urelas | 07e76d48048f345831535e1483a3013ca8e2c1b9a96511304ddbf8935c4b8d88

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 19:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3430ee8706cd29a5daf62024b67b825e.exe
Size

487KB
MD5

3430ee8706cd29a5daf62024b67b825e
SHA1

e2cba5141d3667eab23b1be0b42f79f9706400a6
SHA256

07e76d48048f345831535e1483a3013ca8e2c1b9a96511304ddbf8935c4b8d88
SHA512

5db5033d37def9d917a43167f5af963aeb0c8578710e734c115e89d3f49c1b5eb3cb2515653e6cf53559af859d79d7f951596d7c535f0b0edad22d520925f8ea
SSDEEP

12288:cpbfVlu0agWfZlnxgmEpZGsrUs99uDEq5EGDFhy:cpbGRZxSfGCUs99hq5Ja

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1744	yfnit.exe
2024	elvuk.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	3430ee8706cd29a5daf62024b67b825e.exe
1744	yfnit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe
2024	elvuk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1744	2364	3430ee8706cd29a5daf62024b67b825e.exe	28
PID 2364 wrote to memory of 1744	2364	3430ee8706cd29a5daf62024b67b825e.exe	28
PID 2364 wrote to memory of 1744	2364	3430ee8706cd29a5daf62024b67b825e.exe	28
PID 2364 wrote to memory of 1744	2364	3430ee8706cd29a5daf62024b67b825e.exe	28
PID 2364 wrote to memory of 2564	2364	3430ee8706cd29a5daf62024b67b825e.exe	29
PID 2364 wrote to memory of 2564	2364	3430ee8706cd29a5daf62024b67b825e.exe	29
PID 2364 wrote to memory of 2564	2364	3430ee8706cd29a5daf62024b67b825e.exe	29
PID 2364 wrote to memory of 2564	2364	3430ee8706cd29a5daf62024b67b825e.exe	29
PID 1744 wrote to memory of 2024	1744	yfnit.exe	33
PID 1744 wrote to memory of 2024	1744	yfnit.exe	33
PID 1744 wrote to memory of 2024	1744	yfnit.exe	33
PID 1744 wrote to memory of 2024	1744	yfnit.exe	33

C:\Users\Admin\AppData\Local\Temp\3430ee8706cd29a5daf62024b67b825e.exe
"C:\Users\Admin\AppData\Local\Temp\3430ee8706cd29a5daf62024b67b825e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\yfnit.exe
  "C:\Users\Admin\AppData\Local\Temp\yfnit.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\elvuk.exe
    "C:\Users\Admin\AppData\Local\Temp\elvuk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
f1642693dc780689dc5892f762254062

SHA1
453aa30df7547487e4459eddb466b8c96ab2a356

SHA256
664628cbcdf7dfc28de2760fcf5272290686efa26ce4989e8132683c1218d57b

SHA512
acdcfee5fc119ff2d6bb0829702a1c171fb6a865e7fbede00b36e32612cba1b4642e95457b2d5903f396d60a2d3b773ee0437cf398616faf6bf182fd2db0a890

Download Submit
C:\Users\Admin\AppData\Local\Temp\elvuk.exe

Filesize
179KB

MD5
fda647f62854b77aa396dec1fde85f37

SHA1
7e3055767ee7a78f45eccc54db784871f5477e7f

SHA256
92e531dc8e9f5ce17efa5c885e85f4c6a7e1fefe273cb53cb8282242798a4f2c

SHA512
2af551933102a39cd8865d714163e8540c931ebbf97da9fd784345cb02dc4f0634ff4750e825898813aaa95bceb919e39b5e52ba7915070996816e4f1a81b86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
01eb495d430a5ab80ce9a43588e4fc0e

SHA1
d950bf93d270484222f578aba17af77d425dd99f

SHA256
7076def7c6dfe06fdbd2831c4c7804f5e6619d35e24d77255beed482d9f80558

SHA512
37bbd02e9cdd8939181f01677897bc7115498f61531d3e18187e262129b2398cccaaa1d7b4abe6751945a03694d1bf4bf55cb3de630ec6300cd1e2f05c3a6fd1

Download Submit
\Users\Admin\AppData\Local\Temp\yfnit.exe

Filesize
487KB

MD5
fb1fc105ce5b191f391c1eacd1c68550

SHA1
4b204939a9eb010cb0a5a70f2bc1546c8cc28f46

SHA256
0948116c5150a578a692028b30f140b291812995967d34ad86ead7112d9cd070

SHA512
3701c9f4f9b0ba2ff5dfa2afbb0fbb7edb19c041cbdb202d3bfaa2bcf65489209f44f25bf2bf5ec6e2f0c44da5d8106b051668deff0af6cfc598b241b2727d51

Download Submit
memory/1744-33-0x0000000003E60000-0x0000000003F1F000-memory.dmp

Filesize
764KB

Download
memory/1744-27-0x0000000000ED0000-0x0000000000F56000-memory.dmp

Filesize
536KB

Download
memory/1744-20-0x0000000000ED0000-0x0000000000F56000-memory.dmp

Filesize
536KB

Download
memory/1744-26-0x0000000003E60000-0x0000000003F1F000-memory.dmp

Filesize
764KB

Download
memory/2024-29-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2024-31-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2024-32-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2024-34-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2024-35-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2024-36-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2364-0-0x0000000000A40000-0x0000000000AC6000-memory.dmp

Filesize
536KB

Download
memory/2364-17-0x0000000000A40000-0x0000000000AC6000-memory.dmp

Filesize
536KB

Download
memory/2364-6-0x0000000002340000-0x00000000023C6000-memory.dmp

Filesize
536KB

Download