urelas | adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe
Size

448KB
MD5

030cf01cc382eea89b30d91cea2d020f
SHA1

56b6c669ffdf121f4d81507f04c77206cfc55bd1
SHA256

adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db
SHA512

ffd8f7ef91c53361dd0475c850b1836d7fca3732a0c5660725f9a465fbb90e51339790e96bdfaf7ea51c1c0db4b629d3abc883cac5ba8b8e863e77ef9352448d
SSDEEP

6144:FEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpddOMk:FMpASIcWYx2U6hAJQn2M

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1956	koped.exe
2052	vovyvu.exe
1796	doziz.exe

Loads dropped DLL 3 IoCs

pid	Process
2992	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe
1956	koped.exe
2052	vovyvu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe
1796	doziz.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1956	2992	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	28
PID 2992 wrote to memory of 1956	2992	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	28
PID 2992 wrote to memory of 1956	2992	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	28
PID 2992 wrote to memory of 1956	2992	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	28
PID 2992 wrote to memory of 2600	2992	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	29
PID 2992 wrote to memory of 2600	2992	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	29
PID 2992 wrote to memory of 2600	2992	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	29
PID 2992 wrote to memory of 2600	2992	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	29
PID 1956 wrote to memory of 2052	1956	koped.exe	31
PID 1956 wrote to memory of 2052	1956	koped.exe	31
PID 1956 wrote to memory of 2052	1956	koped.exe	31
PID 1956 wrote to memory of 2052	1956	koped.exe	31
PID 2052 wrote to memory of 1796	2052	vovyvu.exe	34
PID 2052 wrote to memory of 1796	2052	vovyvu.exe	34
PID 2052 wrote to memory of 1796	2052	vovyvu.exe	34
PID 2052 wrote to memory of 1796	2052	vovyvu.exe	34
PID 2052 wrote to memory of 2664	2052	vovyvu.exe	35
PID 2052 wrote to memory of 2664	2052	vovyvu.exe	35
PID 2052 wrote to memory of 2664	2052	vovyvu.exe	35
PID 2052 wrote to memory of 2664	2052	vovyvu.exe	35

C:\Users\Admin\AppData\Local\Temp\adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe
"C:\Users\Admin\AppData\Local\Temp\adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\koped.exe
  "C:\Users\Admin\AppData\Local\Temp\koped.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\vovyvu.exe
    "C:\Users\Admin\AppData\Local\Temp\vovyvu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\doziz.exe
      "C:\Users\Admin\AppData\Local\Temp\doziz.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
0b156f267d556048eb9a3946209f8119

SHA1
3901f88b51d92d18067abe25361ec14fb0090213

SHA256
2a09a01585543399f74e84a64fbff8245a1220441b56511bc59affd7ccce6cac

SHA512
ebecd955f5ad3829f62f18937761a73679cb05797394f87c3134b56d55f8c957de5726073f7af68fb6116059bb0e9c8a64ef6921b8b2d35a048da79cc8fc6e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
af9779d1d2853c79b95ff6efa560714e

SHA1
107e7a7ccc669ac9fb36e124f68673ba8dc6c893

SHA256
14ce8a1a90962f141afe330ac691a4fa84bf26842693ca71f49ac1af90c545f7

SHA512
dab3ca59355ba5743e15b7205831b07dc670c919d3dc7d5c8de8018d434e1ea8e1cea979f04983120d45cd56eaf979e0f116fe3d4fba95d77a34f78121327497

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6ae706b7f9f3926b23240e44fcd8982c

SHA1
70f764f5caf21b2d7e6db702010789ae0021f9ee

SHA256
6c1b64f0f247b104512c9673c004341f746c0454b8c9833e115c403e8692ac4a

SHA512
9d1092b02b293b90751989948c5a89faaed06ac661d67418ea60f3edc748451a2cf7a13804dcd3a8a297f384d7c57b990e929ceeee2c5b67d7276be15c252e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\vovyvu.exe

Filesize
448KB

MD5
5dbcb8a00a5b7f48b3d37e4cb51ce420

SHA1
33ef38c446ea98f077749f0694486d7ffa9b7f31

SHA256
85dccbf894fc38e7ff6ed7d80becd28e6dc729a55f672429756fca2f189a3ded

SHA512
af107595d7060a23ca5287ec6ae94ae5ad2e824a732dad72fd61ee0f746323ea74217050ee6777fd683b4777bfc415e2c13e1242947a4bdb98bcbddacda170c0

Download Submit
\Users\Admin\AppData\Local\Temp\doziz.exe

Filesize
223KB

MD5
aac8eebdca809dba49f36c751b5135e9

SHA1
13d927a3fd2ad09dfe71ef8e13151f9b3bdee962

SHA256
e8b82fe54ff240df201d394d8dfb2cc29d39d907e4bab4124681f836d629d97e

SHA512
e27eec54a3b601007afdd3f010e13da6035d499fff3bc390908b465ac02f185b830fa4f64f1bb450533be2573beca73e11c685e8ce91c1927c8f7531d48a121b

Download Submit
\Users\Admin\AppData\Local\Temp\koped.exe

Filesize
448KB

MD5
9bb7543ae57a492a684e4f2f6b952e67

SHA1
56c370ccd9f7b6454ad952e06ce076ede73a2cb4

SHA256
1575f3eddae7662e88109215f791d1fba8f9138ad32de44cef507a9fa231d2ad

SHA512
c736d2b12b93aa57d8dd9da42e3362c1f30ada9ecb313bf9f2c590cd43373c550cdf5f33b71a1f701134fbb9949241127374213d1a743bd5922113a34cbf23c5

Download Submit
memory/1796-52-0x0000000000880000-0x0000000000920000-memory.dmp

Filesize
640KB

Download
memory/1796-47-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1796-55-0x0000000000880000-0x0000000000920000-memory.dmp

Filesize
640KB

Download
memory/1796-54-0x0000000000880000-0x0000000000920000-memory.dmp

Filesize
640KB

Download
memory/1796-53-0x0000000000880000-0x0000000000920000-memory.dmp

Filesize
640KB

Download
memory/1796-45-0x0000000000880000-0x0000000000920000-memory.dmp

Filesize
640KB

Download
memory/1796-51-0x0000000000880000-0x0000000000920000-memory.dmp

Filesize
640KB

Download
memory/1956-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1956-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2052-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2052-36-0x0000000003AE0000-0x0000000003B80000-memory.dmp

Filesize
640KB

Download
memory/2052-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2992-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2992-6-0x00000000022E0000-0x000000000234E000-memory.dmp

Filesize
440KB

Download
memory/2992-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download