urelas | e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/03/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe
Size

344KB
MD5

e90fbfc35090355aec173d79341b7b8c
SHA1

6de2e18af5013c1236f691d03fe739471126a42e
SHA256

e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791
SHA512

c9fdc21fc07ea8272cfa9555316d91df9fab5d226f5c696b78d4cb4461df8ab4b35a01da0d3ca46ce229e945bb33ae23f1c7fb39c4ba1764af50d70915623610
SSDEEP

6144:DX+psoWJ+IvLI7BziS3qoJGd2GexPZmxMcVp0XpY:ymoWkI094og2GgPZkiC

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2504	ijkur.exe

Loads dropped DLL 1 IoCs

pid	Process
2192	e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2504	2192	e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe	28
PID 2192 wrote to memory of 2504	2192	e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe	28
PID 2192 wrote to memory of 2504	2192	e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe	28
PID 2192 wrote to memory of 2504	2192	e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe	28
PID 2192 wrote to memory of 2604	2192	e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe	29
PID 2192 wrote to memory of 2604	2192	e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe	29
PID 2192 wrote to memory of 2604	2192	e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe	29
PID 2192 wrote to memory of 2604	2192	e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe	29

C:\Users\Admin\AppData\Local\Temp\e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe
"C:\Users\Admin\AppData\Local\Temp\e518625844848805ddf2dae9479ccdfdf6013084b68910cd004954aa81e30791.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\ijkur.exe
  "C:\Users\Admin\AppData\Local\Temp\ijkur.exe"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
bb58049e335fa69e3e5ad91fdb5170bd

SHA1
580f55735f98c128eb0eb95968e00b92a4f6267b

SHA256
882ad1d47647dbd566bc502b07b00ede2382b9494c1616164b8ab67e7620af7b

SHA512
80ba5f3064b717868d72be7388f8d7779351123894168b3af9a4baa65a9909eecb68c732a9b4d0a09f68498e600c1cbae01603de189a64f97072f2ca70ac3a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3b5bd4b472219800da7bafb677327c76

SHA1
a210425f96113778cc1c61cfab08c07a9827a9ec

SHA256
a0fd8ffb6e8bb789c41c69853aa4e2a81e02086cd13df750fa090f1b19e46d54

SHA512
4924032b697f29a67b35c8a2aa2b8c77d671c09b9f31d941dfd7bd554a7f0c8d5352958b124dd791e010c8b857ed153e61be5852fa752803fdd17c3f7f0ee304

Download Submit
\Users\Admin\AppData\Local\Temp\ijkur.exe

Filesize
344KB

MD5
741b0af44307a6ef44c9e62797556a20

SHA1
b03d3fab53fe8b92ff1828657825f733fb0867e1

SHA256
b9ffdd65c886013e5771a4cb7de2ac35c59ece8888fa4f223b9a6c4bf4f9b1da

SHA512
063f017b6d47757677c868e09aacfc8739510aebd4c14c278325314956f3d294790a4aed546c343ef386d59ac7ca59c9f6172885556345c3b897955855bfdd5b

Download Submit
memory/2192-0-0x0000000000F10000-0x0000000000FDC000-memory.dmp

Filesize
816KB

Download
memory/2192-8-0x0000000000E30000-0x0000000000EFC000-memory.dmp

Filesize
816KB

Download
memory/2192-17-0x0000000000F10000-0x0000000000FDC000-memory.dmp

Filesize
816KB

Download
memory/2504-18-0x0000000000A60000-0x0000000000B2C000-memory.dmp

Filesize
816KB

Download
memory/2504-21-0x0000000000A60000-0x0000000000B2C000-memory.dmp

Filesize
816KB

Download