urelas | 665c0f4b784ab387fba7f945059dad5b8462b0ccffa96f2110ea673dabdd2044

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72aece57191774ee8faa706df2fb668f.exe
Size

401KB
MD5

72aece57191774ee8faa706df2fb668f
SHA1

0a397db178732b4d0e3e1ca8567ab8f08de89b93
SHA256

665c0f4b784ab387fba7f945059dad5b8462b0ccffa96f2110ea673dabdd2044
SHA512

6c547649fb3058cfbea61cd05df8f9ad222abb1213687f9f2d5ac7dad10f05c0c7b6bf2f4edd50b181b2cfe17c663a99e3fcc5d215e7e803334d9592d1af8bfa
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohW:8IfBoDWoyFblU6hAJQnO0

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
604	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3004	yhqih.exe
1456	ecnony.exe
1536	oravq.exe

Loads dropped DLL 5 IoCs

pid	Process
1696	72aece57191774ee8faa706df2fb668f.exe
1696	72aece57191774ee8faa706df2fb668f.exe
3004	yhqih.exe
3004	yhqih.exe
1456	ecnony.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe
1536	oravq.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 3004	1696	72aece57191774ee8faa706df2fb668f.exe	28
PID 1696 wrote to memory of 3004	1696	72aece57191774ee8faa706df2fb668f.exe	28
PID 1696 wrote to memory of 3004	1696	72aece57191774ee8faa706df2fb668f.exe	28
PID 1696 wrote to memory of 3004	1696	72aece57191774ee8faa706df2fb668f.exe	28
PID 1696 wrote to memory of 604	1696	72aece57191774ee8faa706df2fb668f.exe	31
PID 1696 wrote to memory of 604	1696	72aece57191774ee8faa706df2fb668f.exe	31
PID 1696 wrote to memory of 604	1696	72aece57191774ee8faa706df2fb668f.exe	31
PID 1696 wrote to memory of 604	1696	72aece57191774ee8faa706df2fb668f.exe	31
PID 3004 wrote to memory of 1456	3004	yhqih.exe	30
PID 3004 wrote to memory of 1456	3004	yhqih.exe	30
PID 3004 wrote to memory of 1456	3004	yhqih.exe	30
PID 3004 wrote to memory of 1456	3004	yhqih.exe	30
PID 1456 wrote to memory of 1536	1456	ecnony.exe	34
PID 1456 wrote to memory of 1536	1456	ecnony.exe	34
PID 1456 wrote to memory of 1536	1456	ecnony.exe	34
PID 1456 wrote to memory of 1536	1456	ecnony.exe	34
PID 1456 wrote to memory of 2172	1456	ecnony.exe	36
PID 1456 wrote to memory of 2172	1456	ecnony.exe	36
PID 1456 wrote to memory of 2172	1456	ecnony.exe	36
PID 1456 wrote to memory of 2172	1456	ecnony.exe	36

C:\Users\Admin\AppData\Local\Temp\72aece57191774ee8faa706df2fb668f.exe
"C:\Users\Admin\AppData\Local\Temp\72aece57191774ee8faa706df2fb668f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\yhqih.exe
  "C:\Users\Admin\AppData\Local\Temp\yhqih.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\ecnony.exe
    "C:\Users\Admin\AppData\Local\Temp\ecnony.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\oravq.exe
      "C:\Users\Admin\AppData\Local\Temp\oravq.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1536
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
276B

MD5
5c66acc43ae456f356e617467702c56c

SHA1
dcd24c79cb78e0dd2f31c6ccc2b1f9ac07f8b270

SHA256
aba1fc6cdc0fd31e39bb693c40604a46683e6c2c41457b9f7f476e7a7d376abc

SHA512
64284e7b2b9e7c96cce097d208ef4461a943945a75b0869e4c3158b1c8bfeecb7a1364e3b3599edef77fb04bbec690d0efafa7f064ce846d64c0116172557ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
5c6387681a6dfc16fb1037295561e301

SHA1
9afa6333feb4a0aa0dce9ef214e45e3904246c89

SHA256
57143106b75c1fcf206336ab18297323ed4ee81284b889a38713c0d5dbbc2217

SHA512
a26d3c2966d80cf5349a57c96d0c65141512ff63b16680bb0f780cd96f266a555583ce5db63bc8fcff64c89772a85619c36ae524f89fe78da51983da8d6a2e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5af685f8348fc90c5109416361403bc8

SHA1
209cce317d59b1a95f57054921413d7892a101e9

SHA256
be7efde1e9e4db92d8fa7a89e9844b8d36a6f880cf49f29206f909908f9cbb4a

SHA512
bf7fb673e507fc9ff1f590a45d857f288945801d2404b74d314fc12bea6703c3a86584150b9095197d5cde4659e90457492516945fbd89315b38827d97e343d4

Download Submit
\Users\Admin\AppData\Local\Temp\ecnony.exe

Filesize
401KB

MD5
da3fa384b54e35021d6be105344270f0

SHA1
ac3060a3a3f4773cd647723420bd3afd46b126ae

SHA256
19dd52663aaacf0f25c1fee88d11a2c82693cd1410fa704e371ade9d21b636eb

SHA512
d8d2bba8f83ef30a562dd14b47c1420bc043fcaf495fe6248d67344f8ab3a8f8776e8280a2b669c288ebcc3b63585249bcd3c146bbf24ec3315a845e5f14e187

Download Submit
\Users\Admin\AppData\Local\Temp\oravq.exe

Filesize
223KB

MD5
cdf1cae1ababd56da47590fafb66c18f

SHA1
67c7f0962ba6d9195dbc1e10e3a1d9141f4cb4dc

SHA256
fdced709bab914cbcb6d167f1dc76ea44e51c3e8412666f7abb495322711b71c

SHA512
96881ef763bb8d087e56949934522900646eb9c419ca94b04004b1a5aad3da154ecac843ef560e99c342c088781530e5e273d7a4401b09bc8be1cdc5500d2e58

Download Submit
\Users\Admin\AppData\Local\Temp\yhqih.exe

Filesize
401KB

MD5
af9308ce9794075e64e0e0ba8203d7ad

SHA1
e71c63de4ef60ab303167030a8a3da9bbac1135f

SHA256
5d338d91b2900773596528b8ac8be0f4ea2ee184fbdb4518fc347a31a4034c75

SHA512
9b113da3953186fb18a30eba1e760593ed06fd7189029ce386a6ccd14d5f508eb0e8f8bd6b2f0b2c73c3b2f1468fd7ef0c39350033fffa4d8992a271a0ea6e9b

Download Submit
memory/1456-36-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1456-41-0x00000000035D0000-0x0000000003670000-memory.dmp

Filesize
640KB

Download
memory/1456-53-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1536-52-0x0000000001300000-0x00000000013A0000-memory.dmp

Filesize
640KB

Download
memory/1536-54-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1536-58-0x0000000001300000-0x00000000013A0000-memory.dmp

Filesize
640KB

Download
memory/1536-59-0x0000000001300000-0x00000000013A0000-memory.dmp

Filesize
640KB

Download
memory/1536-60-0x0000000001300000-0x00000000013A0000-memory.dmp

Filesize
640KB

Download
memory/1536-61-0x0000000001300000-0x00000000013A0000-memory.dmp

Filesize
640KB

Download
memory/1536-62-0x0000000001300000-0x00000000013A0000-memory.dmp

Filesize
640KB

Download
memory/1696-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1696-11-0x0000000002C10000-0x0000000002C78000-memory.dmp

Filesize
416KB

Download
memory/1696-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1696-26-0x0000000002C10000-0x0000000002C78000-memory.dmp

Filesize
416KB

Download
memory/3004-13-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3004-35-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download