urelas | afd5947c53ec3fbfa05babc02f2a638c6b9a59d1303bd9802ad23584465d91eb

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb3775cf3ffe36b9c5cfb9f37ad5e638.exe
Size

415KB
MD5

fb3775cf3ffe36b9c5cfb9f37ad5e638
SHA1

fe8ce16de51789591531d2c30813329a49953326
SHA256

afd5947c53ec3fbfa05babc02f2a638c6b9a59d1303bd9802ad23584465d91eb
SHA512

ad3366cc580c7e6271747f004683a5d043dad0d57b62d83ca98ab37d985b37295510a02e5bae7ff60497f3d57419710b9a53555c0fd0e0fdea70084ef999fc6e
SSDEEP

6144:bzwArTEDSCs5wL0DKlpn/URBudL7qRBpkvfsModogZ/SvnDTH95r:bMmQDSCs5wo0e8L7qRbQUugennHX

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
876	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1208	ruovc.exe
2772	symyv.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe
1208	ruovc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe
2772	symyv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1208	2236	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	30
PID 2236 wrote to memory of 1208	2236	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	30
PID 2236 wrote to memory of 1208	2236	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	30
PID 2236 wrote to memory of 1208	2236	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	30
PID 2236 wrote to memory of 876	2236	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	31
PID 2236 wrote to memory of 876	2236	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	31
PID 2236 wrote to memory of 876	2236	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	31
PID 2236 wrote to memory of 876	2236	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	31
PID 1208 wrote to memory of 2772	1208	ruovc.exe	33
PID 1208 wrote to memory of 2772	1208	ruovc.exe	33
PID 1208 wrote to memory of 2772	1208	ruovc.exe	33
PID 1208 wrote to memory of 2772	1208	ruovc.exe	33

C:\Users\Admin\AppData\Local\Temp\fb3775cf3ffe36b9c5cfb9f37ad5e638.exe
"C:\Users\Admin\AppData\Local\Temp\fb3775cf3ffe36b9c5cfb9f37ad5e638.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\ruovc.exe
  "C:\Users\Admin\AppData\Local\Temp\ruovc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\symyv.exe
    "C:\Users\Admin\AppData\Local\Temp\symyv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
1750aa75e225f011f32fc32e633fd45b

SHA1
60bcc738c3e74d6e5767e33434bf5d44f9d38287

SHA256
ba68800b86f85fd03d60200be65a883fe54e2378b8c74d176cda495567cc6f81

SHA512
8eb27ba9f6529af41309758d9066724ec664e3c7408cd279ed610e06e66bf2a64333ab4792004cc9d1728e40b10c0f8ccf91fd56195734485b5b83185a9055dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
995e228831cac31e941c33ef196ef77a

SHA1
add457266c640a466f1155f7e6ed2fd87d5beef5

SHA256
8d72207dc00ba81762676d752e437d534309426c959b98c80b9033a1d7f19a50

SHA512
a0446533f41213deec0d62da5b95bb49ef078f6025f8064a3641fff0c6a6afb9a9173cf05e9db14977d1bf365516bccbad04c5fddecdeb3ad28ad09323395b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\symyv.exe

Filesize
175KB

MD5
99e07c775f8bacdc47d3f74288a75eb2

SHA1
bfc095d0386bf537c02bbac585ef8f67f12da7e4

SHA256
952424e663b3dc5eca1ed26f6efaa49d1d00c58a68181cb1f98622ee949365e6

SHA512
cd27d5bd3cfd289f1d3816689f59b3c461e6f6a6bd37b54705d389cb763a3b83a971fe41fb11c073c9a41bef18a7dd655a2c67085705daede41d13f732b1f507

Download Submit
\Users\Admin\AppData\Local\Temp\ruovc.exe

Filesize
415KB

MD5
0682818c40ddcea036c800184292ee6c

SHA1
ae26c9561ef47a577793f5574c96f675e353d289

SHA256
dcd3d8db50df117f5aaf350944290b9a79ecdc492c17bbd5a36f114ff160ba74

SHA512
a30affc5c4f30cb72b889ba449c44ecb221820c9c73940e8c75c82db2805bf95525411a53bfe787eb78ad7664bbd43b3205e0fdd274622af4d4d280397f6cb25

Download Submit
memory/1208-10-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1208-28-0x0000000002CA0000-0x0000000002D30000-memory.dmp

Filesize
576KB

Download
memory/1208-27-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2236-9-0x0000000002700000-0x0000000002766000-memory.dmp

Filesize
408KB

Download
memory/2236-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2236-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2772-29-0x0000000000DA0000-0x0000000000E30000-memory.dmp

Filesize
576KB

Download
memory/2772-31-0x0000000000DA0000-0x0000000000E30000-memory.dmp

Filesize
576KB

Download
memory/2772-32-0x0000000000DA0000-0x0000000000E30000-memory.dmp

Filesize
576KB

Download
memory/2772-33-0x0000000000DA0000-0x0000000000E30000-memory.dmp

Filesize
576KB

Download
memory/2772-34-0x0000000000DA0000-0x0000000000E30000-memory.dmp

Filesize
576KB

Download
memory/2772-35-0x0000000000DA0000-0x0000000000E30000-memory.dmp

Filesize
576KB

Download