urelas | 9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe
Size

276KB
MD5

4814e846831833acf4f8d0e8d49e425d
SHA1

90e0d1a2b813401f0865a6c406e18547b52096c5
SHA256

9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f
SHA512

e3c277f4e52a8542f497304d7e4c84d875b4dd906ab05be29eb9cd923b96bff83d5ece3851c27feed795b83a9f16a3c89ddf9e5e8e815aa1f1ffe5c25b1144b2
SSDEEP

6144:jjRKpaz7NrnzxIOyh5pvNLd+muC6tzpop1roiF:j3nlIOyh5pvNg3C6tK

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.184

121.88.5.183

218.54.30.235

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2032	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2008	opert.exe

Loads dropped DLL 1 IoCs

pid	Process
2212	9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2008	2212	9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe	28
PID 2212 wrote to memory of 2008	2212	9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe	28
PID 2212 wrote to memory of 2008	2212	9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe	28
PID 2212 wrote to memory of 2008	2212	9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe	28
PID 2212 wrote to memory of 2032	2212	9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe	29
PID 2212 wrote to memory of 2032	2212	9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe	29
PID 2212 wrote to memory of 2032	2212	9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe	29
PID 2212 wrote to memory of 2032	2212	9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe	29

C:\Users\Admin\AppData\Local\Temp\9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe
"C:\Users\Admin\AppData\Local\Temp\9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\opert.exe
  "C:\Users\Admin\AppData\Local\Temp\opert.exe"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fe7166a28954b6fdc0725678e557dc63

SHA1
a4773f5793bff2bf1ba8740d035dce26263df523

SHA256
1761a5749c1d10f843f253c896093f99496e7d86a0b6375363721713f72a4ff1

SHA512
62ce8e05d74630cb88049bcf610167e74a37cc1c8ffa3ce4c216b3ca1089b7d38e9d4fcf14a0115084a22bd434a42f23f61b4198852ebac9b604ade90d8021be

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
e5a2727d299e9d0df6598d28b90e8a6b

SHA1
b2c5c2f5101decce19a962710ecabd38b6727293

SHA256
1531c6107e5df192de1364619d8804001dcd4c3081adc96b1fa9e7e34923343f

SHA512
34fa476db90139a1416bdad51bf1744e0fd159c33cf95e543711a0ae356ff53e5bc1ec7d35a972dfa5e554dbd9729d72fa7d45c26f0906d48c2f634ce237fdc2

Download Submit
\Users\Admin\AppData\Local\Temp\opert.exe

Filesize
276KB

MD5
4814e846831833acf4f8d0e8d49e425d

SHA1
90e0d1a2b813401f0865a6c406e18547b52096c5

SHA256
9df6fbcdb5c43d22e0e7a60aa156a3492ba7a4ecb39753cacc258f9b1704e51f

SHA512
e3c277f4e52a8542f497304d7e4c84d875b4dd906ab05be29eb9cd923b96bff83d5ece3851c27feed795b83a9f16a3c89ddf9e5e8e815aa1f1ffe5c25b1144b2

Download Submit
memory/2008-16-0x0000000000170000-0x00000000001BB000-memory.dmp

Filesize
300KB

Download
memory/2008-21-0x0000000000170000-0x00000000001BB000-memory.dmp

Filesize
300KB

Download
memory/2212-0-0x00000000008C0000-0x000000000090B000-memory.dmp

Filesize
300KB

Download
memory/2212-9-0x00000000020A0000-0x00000000020EB000-memory.dmp

Filesize
300KB

Download
memory/2212-18-0x00000000008C0000-0x000000000090B000-memory.dmp

Filesize
300KB

Download