urelas | d543f7a9aaf7cdfe845d94ba02ec24e243c8ad8941f73ba620ebcc6e70129272

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 15:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c62f2715f7d498a3f82a0d826664ff94.exe
Size

535KB
MD5

c62f2715f7d498a3f82a0d826664ff94
SHA1

40f6bb977f14e6f3600d781873a0bee5db8abd2c
SHA256

d543f7a9aaf7cdfe845d94ba02ec24e243c8ad8941f73ba620ebcc6e70129272
SHA512

2a1ba05dfa39ecdb37f05865147291a1bebc75228631b0e7b5695938831f39c05e54d1b38c83a673d040fe2ca6a3889ffd00f946542037dafb32a46de0cdcc58
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPE:q0P/k4lb2wKatE

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
3044	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1388	dyupf.exe
1652	wowul.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	c62f2715f7d498a3f82a0d826664ff94.exe
1388	dyupf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe
1652	wowul.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1388	2392	c62f2715f7d498a3f82a0d826664ff94.exe	28
PID 2392 wrote to memory of 1388	2392	c62f2715f7d498a3f82a0d826664ff94.exe	28
PID 2392 wrote to memory of 1388	2392	c62f2715f7d498a3f82a0d826664ff94.exe	28
PID 2392 wrote to memory of 1388	2392	c62f2715f7d498a3f82a0d826664ff94.exe	28
PID 2392 wrote to memory of 3044	2392	c62f2715f7d498a3f82a0d826664ff94.exe	29
PID 2392 wrote to memory of 3044	2392	c62f2715f7d498a3f82a0d826664ff94.exe	29
PID 2392 wrote to memory of 3044	2392	c62f2715f7d498a3f82a0d826664ff94.exe	29
PID 2392 wrote to memory of 3044	2392	c62f2715f7d498a3f82a0d826664ff94.exe	29
PID 1388 wrote to memory of 1652	1388	dyupf.exe	33
PID 1388 wrote to memory of 1652	1388	dyupf.exe	33
PID 1388 wrote to memory of 1652	1388	dyupf.exe	33
PID 1388 wrote to memory of 1652	1388	dyupf.exe	33

C:\Users\Admin\AppData\Local\Temp\c62f2715f7d498a3f82a0d826664ff94.exe
"C:\Users\Admin\AppData\Local\Temp\c62f2715f7d498a3f82a0d826664ff94.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\dyupf.exe
  "C:\Users\Admin\AppData\Local\Temp\dyupf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\wowul.exe
    "C:\Users\Admin\AppData\Local\Temp\wowul.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
71a3ed0881c056306692c585dc8fc614

SHA1
9240724c2904aa164010f800e959dfdea62d1fd6

SHA256
df54542c92346053eb44c4db28e008e9dd884a2a40e789d00b51c9269c1e4688

SHA512
a744766bf547ee341f156d3b06e936c0c3695bb04eabc1ba5195565396e6a19be125b96024993bcab503b73bbc3475c60629f8c59ceb479a27fedfdc8e81da84

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyupf.exe

Filesize
535KB

MD5
f860cdaf4b55a615d6c8a3acd2a61a32

SHA1
83bf1ccc5f87e9f9dd07ece4cd948b584407b101

SHA256
bc67ff96b9265d1876ac2b3f7590df7d54bd8d8b3304c958f017a028c6673834

SHA512
1999f0c69a110b84085190987e079fb3eff217a9a25e55e672c879d09049bc601077a5072df4bc3accdcc91a5b764b1f6ad11455cd401f5bcfd89a656f047712

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
38f217bca03e98da51ee62594fa46e81

SHA1
e57b4d9855ad4485fe8def41816d498e68ac6769

SHA256
24afcaad74bfde51a3df55e4c46aa8288779d53e348ec9d00fd0348834c0ad14

SHA512
65963d44cb35b2a56a9677670338176a8ff4788b0fddc63bedd8b57b9243fdf78868199c22a09a15e5b9d5599d0c4c07ba6a68bb060ab213276098290b050fa7

Download Submit
\Users\Admin\AppData\Local\Temp\dyupf.exe

Filesize
535KB

MD5
fe0dd06909ed9cd48ef925df18c7f033

SHA1
494296ebab88c4fd3bffaf143f9f2e65c46bf8a8

SHA256
3c878f27849ff434b8a37370549cd42974059ccaa3285a2e70504f0df5a826ff

SHA512
e4fc05eee96139b00c9180b444b07497e2f42b75e43157de08257e0e8bb174976bd102c13f96ff1bbc4103cd59e3c115195374e8254c2efaf62c147de9dab3e1

Download Submit
\Users\Admin\AppData\Local\Temp\wowul.exe

Filesize
236KB

MD5
dbe0c3a430c44b7a90263eee8b521ddc

SHA1
01ab8cf9d6dd7286fae3052a8d67b89a15735cfc

SHA256
3431d612e73995ec3e2035528d6038cb7a16a4e061cf7d914c28bccb8015c4c9

SHA512
1fbb22572948d83855c9c476d9c5879951df7e6bd0d8315b37837809180beeb25220447ef69846345cddd4917de1f6983b12b94b1ae53c15d6132996f33908d2

Download Submit
memory/1388-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1388-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1652-32-0x0000000000190000-0x0000000000233000-memory.dmp

Filesize
652KB

Download
memory/1652-28-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1652-29-0x0000000000190000-0x0000000000233000-memory.dmp

Filesize
652KB

Download
memory/1652-33-0x0000000000190000-0x0000000000233000-memory.dmp

Filesize
652KB

Download
memory/1652-34-0x0000000000190000-0x0000000000233000-memory.dmp

Filesize
652KB

Download
memory/1652-35-0x0000000000190000-0x0000000000233000-memory.dmp

Filesize
652KB

Download
memory/1652-36-0x0000000000190000-0x0000000000233000-memory.dmp

Filesize
652KB

Download
memory/2392-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2392-6-0x0000000002C20000-0x0000000002CAC000-memory.dmp

Filesize
560KB

Download
memory/2392-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download