urelas | 92faa5aaeef3e16afe8a8f6e41d7b33d0993674c0629e2011e35aa643aa941e8

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4202364da06c9f7e07177ce3d08e9124.exe
Size

536KB
MD5

4202364da06c9f7e07177ce3d08e9124
SHA1

653c2fc6d58dd404bd2f2b02dcb5d7e6514b3853
SHA256

92faa5aaeef3e16afe8a8f6e41d7b33d0993674c0629e2011e35aa643aa941e8
SHA512

1b5867253f2f0c4df6f7242a4c971ef5c0b590cfb59a68071e1cdd7ba2bb726f7ed2d32f672467398fd5f39b61b2278040d9ec9cd43ec2a497866c0127fee1fb
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPM:q0P/k4lb2wKatM

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2140	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1892	zadoa.exe
1676	xuhuu.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	4202364da06c9f7e07177ce3d08e9124.exe
1892	zadoa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe
1676	xuhuu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1892	2932	4202364da06c9f7e07177ce3d08e9124.exe	28
PID 2932 wrote to memory of 1892	2932	4202364da06c9f7e07177ce3d08e9124.exe	28
PID 2932 wrote to memory of 1892	2932	4202364da06c9f7e07177ce3d08e9124.exe	28
PID 2932 wrote to memory of 1892	2932	4202364da06c9f7e07177ce3d08e9124.exe	28
PID 2932 wrote to memory of 2140	2932	4202364da06c9f7e07177ce3d08e9124.exe	29
PID 2932 wrote to memory of 2140	2932	4202364da06c9f7e07177ce3d08e9124.exe	29
PID 2932 wrote to memory of 2140	2932	4202364da06c9f7e07177ce3d08e9124.exe	29
PID 2932 wrote to memory of 2140	2932	4202364da06c9f7e07177ce3d08e9124.exe	29
PID 1892 wrote to memory of 1676	1892	zadoa.exe	33
PID 1892 wrote to memory of 1676	1892	zadoa.exe	33
PID 1892 wrote to memory of 1676	1892	zadoa.exe	33
PID 1892 wrote to memory of 1676	1892	zadoa.exe	33

C:\Users\Admin\AppData\Local\Temp\4202364da06c9f7e07177ce3d08e9124.exe
"C:\Users\Admin\AppData\Local\Temp\4202364da06c9f7e07177ce3d08e9124.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\zadoa.exe
  "C:\Users\Admin\AppData\Local\Temp\zadoa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\xuhuu.exe
    "C:\Users\Admin\AppData\Local\Temp\xuhuu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
ac6171de4d6bd6f99ab4476752054e16

SHA1
04bd0acc8e08cf2d20fd67e3ad54e37fa6886f54

SHA256
13ced25e841f0da703fcbbfdd71b30ff15c3372f4b58076a44189e7113294c94

SHA512
db7ada78004bf35e3b631337036e1fe8c1ee2db4f6000d7a195fbb8ce61696386e8870311b162003f5b87e40512d98c65d70cabe8fbec5cb25a605fcb5bdecc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9bc313fe66274602a16016571a45e5d0

SHA1
54c9cb2647a0dc84a99bb6498b8a85a37548027a

SHA256
9a269a583198f15ff67468f17fd563b5f62341c4cde1bae8f70db73f22258466

SHA512
52d0997e90763b5f08393b960846af46d3b44c5d171dd8ff334a3416f256ca9c9a37ace57aed8d48d591f7b25a6664aa4d0ef1318e6bef8cbaa9319b59621b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuhuu.exe

Filesize
118KB

MD5
985c5e6bd5d118fb082b5fe4907b2d5d

SHA1
7da81147938b02950039b7ce4a23d7d8471451c7

SHA256
5badb5ffd9b7c17c78ca04a361cdddea42c652c27c84cdc24d43ad57860e3550

SHA512
65ed48b5e78b329745e549f50dcce25106ae23a8103fc3b9325ceb5b43242466d85c819c2ee34050e0e3f3b37eede28719c66b596755bdd9eab4acc1f11ac65f

Download Submit
\Users\Admin\AppData\Local\Temp\xuhuu.exe

Filesize
112KB

MD5
e3173a9b165172c606613f04c30aca85

SHA1
4407b3d8df96d38a94b5177ca1b4040071e3d5a8

SHA256
d24a3455d8b5b779265571be45e191e61b23a89c7f2393ebb92557cba88085c4

SHA512
235cc073a440ae72ad6cb05b8053cd8f094d02584a0ff290ce869654f617d83bce128c9e850b16429804bd9e8a5d796b895b92dc30c2c8526e42935c79385283

Download Submit
\Users\Admin\AppData\Local\Temp\zadoa.exe

Filesize
536KB

MD5
2c610dfa567ce786aaee324047fd08d5

SHA1
231b537de6b012fdfbeb85e80bcd7c327a55bc58

SHA256
1d9320b46f66c3efff30ce449208e6087b018d2a107066828229b170415f8689

SHA512
0f0e09a3ec97e334c4479e2eaa37ffc622b64f6868e8e9db813b47a529642ede53d3d0160642f64ee578627d35f17918b7c390a58abad73e568e47608b1444ae

Download Submit
memory/1676-31-0x0000000000E50000-0x0000000000EF3000-memory.dmp

Filesize
652KB

Download
memory/1676-34-0x0000000000E50000-0x0000000000EF3000-memory.dmp

Filesize
652KB

Download
memory/1676-33-0x0000000000E50000-0x0000000000EF3000-memory.dmp

Filesize
652KB

Download
memory/1676-28-0x0000000000E50000-0x0000000000EF3000-memory.dmp

Filesize
652KB

Download
memory/1676-27-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1676-32-0x0000000000E50000-0x0000000000EF3000-memory.dmp

Filesize
652KB

Download
memory/1676-30-0x0000000000E50000-0x0000000000EF3000-memory.dmp

Filesize
652KB

Download
memory/1892-26-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2932-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2932-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2932-6-0x0000000002C40000-0x0000000002CCC000-memory.dmp

Filesize
560KB

Download