Overview

overview

10

Static

static

10

8b5af3bfd0...21.exe

windows7-x64

10

8b5af3bfd0...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2024 21:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b5af3bfd0e7ee1b5755679a196c7a651397e97e26a3eccdce31a74e310e0b21.exe

  • Size

    343KB

  • MD5

    39d3b86f9e8cf53ae91e37b591271ea2

  • SHA1

    163cfe040644500164b2ef914cef0d00ef1225e9

  • SHA256

    8b5af3bfd0e7ee1b5755679a196c7a651397e97e26a3eccdce31a74e310e0b21

  • SHA512

    cdc41c741fe321571c06bff183db762f5b74ee06b6a00afeb1335d900c4a5fb8f052930a4c77500fe5328b912dfccd0f3a8a1fecdfd2b34862b98e1f90189f2f

  • SSDEEP

    6144:SF/gEKyOAuuHcqXt96bHa+bZu0k6XCCbd2CKcwA2x9G+84AmGSncH:SF/gVyduuHv946gZ6bCbd2qspnA6g

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Detects executables built or packed with MPress PE compressor 6 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b5af3bfd0e7ee1b5755679a196c7a651397e97e26a3eccdce31a74e310e0b21.exe
    "C:\Users\Admin\AppData\Local\Temp\8b5af3bfd0e7ee1b5755679a196c7a651397e97e26a3eccdce31a74e310e0b21.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\hyexd.exe
      "C:\Users\Admin\AppData\Local\Temp\hyexd.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Users\Admin\AppData\Local\Temp\taqiy.exe
        "C:\Users\Admin\AppData\Local\Temp\taqiy.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2500
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2188

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    340B

    MD5

    b0f9901cc65a6f7a0157f6e9ab2c56d4

    SHA1

    cb282e364211b9cd63bcff73a567863780e1833f

    SHA256

    b94d08c89c87f6e4fb50258c652cc9bea4d95e2cdb671cefcc0be28c00d924b5

    SHA512

    7b1fe66e76c67bc686e583d42b6a5cb8282d5ccc3f35a3668e34f4d7b7375a76e565ed2a855dc109371a0af3f38cb8176c0aee4bff302dc8bc2b61c00d616326

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    6ee3f98eaadfb4485455f53404e76606

    SHA1

    8090fbcaa1dba544ff25d653468886e301a70f3c

    SHA256

    2bada7fb47baca8bc861fe2615180e7db109e657eca1e172bbebf218e0aed6e7

    SHA512

    fd9138264b70783dd002a3f836168f08e1f7b1bc52ca50691b7be157f7f0d33d4cb9687f25ebc203d2a1044a7f84e8eade638e37e337189570ac7d1de15147a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\taqiy.exe
    Filesize

    218KB

    MD5

    d0083f7b251a9fca40e3aee40f9587b5

    SHA1

    2328179bfef00fdc94c23a72103bd2369f53f6c2

    SHA256

    8ac577f1fd53a275a249fdc090c472a03ee6dcb6b6a4de3bbd675c18a13aa1af

    SHA512

    bdb9c3b62fbadb5c37cba778c79e5e43e0142f2b905e7d9ca8b68877cef443e0df91418df800e35548f7764f0bb1086498ccef1875ad683ea0a74b6bd9fec08a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\hyexd.exe
    Filesize

    343KB

    MD5

    82f037f5b5542cf2ced17886c6fc713b

    SHA1

    191ef8b96181a6946e9560e9e7d1161b84173cd3

    SHA256

    bdc1fad1d48cf8bdf2c6c6e534352521479defd13fa71ccbaf75d6efa4f053d3

    SHA512

    13b9515fc2ddda7b4b3ef8724cfa9d7ec6efb86b15e08d4cffb85e17c89e93c5aeba93f7b309941c5198c276d6d545ce04289e95187ede4588ed32a3227a91b8

    Download Submit

  • memory/1972-17-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1972-16-0x0000000002C80000-0x0000000002D0B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1972-0-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/2348-35-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/2348-18-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/2348-21-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/2500-37-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2500-38-0x00000000001C0000-0x00000000001C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2500-40-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2500-41-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2500-42-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2500-43-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2500-44-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download