Overview

overview

10

Static

static

10

c063c49b9a...8c.exe

windows7-x64

10

c063c49b9a...8c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2024, 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c063c49b9aadc37b4bd6a746f157378c.exe

  • Size

    465KB

  • MD5

    c063c49b9aadc37b4bd6a746f157378c

  • SHA1

    c15c71c2b7a926886ef84104ab289ab68c3a9ebe

  • SHA256

    f26c344c3e1ad437eee71c72dd28160e3a99b24af0d28c75a1aeb83bb4f94718

  • SHA512

    f71263e31d4960c9950565799a32571f5d0c5beac80a0cadcd5c9b64e80953f380253c804a96cbe120484d66b23ed29eef3e4f6bf75e9633dc4ebcb1029da356

  • SSDEEP

    12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Uv:m6tQCG0UUPzEkTn4AC1+Q

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe
    "C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Users\Admin\AppData\Local\Temp\ifqoe.exe
      "C:\Users\Admin\AppData\Local\Temp\ifqoe.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Users\Admin\AppData\Local\Temp\wuywi.exe
        "C:\Users\Admin\AppData\Local\Temp\wuywi.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1456
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      2⤵
      • Deletes itself
      PID:2488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
    Filesize

    276B

    MD5

    36499ebff821457861dd5ccb52113066

    SHA1

    a521b160afab8e1e31647148b4b7f27d176c3c1b

    SHA256

    21409e7d7366616b2675d50a11f206e26f71f1f36cec705da4d665b46c022790

    SHA512

    dda3b4e0faa469e8b93187ee6ad3edfeb8af727515341b63895c46e80ff1f358216faa1f31aae7a8898883654f70f105e46a19fc926dbb1b88ed9440a01227ea

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    01c8f4ba58785635aefc669f15079ec3

    SHA1

    08b85fb6f271466865c6fb9480653d4179eda396

    SHA256

    8d9a3423bfc2ccc1f4e85c56efec27b120395c3a2e73cd287e1a40822473b5ff

    SHA512

    7a04efef9ff5b845af3546c7c7d52ae51db086ac05b3b37a79e63acdfc500d2045186145a7f4b4754c2e0cda8404c51a35befe379696f12be827c20125820104

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ifqoe.exe
    Filesize

    39KB

    MD5

    a75004df14f003d9df0c7aa9a7bfc3e8

    SHA1

    e2aaf88f6c826fff26982c8c0e12a5aae2809a4e

    SHA256

    067efe4f2629ad6aec3fad39c87961bcea3233558a3d2c723ebe1ffe7990ee24

    SHA512

    fcbbd0e3cc90cf72cf6c99272173ee92590ebfd848433704a238b552dd9413dc03e44b2f8f807035204ae655794e80cc871993e70d8cc9eea0c8738687102537

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wuywi.exe
    Filesize

    198KB

    MD5

    f048734e315e4abc223a161f9f8c4cbb

    SHA1

    c7092715d394ecfebde70ce4b704fea70240ac62

    SHA256

    1476d1fe03ebefb8e8b860d10fe7a86d505e31033a0a851362c42a8a7cc30852

    SHA512

    052bf9bc42c8e183cfbc42b745d1f8c82ebe69fc1a30f9ae41d9677949b65e19b436a645294c35d335c0920d24de0d708b092f49c50ea421e3fcb9f70cf811ce

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ifqoe.exe
    Filesize

    465KB

    MD5

    8a3a1f7e8b917b3429bdf27585d505c2

    SHA1

    9a6b260efae1fd22b69eb364003bae5bc7bc90b9

    SHA256

    7f4ee8bd2f5686d50284aca10bf7a52d322cb44fd0715f712de896aab51fcbe6

    SHA512

    18598c9aa68ca97c7367369b3861985cffc92aa997dd86e35300703b02870c220e189ccc82721ba7abbb80e20f3a911783d1498a385ec32806abe42c512e03bc

    Download Submit

  • memory/1456-31-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/1456-28-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/1456-30-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/1456-32-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/1456-33-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/1456-34-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2184-18-0x0000000000ED0000-0x0000000000F4C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2184-9-0x0000000000B20000-0x0000000000B9C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2184-0-0x0000000000ED0000-0x0000000000F4C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2892-17-0x0000000000300000-0x000000000037C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2892-26-0x0000000000300000-0x000000000037C000-memory.dmp

    Filesize

    496KB

    Download