urelas | 81d8afad7ddcdbb11e808c88da424e9477a38a0a936c88f798e1284cd9bce023

Analysis

max time kernel
152s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe
Size

461KB
MD5

07c7f5de12c99be42f9d473a1a879456
SHA1

1c02151d3c0b3d3bcdd731b17db39ca8c2778c1a
SHA256

0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d
SHA512

57e8baac2dddca2db65d301001dcc8724db04687e93db8a6491f47170cfb6d5602c92197d0c8a7b86f55ef438a83d0b97bffbfd24d07dae4dac2135add02f8f1
SSDEEP

6144:qmbmLppYOuakYGWV5ZhExy1gO8B9vhMQqATCSw2wp5:qma6id7TsrhS8/wl

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2284	cimon.exe
1136	kityn.exe

Loads dropped DLL 3 IoCs

pid	Process
2168	0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe
2168	0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe
2284	cimon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe
1136	kityn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2284	2168	0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe	28
PID 2168 wrote to memory of 2284	2168	0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe	28
PID 2168 wrote to memory of 2284	2168	0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe	28
PID 2168 wrote to memory of 2284	2168	0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe	28
PID 2168 wrote to memory of 2684	2168	0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe	29
PID 2168 wrote to memory of 2684	2168	0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe	29
PID 2168 wrote to memory of 2684	2168	0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe	29
PID 2168 wrote to memory of 2684	2168	0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe	29
PID 2284 wrote to memory of 1136	2284	cimon.exe	33
PID 2284 wrote to memory of 1136	2284	cimon.exe	33
PID 2284 wrote to memory of 1136	2284	cimon.exe	33
PID 2284 wrote to memory of 1136	2284	cimon.exe	33

C:\Users\Admin\AppData\Local\Temp\0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe
"C:\Users\Admin\AppData\Local\Temp\0b36e4a25748a1daf0dbe1ed9b8ccd7208a0be2a536a14272771c8deff11d65d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\cimon.exe
  "C:\Users\Admin\AppData\Local\Temp\cimon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\kityn.exe
    "C:\Users\Admin\AppData\Local\Temp\kityn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
f571420019ee66b60808cd2ea63d14e1

SHA1
5ee33614bc222b6bd5ef7a8eb1caebf28a0c5540

SHA256
be5497c66e4baf20b885cf72a7f34f36419d7c20a754addc5dbc07a58cd5ff18

SHA512
76c9d653469e834c33d1753505993bbec40454b9e6418f3dd5a721ecf891d47429e1c61374e286ec6fb7cc58f834382b7f5ad96ceb3745070e417fd39811806a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
557c60ed780b4c8bdb783ce4e78fc483

SHA1
694a19af6fef489cfe91d48e3260510d0878cfde

SHA256
b896d5aae40f9abdfcce59a50c8b1200ee70a14600d2023d620e2533e126ec1e

SHA512
eb30b8afe28b46acbb8f6bdc12b9bb2b9fa91a08bdaadcce9e6e8fe70f65aedfb1155a8e864b6c52f7c46aabbb81f4cc19570931605ec6211fa33b21ce218a4c

Download Submit
\Users\Admin\AppData\Local\Temp\cimon.exe

Filesize
461KB

MD5
658e9c9f6f726b358eb4dea293035e89

SHA1
f18744676cdb9d0f14737c122e5f89ae3639c144

SHA256
888d06baf4f0f8956a9fbeb712afa0ca842b5a2f4a65faad71401ab106bcc076

SHA512
1ee10a85ef494024c4fe82a9948934faf6e64c135bbe3ff51c23b3c7ce830e8a5a5a2573934091ca4e79180086de4c8e9d6baed48641eede9c3fdaf64bf48d5a

Download Submit
\Users\Admin\AppData\Local\Temp\kityn.exe

Filesize
212KB

MD5
f88b622f98dd4090a8c8b84fc252572e

SHA1
0ea5e8bcb76fd3630a4d831ef7094a6a488447d2

SHA256
f1723052fcb28a73b17381bc1b9a09a921eb9088f03d83291ee68c5811847bf4

SHA512
acaa0ac6156bd389692430d424b1d6a467038df02225120f1167f0924e07e2c652c941c7f90f6db1ce2c5250e6a34be168914cd75278d8b8a1b579a1deb39e69

Download Submit
memory/1136-35-0x0000000000C10000-0x0000000000CB8000-memory.dmp

Filesize
672KB

Download
memory/1136-31-0x0000000000C10000-0x0000000000CB8000-memory.dmp

Filesize
672KB

Download
memory/1136-32-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1136-34-0x0000000000C10000-0x0000000000CB8000-memory.dmp

Filesize
672KB

Download
memory/1136-36-0x0000000000C10000-0x0000000000CB8000-memory.dmp

Filesize
672KB

Download
memory/1136-37-0x0000000000C10000-0x0000000000CB8000-memory.dmp

Filesize
672KB

Download
memory/1136-38-0x0000000000C10000-0x0000000000CB8000-memory.dmp

Filesize
672KB

Download
memory/2168-21-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2168-12-0x0000000002830000-0x00000000028A5000-memory.dmp

Filesize
468KB

Download
memory/2168-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2284-13-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2284-29-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download