urelas | 81f5fc7247797d5d8dfb5860cd12535ac879ec2507ac934cdf2d05e76c2d59f7

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/02/2024, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9c0800d6f48953b981576b464623ad7.exe
Size

441KB
MD5

a9c0800d6f48953b981576b464623ad7
SHA1

aa0e2fd82c0c55f6d01d06863ca8aaf88255db68
SHA256

81f5fc7247797d5d8dfb5860cd12535ac879ec2507ac934cdf2d05e76c2d59f7
SHA512

229b4abfce3c63fc65c648c2496dbbd28a5388e4b7da05d377f4f030f6b1ee9bedf257dcb8c291ebf2ff87acd2ebc2e74d1e169e0d98827c1702c805bd4e64bd
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMb:rKf1PyKa2H3hOHOHz9JQ6zBQ

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2200	luiji.exe
1744	iklio.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	a9c0800d6f48953b981576b464623ad7.exe
2200	luiji.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe
1744	iklio.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2200	1916	a9c0800d6f48953b981576b464623ad7.exe	28
PID 1916 wrote to memory of 2200	1916	a9c0800d6f48953b981576b464623ad7.exe	28
PID 1916 wrote to memory of 2200	1916	a9c0800d6f48953b981576b464623ad7.exe	28
PID 1916 wrote to memory of 2200	1916	a9c0800d6f48953b981576b464623ad7.exe	28
PID 1916 wrote to memory of 2556	1916	a9c0800d6f48953b981576b464623ad7.exe	29
PID 1916 wrote to memory of 2556	1916	a9c0800d6f48953b981576b464623ad7.exe	29
PID 1916 wrote to memory of 2556	1916	a9c0800d6f48953b981576b464623ad7.exe	29
PID 1916 wrote to memory of 2556	1916	a9c0800d6f48953b981576b464623ad7.exe	29
PID 2200 wrote to memory of 1744	2200	luiji.exe	33
PID 2200 wrote to memory of 1744	2200	luiji.exe	33
PID 2200 wrote to memory of 1744	2200	luiji.exe	33
PID 2200 wrote to memory of 1744	2200	luiji.exe	33

C:\Users\Admin\AppData\Local\Temp\a9c0800d6f48953b981576b464623ad7.exe
"C:\Users\Admin\AppData\Local\Temp\a9c0800d6f48953b981576b464623ad7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\luiji.exe
  "C:\Users\Admin\AppData\Local\Temp\luiji.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\iklio.exe
    "C:\Users\Admin\AppData\Local\Temp\iklio.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
6cb826f6f751321b98ee56ea49757118

SHA1
253f34fe009ed7baf89c166eecdfd4e427b602d7

SHA256
29783840ec3c668e3ecc60d93fb245c38a6ce76c04065ce8a0749e676e4beab7

SHA512
69f09f31aa3ea34d39fd673d9ecc4c5e31089cc1d55ba4da80d67e1d99b45a9fb1cbcab0a03cda6b280a61e764fbfa8c28e82627d36945ea2c3633c606bd7699

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
eda081b51051caf73b8cc8621500fe1e

SHA1
850756bbb7b6764be700a54c5c5ea03cc4abbd8f

SHA256
b48e23ecf9dd1792f51e710a7381ff1bf873c0c1d75c5325ee9a7fe6f6ebd037

SHA512
be841c3ec746b23d3938d225635b17ddd17b278f8cb924db64f69b33a775363cf67a5c9983f23ea8c9861f3f3a461ba979c3ea0ce54480e08d16ba3c797d021b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iklio.exe

Filesize
230KB

MD5
08ba7c59f34c81848e8dddb921b3a427

SHA1
00694453a850fc111a2bc8cf295cbcb9e6a275c3

SHA256
e0eaf3b9ff7e266768e8c913956470dfae798d21fc9dc39f6520625ce4ebe6f0

SHA512
1f1269585cb7291c71085c56ee7f2bda0f742f8462046af5b2f7f6c1e271117c93bbf4a5859d9e6c80da8671f7560a43a95c4b3c34e57de3d6438122cd9a0b69

Download Submit
\Users\Admin\AppData\Local\Temp\luiji.exe

Filesize
441KB

MD5
143a2c0c6e47f2bdf866d12922cb7f48

SHA1
6a9cf5a4a492b8a94b3a53398535aa4923f60cd1

SHA256
b271ce5b239a11b438dc9deea82d34fff450e67526832824bcc90f5eee0e0589

SHA512
449e594c85ecca2f4c0ec14dbe1cbfb374f8156de9ca555dad086e8cf9e084f5403caec6e22ee0573e55f7fc017b888be580435f3c70c34c2159ff54712b5d87

Download Submit
memory/1744-32-0x0000000000340000-0x00000000003DE000-memory.dmp

Filesize
632KB

Download
memory/1744-28-0x0000000000340000-0x00000000003DE000-memory.dmp

Filesize
632KB

Download
memory/1744-29-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1744-31-0x0000000000340000-0x00000000003DE000-memory.dmp

Filesize
632KB

Download
memory/1744-33-0x0000000000340000-0x00000000003DE000-memory.dmp

Filesize
632KB

Download
memory/1744-34-0x0000000000340000-0x00000000003DE000-memory.dmp

Filesize
632KB

Download
memory/1744-35-0x0000000000340000-0x00000000003DE000-memory.dmp

Filesize
632KB

Download
memory/1916-17-0x0000000000BA0000-0x0000000000C0E000-memory.dmp

Filesize
440KB

Download
memory/1916-8-0x0000000000AE0000-0x0000000000B4E000-memory.dmp

Filesize
440KB

Download
memory/1916-0-0x0000000000BA0000-0x0000000000C0E000-memory.dmp

Filesize
440KB

Download
memory/2200-26-0x0000000003320000-0x00000000033BE000-memory.dmp

Filesize
632KB

Download
memory/2200-25-0x0000000000890000-0x00000000008FE000-memory.dmp

Filesize
440KB

Download