urelas | 7944271bb179c31d75a959a56a5cef9a34c1a21e2a2ade96ff8cc5d74f94054e

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 19:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e5f099567222ed660a823bb7a624c30.exe
Size

366KB
MD5

7e5f099567222ed660a823bb7a624c30
SHA1

cc843f9a1616620e072faa2ae9990602a8df13ce
SHA256

7944271bb179c31d75a959a56a5cef9a34c1a21e2a2ade96ff8cc5d74f94054e
SHA512

6a219f8095b6845697dc12c5a618c4a8b48a1d1379104911dd3bafca241ab3bc2051c0ce6efe0d12f8c75fb0d9dd3254b48899ab6c54779cd697d0b484480177
SSDEEP

6144:OuJkl8DV12C28tLN2/FkCO0aHftvCGCBhDOHjTPmXHk62pO:OzGL2C2aZ2/F1XaveOHjTC

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Executes dropped EXE 1 IoCs

pid	Process
2100	ygwoc.exe

Loads dropped DLL 1 IoCs

pid	Process
2976	7e5f099567222ed660a823bb7a624c30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2100	2976	7e5f099567222ed660a823bb7a624c30.exe	28
PID 2976 wrote to memory of 2100	2976	7e5f099567222ed660a823bb7a624c30.exe	28
PID 2976 wrote to memory of 2100	2976	7e5f099567222ed660a823bb7a624c30.exe	28
PID 2976 wrote to memory of 2100	2976	7e5f099567222ed660a823bb7a624c30.exe	28

C:\Users\Admin\AppData\Local\Temp\7e5f099567222ed660a823bb7a624c30.exe
"C:\Users\Admin\AppData\Local\Temp\7e5f099567222ed660a823bb7a624c30.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\ygwoc.exe
  "C:\Users\Admin\AppData\Local\Temp\ygwoc.exe"
  2⤵
  - Executes dropped EXE
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
481050b19f74ab97f94a8df9304a095f

SHA1
cabb575fdd02ba33c51b80830979e4232b34f7c6

SHA256
a605c88387d88843ae7d32e5dcc8a480565551ccb0aab69fbb17daf784c23a3c

SHA512
1be1e4da26ec0fdf47fea2f1b7d1eb6d2f125adfdeb0321c417526b7a32a0111c09269e0cfaf0e89e0fa0d9caea775105718dc2accb00134967f4c4f87d631c7

Download Submit
\Users\Admin\AppData\Local\Temp\ygwoc.exe

Filesize
366KB

MD5
27ec9c152bccf082ff5ee3a47e049bc5

SHA1
a2cfeee8fe190f7626f7302d8db536672a26dedf

SHA256
5e236a92686a7b18ae438ed08fc6382399d8058aca7e292fbc08fb47e02d19d6

SHA512
126545b985d2382db126eb3f2f60939af83801ae4562a210af84e2c8dd74d70a3f591da665e31b2a2e0b2af73ee6c2f5040a66d571bb2c76beaf578a439eb197

Download Submit
memory/2100-17-0x00000000011A0000-0x0000000001202000-memory.dmp

Filesize
392KB

Download
memory/2976-0-0x0000000000180000-0x00000000001E2000-memory.dmp

Filesize
392KB

Download
memory/2976-6-0x0000000002750000-0x00000000027B2000-memory.dmp

Filesize
392KB

Download
memory/2976-12-0x0000000000180000-0x00000000001E2000-memory.dmp

Filesize
392KB

Download