urelas | 09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe
Size

359KB
MD5

33fc3fe46e05744b924537a2a89d79bf
SHA1

a055e22eaa0406127b9735913a651e30ebf2ca04
SHA256

09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5
SHA512

8cc573b41302815787276d2280f1216ef77da831df417af72b161e36d78aaf9e4e9b81e22fc07863bef27c26c7830cba26a14dc168c1b066b2b22a3d030ddd3b
SSDEEP

6144:Z/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZKBPvu:l0G5obGGraOpUWlpB5u

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2072	yxtuv.exe
2564	yswofu.exe
1284	ypygj.exe

Loads dropped DLL 6 IoCs

pid	Process
2268	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe
2268	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe
2072	yxtuv.exe
2072	yxtuv.exe
2564	yswofu.exe
2564	yswofu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe
1284	ypygj.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2072	2268	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	28
PID 2268 wrote to memory of 2072	2268	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	28
PID 2268 wrote to memory of 2072	2268	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	28
PID 2268 wrote to memory of 2072	2268	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	28
PID 2268 wrote to memory of 2556	2268	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	29
PID 2268 wrote to memory of 2556	2268	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	29
PID 2268 wrote to memory of 2556	2268	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	29
PID 2268 wrote to memory of 2556	2268	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	29
PID 2072 wrote to memory of 2564	2072	yxtuv.exe	31
PID 2072 wrote to memory of 2564	2072	yxtuv.exe	31
PID 2072 wrote to memory of 2564	2072	yxtuv.exe	31
PID 2072 wrote to memory of 2564	2072	yxtuv.exe	31
PID 2564 wrote to memory of 1284	2564	yswofu.exe	34
PID 2564 wrote to memory of 1284	2564	yswofu.exe	34
PID 2564 wrote to memory of 1284	2564	yswofu.exe	34
PID 2564 wrote to memory of 1284	2564	yswofu.exe	34
PID 2564 wrote to memory of 1984	2564	yswofu.exe	35
PID 2564 wrote to memory of 1984	2564	yswofu.exe	35
PID 2564 wrote to memory of 1984	2564	yswofu.exe	35
PID 2564 wrote to memory of 1984	2564	yswofu.exe	35

C:\Users\Admin\AppData\Local\Temp\09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe
"C:\Users\Admin\AppData\Local\Temp\09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\yxtuv.exe
  "C:\Users\Admin\AppData\Local\Temp\yxtuv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\yswofu.exe
    "C:\Users\Admin\AppData\Local\Temp\yswofu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\ypygj.exe
      "C:\Users\Admin\AppData\Local\Temp\ypygj.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1284
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9dc070c975eda37a07537f61e8de35b5

SHA1
67a9b900033e98b58ec0e4ee68a65b474f33a117

SHA256
1bcaf4b8c5fc68b5a7a63c6c10b8fdf728a6cec75a222d82d97df0a0d7f724a5

SHA512
b9f5e77056c05ced41df763edc20ad291fc2a9415a8bf4aba6c99e88db2e9a2c0e3ae4ffd5e5b011d2b40cb3cf372647975e54d33d4903c6b436b50ce2ff1541

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
51120901b48c61ed5f7ba8db952446f9

SHA1
b3429b4dab8be1843ce0d8701a00e3a61c02cd04

SHA256
c3448c8c9c417492cb2733e870562e131a8f0e7c95646ad8c89877c5201c615f

SHA512
1391303e360a6561d3083793978e302efa0da4f6921a10fa2a8a950e165e9d1e6ae071e89bbf64b4ace52e936089d79837e31fd6fb4dca0c9b6bdc4fcefab1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
413a181b68a5f66909315720f99f206c

SHA1
c9a18d7545af683c681406ef5958016d4a661adc

SHA256
8a2e89c5d1b0141b7aef9bac85f3c4bc06d5088a60d2ed2a4b65a14e9a6eb55a

SHA512
1781382b644de4973aa066e3cb086aa6d0c2693f1efd295c65a491af3ab58124e06163c117c47ded5b36402d13e8264771e04ade8218d4a923c1f470a4897001

Download Submit
\Users\Admin\AppData\Local\Temp\ypygj.exe

Filesize
115KB

MD5
c3dc62f70648dc8366ea2c57667ce81b

SHA1
6c8f971b73256b5d19a0d860b56a9adaf578a2d0

SHA256
a10de251851c82afd7e86923e45fbb1d8a9fe131bda9218c08ad2fdd8e8d7150

SHA512
e10e38f03ab05ba1f9b1b357d210d6243f494e5afdbc58e1efba68671b710b986210c40ee7e1bd096fe96bf161df795210486ea0cee58e325ac174b340a617e5

Download Submit
\Users\Admin\AppData\Local\Temp\yxtuv.exe

Filesize
359KB

MD5
0be79854b4afcddc53f80b9b7cf3f85b

SHA1
dac372b4580177c77efce29b0f9eee6fb0300b2f

SHA256
5822571c225908585a07700bf7d20a67eea702b425e633a56d9e78f5504bfea4

SHA512
1593822d89a7ff0558f0b84692854138d317ec1bfd7ad05f3828b1c14482581c28b48d01c27b391affd99e032140b5a7722b874a411fd6dc2a73c9f49fdc7553

Download Submit
memory/1284-59-0x00000000010B0000-0x0000000001132000-memory.dmp

Filesize
520KB

Download
memory/1284-67-0x00000000010B0000-0x0000000001132000-memory.dmp

Filesize
520KB

Download
memory/1284-66-0x00000000010B0000-0x0000000001132000-memory.dmp

Filesize
520KB

Download
memory/1284-62-0x00000000010B0000-0x0000000001132000-memory.dmp

Filesize
520KB

Download
memory/1284-65-0x00000000010B0000-0x0000000001132000-memory.dmp

Filesize
520KB

Download
memory/1284-64-0x00000000010B0000-0x0000000001132000-memory.dmp

Filesize
520KB

Download
memory/1284-63-0x00000000010B0000-0x0000000001132000-memory.dmp

Filesize
520KB

Download
memory/2072-22-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2072-33-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2072-35-0x0000000002060000-0x00000000020BC000-memory.dmp

Filesize
368KB

Download
memory/2268-37-0x0000000002BD0000-0x0000000002C2C000-memory.dmp

Filesize
368KB

Download
memory/2268-2-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2268-19-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2268-6-0x0000000002BD0000-0x0000000002C2C000-memory.dmp

Filesize
368KB

Download
memory/2564-58-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2564-49-0x00000000039C0000-0x0000000003A42000-memory.dmp

Filesize
520KB

Download
memory/2564-38-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2564-36-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download