urelas | 5ea3536e4cfe1f2771d0cadab8590be9c243f55c2be0191a6f0b96000ce36a9b

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3884a328a033cf349a6a0c2a0a1edc4e.exe
Size

551KB
MD5

3884a328a033cf349a6a0c2a0a1edc4e
SHA1

814c24593cc5324c87544a686e45cc8dffedcc76
SHA256

5ea3536e4cfe1f2771d0cadab8590be9c243f55c2be0191a6f0b96000ce36a9b
SHA512

8cf60e637c715f1e0084bdecadcdc3679606d9fb96c9ffe0455bec640b241cc583241691abf30b9169f3d15954988cb6f3e0327b4ab53e87a4a131e68bfa6115
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlL:+rt4/NArwjs5olL

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	wufos.exe
2212	odacj.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	3884a328a033cf349a6a0c2a0a1edc4e.exe
2884	wufos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2884	2160	3884a328a033cf349a6a0c2a0a1edc4e.exe	3
PID 2160 wrote to memory of 2884	2160	3884a328a033cf349a6a0c2a0a1edc4e.exe	3
PID 2160 wrote to memory of 2884	2160	3884a328a033cf349a6a0c2a0a1edc4e.exe	3
PID 2160 wrote to memory of 2884	2160	3884a328a033cf349a6a0c2a0a1edc4e.exe	3
PID 2160 wrote to memory of 2664	2160	3884a328a033cf349a6a0c2a0a1edc4e.exe	2
PID 2160 wrote to memory of 2664	2160	3884a328a033cf349a6a0c2a0a1edc4e.exe	2
PID 2160 wrote to memory of 2664	2160	3884a328a033cf349a6a0c2a0a1edc4e.exe	2
PID 2160 wrote to memory of 2664	2160	3884a328a033cf349a6a0c2a0a1edc4e.exe	2
PID 2884 wrote to memory of 2212	2884	wufos.exe	33
PID 2884 wrote to memory of 2212	2884	wufos.exe	33
PID 2884 wrote to memory of 2212	2884	wufos.exe	33
PID 2884 wrote to memory of 2212	2884	wufos.exe	33

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
1⤵
- Deletes itself
PID:2664

C:\Users\Admin\AppData\Local\Temp\wufos.exe
"C:\Users\Admin\AppData\Local\Temp\wufos.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\odacj.exe
  "C:\Users\Admin\AppData\Local\Temp\odacj.exe"
  2⤵
  - Executes dropped EXE
  PID:2212

C:\Users\Admin\AppData\Local\Temp\3884a328a033cf349a6a0c2a0a1edc4e.exe
"C:\Users\Admin\AppData\Local\Temp\3884a328a033cf349a6a0c2a0a1edc4e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
fb26345642341420ae93e8157891090f

SHA1
b7b02b001033db4ac72c1b94d0e9fc1455e78761

SHA256
07683599d00d9edb6999fb563bc6612642e8cfb2498bc0b1e7978103e6987189

SHA512
1f5efda76f6cd097c0fc00e26fdd0683ab749dd5c937a6b39d5f1c06f5bb42a9d2cc9ad27d6d11412ea0dee31ac74ea512de60e0d1245b1d6b84335bdc3fb1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
952d05df7cd51da8402d951f3cfd5d16

SHA1
71e9dac966d3b8a6cd88da92aec1fe6e8cb757ad

SHA256
1f3f9bfbb5aac1dad5f9bc44d0e9e08a5465685a605aa87aaba8e6d6f804959c

SHA512
ee47f7a31464d915239a4d7678baa5596a10f09ca88919ec8c1201740d8540ec7b36d72fa0d1e130ba98bd6bd2bd774873ba85f63b50cedad2820a328f7b9427

Download Submit
C:\Users\Admin\AppData\Local\Temp\odacj.exe

Filesize
231KB

MD5
44525a07427f32d781689a4b337a2037

SHA1
f8c3efe907d1fe225116360f772a8328d4078424

SHA256
d08ad089b94a0e10e7737d75809786cc8fdb1a520691d08b78330726ce430e3f

SHA512
d786ab38c74bbf6b3bfb463ef109d5e7677eb90f235d1896a8777702e583e8245bc31bcb0ff5914dc63f8375715292cd4b4459741b57873b256b76f8a5cf3e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\wufos.exe

Filesize
551KB

MD5
6e8fd126d1f9db064b64fdf8fbf17d23

SHA1
cd33fff43e74cf030d5cc355c9dc4e36af3a2088

SHA256
7e5d4f06e309fcda99d7aee86764532611b01a63e2bb9eb22ef517cbb420e286

SHA512
7a1c70027eee5127f3f21acdaa35a2dd009a5eb6a00238f3ef8db6a8807c2a07775cbcf6ac1d7a33228bc01b815e246115dc5ee19a9d3e130583c80d7ae4be96

Download Submit
memory/2160-18-0x0000000000F90000-0x000000000101F000-memory.dmp

Filesize
572KB

Download
memory/2160-7-0x0000000000EA0000-0x0000000000F2F000-memory.dmp

Filesize
572KB

Download
memory/2160-0-0x0000000000F90000-0x000000000101F000-memory.dmp

Filesize
572KB

Download
memory/2212-29-0x0000000000F90000-0x0000000001043000-memory.dmp

Filesize
716KB

Download
memory/2884-10-0x0000000000270000-0x00000000002FF000-memory.dmp

Filesize
572KB

Download
memory/2884-28-0x0000000000270000-0x00000000002FF000-memory.dmp

Filesize
572KB

Download
memory/2884-27-0x0000000002360000-0x0000000002413000-memory.dmp

Filesize
716KB

Download