urelas | 7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 22:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe
Size

144KB
MD5

33b30e12564983fdba9ef8842ed64f98
SHA1

f358223c7ee599bb8243e3382c300b649ad63da2
SHA256

7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a
SHA512

6bfaa8c3d8280b979403cb8f15dcc8274564df9239fe213e3f0cc260a9372049bef0fe02ab0a74f92c7379a83f2de64ec2ccb6b6df0efd15df8c672870e0966c
SSDEEP

1536:1i+N6u0utYGsoK2mEGIBp+WWN7YfEj77iZ76vVGU2AjK15t5uPpdrcIPWAWvnTX3:wYYutRQSc/7c6tJK7t5uPpdrxOhvnTn

Score

10^/10

urelas trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2996	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2208	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2208	2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe	28
PID 2740 wrote to memory of 2208	2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe	28
PID 2740 wrote to memory of 2208	2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe	28
PID 2740 wrote to memory of 2208	2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe	28
PID 2740 wrote to memory of 2208	2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe	28
PID 2740 wrote to memory of 2208	2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe	28
PID 2740 wrote to memory of 2208	2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe	28
PID 2740 wrote to memory of 2996	2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe	29
PID 2740 wrote to memory of 2996	2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe	29
PID 2740 wrote to memory of 2996	2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe	29
PID 2740 wrote to memory of 2996	2740	7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe	29

C:\Users\Admin\AppData\Local\Temp\7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe
"C:\Users\Admin\AppData\Local\Temp\7dacb37610e680323d654261f9881495e11f24a1e14c53519771c1183e71a08a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55d2fdd1432483e3ba86ebeccfe130b6

SHA1
7280b14d708800fd15303b2caa8628a0fbd7aa08

SHA256
5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb

SHA512
36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
a150ef14f69d25ab1d365ee1a8fb2c10

SHA1
3c6951b258dd00aba643ec43984a0490a3a5080f

SHA256
ef2f34d22ab011364512182c174cf89c20ca9165e47238dd8cef9d2ecbee09ef

SHA512
4cbedf17738765b1e2cc8953dabef974ccb47cad3c7212af1824451998ac51195fad2aafdb98b34913fd385fe505e7c387da8809d8afe3b6fb79ba465e5d70bd

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
144KB

MD5
ffcf71e2a8bf1259c0cf574348b0041d

SHA1
92643dc5b86fbb8dc18372af174021a6546f7941

SHA256
8c648fec267bc06a4b5083dcddf088d9d64b95e488d0c7f849e268e7710bc5a6

SHA512
b6cd576e5c39ed4af746e74728777834e01033bf0143c8dccd2809d30c88e4fa1fae63c31db8d7f0c4f1fcc635f5d12f17491fd9ad2c3a9fab254a05371d6990

Download Submit