urelas | c7661d91bada02fb540c88e94bf5ee6594f5157a7b3343c19619a6b1ec5480b7

Analysis

max time kernel
158s
max time network
187s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c14fb102c05d77ab7443cc15d489ea70.exe
Size

328KB
MD5

c14fb102c05d77ab7443cc15d489ea70
SHA1

cd2176a25e62066e076fe99efb30058a139c888d
SHA256

c7661d91bada02fb540c88e94bf5ee6594f5157a7b3343c19619a6b1ec5480b7
SHA512

8e03afacbecc4aa4f5ffe00af996479405ccb02021530bda074964b4226001a7016c98fb84a7594e497abf765b7a11aa85ac66b9a19e6d261bfb29e2a0d51bf3
SSDEEP

6144:wObaeY8zPekKKH/hT8PVdkLHtA3nPER5oSHzZ4NyQ:wOb/KKH/hT8PVdkJA3uoSiT

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.184

121.88.5.183

218.54.30.235

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
592	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2364	opert.exe

Loads dropped DLL 1 IoCs

pid	Process
2396	c14fb102c05d77ab7443cc15d489ea70.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-0-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2396-3-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x0008000000012249-5.dat	upx
behavioral1/memory/2364-10-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2396-18-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2364	2396	c14fb102c05d77ab7443cc15d489ea70.exe	28
PID 2396 wrote to memory of 2364	2396	c14fb102c05d77ab7443cc15d489ea70.exe	28
PID 2396 wrote to memory of 2364	2396	c14fb102c05d77ab7443cc15d489ea70.exe	28
PID 2396 wrote to memory of 2364	2396	c14fb102c05d77ab7443cc15d489ea70.exe	28
PID 2396 wrote to memory of 592	2396	c14fb102c05d77ab7443cc15d489ea70.exe	29
PID 2396 wrote to memory of 592	2396	c14fb102c05d77ab7443cc15d489ea70.exe	29
PID 2396 wrote to memory of 592	2396	c14fb102c05d77ab7443cc15d489ea70.exe	29
PID 2396 wrote to memory of 592	2396	c14fb102c05d77ab7443cc15d489ea70.exe	29

C:\Users\Admin\AppData\Local\Temp\c14fb102c05d77ab7443cc15d489ea70.exe
"C:\Users\Admin\AppData\Local\Temp\c14fb102c05d77ab7443cc15d489ea70.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\opert.exe
  "C:\Users\Admin\AppData\Local\Temp\opert.exe"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
eedb29ddd99eaacb97303426301d4575

SHA1
598485f712057df31e2318e85d17949510adea21

SHA256
79a0976bed8113f97584faf4ea7e820ecc6eb864a78b17fcdc9dcf8db252d84e

SHA512
cfcaeb5b791127f2b06cafc8590e4cc6ca2ea8a66f04abb7c6cad9bbe4ab84c819e1126b7919da68d3bdd25300866d695d40d61ab0b1cba8764c4c1dafe520db

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
7d9dd9c904b68c7e726d39b0d390e0c0

SHA1
5caa23245478df846b7b460dbef3cee92431e6b7

SHA256
a97ceca17fb783be3f4a06a8965cc15622e5ce5d8410e68ba554456ca68aff01

SHA512
efddffbf9031e1be8db233b418ddc1c21be82e8913815f205c65b76de5a9cc3bc6110af860b2c5c690f7d3a9b00c936f3172704215c7f898775be836d10dcd6a

Download Submit
\Users\Admin\AppData\Local\Temp\opert.exe

Filesize
328KB

MD5
7780cabc32c82993912dee68a9f97e54

SHA1
4152c600e370ef668f7f7be3b03c1efbfa190ae8

SHA256
5fc8c94fb4296fe3f754ee7b88f6bf6515224b86445244d1ad708da42cf35b0b

SHA512
f84ea20634454f2bed54aa0c9797560efeb499005b80032d5afc1d340b74f688b718e7cff49157cfbb22dd192fe4daf76d476aff12f7e74f8d9c50ba757addf3

Download Submit
memory/2364-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2396-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2396-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2396-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download