urelas | d6d1d6fe4be85a2b54ca97dcb642c53011e5b507eeb13f5c27cfa3c2aa751103

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a8d0c692042fcace23a8b9461050ddd.exe
Size

328KB
MD5

4a8d0c692042fcace23a8b9461050ddd
SHA1

b9eb6d038650d33fe9553d4e692e25088113d91f
SHA256

d6d1d6fe4be85a2b54ca97dcb642c53011e5b507eeb13f5c27cfa3c2aa751103
SHA512

f51092c252afb5844b3e7ba4b98aeb7e329a7e05a63504a8e627d3ce2717e9edf73a5e8c218b28d11af5d32a1996e54512588688fa8ddbf29549ec656299f473
SSDEEP

6144:wObaeY8zPekKKH/hT8PVdkLHtA3nPER5oSHzZ4NyM:wOb/KKH/hT8PVdkJA3uoSir

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.184

121.88.5.183

218.54.30.235

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1844	opert.exe

Loads dropped DLL 1 IoCs

pid	Process
2224	4a8d0c692042fcace23a8b9461050ddd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x0027000000015549-4.dat	upx
behavioral1/memory/2224-18-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1844-10-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1844-21-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1844-22-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1844	2224	4a8d0c692042fcace23a8b9461050ddd.exe	28
PID 2224 wrote to memory of 1844	2224	4a8d0c692042fcace23a8b9461050ddd.exe	28
PID 2224 wrote to memory of 1844	2224	4a8d0c692042fcace23a8b9461050ddd.exe	28
PID 2224 wrote to memory of 1844	2224	4a8d0c692042fcace23a8b9461050ddd.exe	28
PID 2224 wrote to memory of 2680	2224	4a8d0c692042fcace23a8b9461050ddd.exe	29
PID 2224 wrote to memory of 2680	2224	4a8d0c692042fcace23a8b9461050ddd.exe	29
PID 2224 wrote to memory of 2680	2224	4a8d0c692042fcace23a8b9461050ddd.exe	29
PID 2224 wrote to memory of 2680	2224	4a8d0c692042fcace23a8b9461050ddd.exe	29

C:\Users\Admin\AppData\Local\Temp\4a8d0c692042fcace23a8b9461050ddd.exe
"C:\Users\Admin\AppData\Local\Temp\4a8d0c692042fcace23a8b9461050ddd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\opert.exe
  "C:\Users\Admin\AppData\Local\Temp\opert.exe"
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
eedb29ddd99eaacb97303426301d4575

SHA1
598485f712057df31e2318e85d17949510adea21

SHA256
79a0976bed8113f97584faf4ea7e820ecc6eb864a78b17fcdc9dcf8db252d84e

SHA512
cfcaeb5b791127f2b06cafc8590e4cc6ca2ea8a66f04abb7c6cad9bbe4ab84c819e1126b7919da68d3bdd25300866d695d40d61ab0b1cba8764c4c1dafe520db

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
62f32696e40b9df1f996c2707bb981ac

SHA1
c8110d33408b53d70148392f4c7b9248abeac967

SHA256
d49c46ff343c62a5397f95b8536103a5c19272977998155fa3f65774458f99e6

SHA512
3833b79c77bcf3a9237708fe7ff4510332ef3773d4a50694be42449743d5bbcb6c73173a45464f77239852a5a339ba05cf8f51eca536a8b6aaa53e0cf179e77f

Download Submit
\Users\Admin\AppData\Local\Temp\opert.exe

Filesize
328KB

MD5
9ccff7686793f7f4d0cedcc638f31f75

SHA1
b7b222198871ef456aab759df6447348626cef3e

SHA256
160fac6d70c09e7b1eb25482cfe77d5286a8d4907a2a55311d9c1dd3a9469e14

SHA512
0315df04a1d02d483289b882ecf0abd58f844827486bb79f15dd4ae88b5679ba0fb6f9b4b69b1ece0446f00fe883f1a660188bdf32f26232d8f4d3f39f072aca

Download Submit
memory/1844-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1844-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1844-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2224-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2224-9-0x0000000002170000-0x00000000021CB000-memory.dmp

Filesize
364KB

Download
memory/2224-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download