urelas | 8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
Size

999KB
MD5

804524de8c35e0f453cfccc83a5f4726
SHA1

6e476f64aeec26e3cefb02ed46d0cbbd6a48a60d
SHA256

8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61
SHA512

8c8549ee9e55bf4da6e8250c9fd5ae8cd92e0eee4a8ee1a7282360c8c9dc5e20beb8ce875581dd3246e7e017d9676054d53b962f03a91050977d16c55edb0ac3
SSDEEP

24576:1ydHl4Vi6qm7Aa1UaW7J5RzkF2o5x6RrAyB:wl4Viw7zUTNQF2o6xB

Score

10^/10

urelas trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1668	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1284	jupuh.exe
2956	asviz.exe

Loads dropped DLL 3 IoCs

pid	Process
2352	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
2352	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
1284	jupuh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
1284	jupuh.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe
2956	asviz.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1284	2352	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	28
PID 2352 wrote to memory of 1284	2352	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	28
PID 2352 wrote to memory of 1284	2352	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	28
PID 2352 wrote to memory of 1284	2352	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	28
PID 2352 wrote to memory of 1668	2352	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	29
PID 2352 wrote to memory of 1668	2352	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	29
PID 2352 wrote to memory of 1668	2352	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	29
PID 2352 wrote to memory of 1668	2352	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	29
PID 1284 wrote to memory of 2956	1284	jupuh.exe	33
PID 1284 wrote to memory of 2956	1284	jupuh.exe	33
PID 1284 wrote to memory of 2956	1284	jupuh.exe	33
PID 1284 wrote to memory of 2956	1284	jupuh.exe	33

C:\Users\Admin\AppData\Local\Temp\8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
"C:\Users\Admin\AppData\Local\Temp\8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\jupuh.exe
  "C:\Users\Admin\AppData\Local\Temp\jupuh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\asviz.exe
    "C:\Users\Admin\AppData\Local\Temp\asviz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
d73c5099a0625ad707388d0850968dd4

SHA1
51dab7198c7c6487dd6c1f25f9cec58119bab9a7

SHA256
37b41dbd3c89e1d7b2828743bfac4cce87916cf671c59040cc5b7bc0ad4360bc

SHA512
578b5b256ffac7474f36317531f8f445db18c517630df93f8048bbeabee5d17199c958978c03ba40124e86416fc75bb7c64729fa75e99bc4293909742148331d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
65ffcfe14c2197009096dde8ef1b7bf8

SHA1
450ee07aeb7e07cbac9f3a055daffd9fe2617d8f

SHA256
c1c8fea3376b863bed0475312e6ce3773763a7280e1a2774b18fab0f2ac74b20

SHA512
e5cedfca0bf2b84bef16ec07ef493bfd3ed8641dab161236f1ca06c7016f48ae4067834fd172c6bdbb042d8f0c60db6d260a41f9e9e39b24ac1dd96832bc4417

Download Submit
C:\Users\Admin\AppData\Local\Temp\jupuh.exe

Filesize
999KB

MD5
95f2aafdc82e249caf03f40cf509e195

SHA1
514f80394835f024b39cb8d1b92a0e65613f2f13

SHA256
d622ce586a756635c9cddd2b2bfa10f7c6b2e8d0252b8d61330aeb6959dd7ef1

SHA512
dff8af6b7d272fd2b4c192d16c6db376c507a936a825555e1a0b9d39a50410a286fbd4b26b0f6989de0eca1c8f9b9e2e8c694c3e2c72fdf9c38a1774e5fefe81

Download Submit
\Users\Admin\AppData\Local\Temp\asviz.exe

Filesize
416KB

MD5
69fc2f4e2135569db4ab676e199c1a5b

SHA1
7c659c36ac9b7e3eff0684af7c103c40f0bb9c3d

SHA256
9da9fddf021fbb41c494df08024cb8b5810b1d508f0f38de6b3c0575a1065f33

SHA512
c739ffbe92a722eb6e0365dcf75bd396313974ac2c6b74e609cfdb89bccd1ec7c119cc864c6347589125ff69aba5fa2fb7c15181de6aa5a0549d31df3d3f8038

Download Submit
memory/1284-21-0x0000000001070000-0x0000000001174000-memory.dmp

Filesize
1.0MB

Download
memory/1284-24-0x0000000001070000-0x0000000001174000-memory.dmp

Filesize
1.0MB

Download
memory/1284-30-0x0000000001070000-0x0000000001174000-memory.dmp

Filesize
1.0MB

Download
memory/2352-0-0x0000000000EC0000-0x0000000000FC4000-memory.dmp

Filesize
1.0MB

Download
memory/2352-11-0x0000000002FA0000-0x00000000030A4000-memory.dmp

Filesize
1.0MB

Download
memory/2352-19-0x0000000000EC0000-0x0000000000FC4000-memory.dmp

Filesize
1.0MB

Download