urelas | 6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe
Size

366KB
MD5

8d485f83022e4be758176248bb551a09
SHA1

a75b23f6102cf0b4ba71590ec1da7f72421d74e4
SHA256

6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619
SHA512

80c45c3eb593ceb284fa513245ffb5c0d5a971795250552d0f1b24959fba1cf5943f7843421b69f945367578db175af1fbd4b74dba7c73d93065288ee76edbfa
SSDEEP

6144:1o3whi+1Py3V0a24kOn+Sr72iyjmhuKtUYiw52hVOcvBRMHkWYHpo:YKf1PyKa2anKjm3OYZ2hocvHK

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2000	moruk.exe
716	notek.exe

Loads dropped DLL 2 IoCs

pid	Process
3028	6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe
2000	moruk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe
716	notek.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2000	3028	6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe	28
PID 3028 wrote to memory of 2000	3028	6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe	28
PID 3028 wrote to memory of 2000	3028	6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe	28
PID 3028 wrote to memory of 2000	3028	6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe	28
PID 3028 wrote to memory of 2052	3028	6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe	29
PID 3028 wrote to memory of 2052	3028	6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe	29
PID 3028 wrote to memory of 2052	3028	6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe	29
PID 3028 wrote to memory of 2052	3028	6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe	29
PID 2000 wrote to memory of 716	2000	moruk.exe	33
PID 2000 wrote to memory of 716	2000	moruk.exe	33
PID 2000 wrote to memory of 716	2000	moruk.exe	33
PID 2000 wrote to memory of 716	2000	moruk.exe	33

C:\Users\Admin\AppData\Local\Temp\6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe
"C:\Users\Admin\AppData\Local\Temp\6e260e670af0036709d6b8e72541f60e45a02bd6a5b0c0bb8260a1574bb96619.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\moruk.exe
  "C:\Users\Admin\AppData\Local\Temp\moruk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\notek.exe
    "C:\Users\Admin\AppData\Local\Temp\notek.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
319ae29c1070879d12f867d45e6607ce

SHA1
04df641032207345c0be275ccef5280af41c5fb2

SHA256
a15e8bb02ae31b4f3100a4101fed0f21ec28ab4e8e753902193fb3666c3dd317

SHA512
a09116eb0cdc528c98efb29a4c86aa40ffe4a3f1ba5279de36a967246dde08b80a0704674e3d4ce0ee90b0c0483ed85afb5786108230a989f04f072b156f2732

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
849f3ab9303b4b5e643a70a65543de65

SHA1
a5eeb8802f90238cd5e5e68d4528ccb68c9d3be1

SHA256
a4fd3ef1daf78f7f866f42101ba57af1af9ff427ddcedcc3dd00f1c17ab9f9f0

SHA512
21e2388a894709f0a630942a8ee4ed9a5b6f794324b924c948025977c05dcc8ade1c07767c70411ba17c44963749675bde75c5ec6f20b48e655287924b157180

Download Submit
C:\Users\Admin\AppData\Local\Temp\notek.exe

Filesize
208KB

MD5
10cefd46ccdbecf8194ab54d92970a7a

SHA1
eee08b688bf90253186b6c8cefe1fc5562a7d602

SHA256
9f90e8a0c590c24566708ceb04ce0041d3fe2a6933e8c0b00a9886a07fc3163f

SHA512
c2d7389965f2631706980c5ee78406452e092387ae8b71cf5b3d2b2cc5e4ff30bc5d4615a41a6a2598402c87205c938df86f1837ab8936a91b13ee57573011d7

Download Submit
\Users\Admin\AppData\Local\Temp\moruk.exe

Filesize
366KB

MD5
271f9c524e3e2b4d0aeb87cffc0873f8

SHA1
19f54e294e418cb004818dbddedc9a1802109ffd

SHA256
710fdeb6933fad5779f910f7b356e7bcd6d669541720dee67e7ab2e1286d7ab3

SHA512
fa80e86363bc819c5a018c8295150839b51f4f95b2bd9e39e67baf50c4d9b2bc96b8c15f538c1f6d5c479eab13af94952c9ed342b771f1e3bcf757a81814354c

Download Submit
memory/716-32-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/716-31-0x0000000000F80000-0x0000000001033000-memory.dmp

Filesize
716KB

Download
memory/716-38-0x0000000000F80000-0x0000000001033000-memory.dmp

Filesize
716KB

Download
memory/716-37-0x0000000000F80000-0x0000000001033000-memory.dmp

Filesize
716KB

Download
memory/716-36-0x0000000000F80000-0x0000000001033000-memory.dmp

Filesize
716KB

Download
memory/716-35-0x0000000000F80000-0x0000000001033000-memory.dmp

Filesize
716KB

Download
memory/716-34-0x0000000000F80000-0x0000000001033000-memory.dmp

Filesize
716KB

Download
memory/2000-22-0x0000000001150000-0x00000000011B2000-memory.dmp

Filesize
392KB

Download
memory/2000-30-0x0000000003C30000-0x0000000003CE3000-memory.dmp

Filesize
716KB

Download
memory/2000-29-0x0000000001150000-0x00000000011B2000-memory.dmp

Filesize
392KB

Download
memory/2000-11-0x0000000001150000-0x00000000011B2000-memory.dmp

Filesize
392KB

Download
memory/3028-0-0x0000000000F80000-0x0000000000FE2000-memory.dmp

Filesize
392KB

Download
memory/3028-1-0x0000000000F80000-0x0000000000FE2000-memory.dmp

Filesize
392KB

Download
memory/3028-19-0x0000000000F80000-0x0000000000FE2000-memory.dmp

Filesize
392KB

Download
memory/3028-6-0x00000000009A0000-0x0000000000A02000-memory.dmp

Filesize
392KB

Download