urelas | fc7da515c0f27fce223a25286c3cab351e38d40770be3517430056f7940f308f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de322c81026f271e9ff9c5aca5b6cb48.exe
Size

67KB
MD5

de322c81026f271e9ff9c5aca5b6cb48
SHA1

b9831eda63f2d89cc8663adaf0e6270ec8b279cb
SHA256

fc7da515c0f27fce223a25286c3cab351e38d40770be3517430056f7940f308f
SHA512

e22f151ceb14c8240c837b7500e4c2a61f6c3f1d88568fc88a1ee856aa78851e8b0fec487887352c392eaf60c49581913e225fc2073619661938f6608714d427
SSDEEP

1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCar+j:yLAYUzmdD0sMQl7d7IuhCaaj

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2956	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2192	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2512	de322c81026f271e9ff9c5aca5b6cb48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2192	2512	de322c81026f271e9ff9c5aca5b6cb48.exe	28
PID 2512 wrote to memory of 2192	2512	de322c81026f271e9ff9c5aca5b6cb48.exe	28
PID 2512 wrote to memory of 2192	2512	de322c81026f271e9ff9c5aca5b6cb48.exe	28
PID 2512 wrote to memory of 2192	2512	de322c81026f271e9ff9c5aca5b6cb48.exe	28
PID 2512 wrote to memory of 2956	2512	de322c81026f271e9ff9c5aca5b6cb48.exe	29
PID 2512 wrote to memory of 2956	2512	de322c81026f271e9ff9c5aca5b6cb48.exe	29
PID 2512 wrote to memory of 2956	2512	de322c81026f271e9ff9c5aca5b6cb48.exe	29
PID 2512 wrote to memory of 2956	2512	de322c81026f271e9ff9c5aca5b6cb48.exe	29

C:\Users\Admin\AppData\Local\Temp\de322c81026f271e9ff9c5aca5b6cb48.exe
"C:\Users\Admin\AppData\Local\Temp\de322c81026f271e9ff9c5aca5b6cb48.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1c9b2720af0ca9528b47898d9c7f4799

SHA1
80495f16e333f54ecc700252323c2a7cb7d751e1

SHA256
d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

SHA512
5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
89fc4528d541b900fa23459360b977bd

SHA1
e97de011d3181142425586e9d0e3eea135a65cb7

SHA256
e4e86ac76f867a96874a9041abd3af3a6f755488e77c06d8a744141e2657b8f0

SHA512
df2adb889b5951eda530532e0540bd9abb6bc30ec410247b0be69426bf298bf3459401279390b803cd47893e2091458d0305e06c88de89e0376527cafeea9919

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
67KB

MD5
9d8fdbd52dcfaf63b6e219e9aeae7e60

SHA1
65bb26ec70d96ef7ec7c315a1348362db6b225a4

SHA256
0181eab2fdc3c2ed7768f9bf4b93c107f565c5278e1638ff646b09c30044cebe

SHA512
cdb9d5ee264ed1237d531b7587e5242e8e5469f147184f57a1bb50c02bbdb3d77c7c22dcac5a219095fe3949bdabd3e3999a171613a9f591a5d33e6cccf4147c

Download Submit
memory/2192-18-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2192-21-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2192-23-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2192-29-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2512-0-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/2512-10-0x00000000008B0000-0x00000000008D7000-memory.dmp

Filesize
156KB

Download
memory/2512-17-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download