urelas | 29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe
Size

448KB
MD5

abc7af471759c348bed8520bf15295ef
SHA1

08064f0d39b9422c5d7b119831ccedea872ccdab
SHA256

29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c
SHA512

ab1a4715c6cf1e8d2fd0b62c4d2d167ddd7de9f0bfb5bb735f11f8e4df767badfcfc1dbadb3bedecc651ec3b4dc26be202ad3425f959991a6271265a393e8818
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjdOS:oMpASIcWYx2U6hAJQnMh

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1388	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1740	jeybu.exe
2672	hiywmu.exe
2304	xoyvb.exe

Loads dropped DLL 3 IoCs

pid	Process
2496	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe
1740	jeybu.exe
2672	hiywmu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe
2304	xoyvb.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1740	2496	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	28
PID 2496 wrote to memory of 1740	2496	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	28
PID 2496 wrote to memory of 1740	2496	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	28
PID 2496 wrote to memory of 1740	2496	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	28
PID 2496 wrote to memory of 1388	2496	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	29
PID 2496 wrote to memory of 1388	2496	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	29
PID 2496 wrote to memory of 1388	2496	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	29
PID 2496 wrote to memory of 1388	2496	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	29
PID 1740 wrote to memory of 2672	1740	jeybu.exe	31
PID 1740 wrote to memory of 2672	1740	jeybu.exe	31
PID 1740 wrote to memory of 2672	1740	jeybu.exe	31
PID 1740 wrote to memory of 2672	1740	jeybu.exe	31
PID 2672 wrote to memory of 2304	2672	hiywmu.exe	34
PID 2672 wrote to memory of 2304	2672	hiywmu.exe	34
PID 2672 wrote to memory of 2304	2672	hiywmu.exe	34
PID 2672 wrote to memory of 2304	2672	hiywmu.exe	34
PID 2672 wrote to memory of 784	2672	hiywmu.exe	35
PID 2672 wrote to memory of 784	2672	hiywmu.exe	35
PID 2672 wrote to memory of 784	2672	hiywmu.exe	35
PID 2672 wrote to memory of 784	2672	hiywmu.exe	35

C:\Users\Admin\AppData\Local\Temp\29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe
"C:\Users\Admin\AppData\Local\Temp\29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\jeybu.exe
  "C:\Users\Admin\AppData\Local\Temp\jeybu.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\hiywmu.exe
    "C:\Users\Admin\AppData\Local\Temp\hiywmu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\xoyvb.exe
      "C:\Users\Admin\AppData\Local\Temp\xoyvb.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f0370bb5181e8c260d1314b10ca45e74

SHA1
ce569266a667dfb50005a9a890306299676b1da8

SHA256
f93b0787b492076d41b2e6eb880f7c095dbf605c6fe34dcc36019e6d16ddb7ff

SHA512
c43b1b1bbfe1ff839d4f969456f0c3755fb3f80a9a81ce0f67c5273ced01abb590dd541ac3ad8e1c7a33a43dd8c71afee0aec8b23a66d87ef8d1b29b6470be0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
125a93a97e5490b2e3da4c51180e9eb0

SHA1
0a16ee28fb677ace3d8bc9c49a28ec6dbc66b02a

SHA256
a999f58af56ed30d85e906ea6a2ac048394c849964c2179d0a88818c56a6efd0

SHA512
7331d1f6882924cb56f0b17155d568fc49859b334661d507c8321a235c4141b360a8e8bd8944348720753420e05e44f430c62e034695f2642eb4a819ad4cb855

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
33289deb1733366061fcdc78bd475423

SHA1
0538498f04e0e519a5c828a025a8c8e12bbffa67

SHA256
f160c1dd86e0079c16d22c04d61c6f8af9c087c83d13a7fb2f9edb1e71ce7c2c

SHA512
d68b9e371d2fd010d7936523b6767311e8464f054b29f298e0c208c2369c4dd3bc4ac5776135b1fe78505f973b985b342272cb5ca7be98713df1e09b2dad58ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiywmu.exe

Filesize
448KB

MD5
0b8109631541d85dab9d024f5b61ce4a

SHA1
e0aea305446f06fb117e0d96cd7684555372b715

SHA256
00cf1e17414ac8ea55a789d0730538db06a158a1b40903949e4b2e9a240e64bb

SHA512
d65f29f6dd1160ad92efbca7d1d29c8ae8335bf85d552b50c2e81699e2dc148574279a821cfb80ed138b821c64e0f01ff7a6d7afdb52f1ce31d8fe4c10154a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoyvb.exe

Filesize
223KB

MD5
604c58dfe548f4efd2e6ffc471013c5a

SHA1
4bd8bf37f90802f309d9eeecc8363b68fbe0caa8

SHA256
238e1b9538c3191b519a79fba0bb5657b16a0c9b633eed3ef4a1d6abb57d645b

SHA512
289092323b309190c23dbe02ffda393e43a21fc8389db54c29d3fcd049095a74c724de6f44321687e52bb612bc44ab4102e517b00a48c6e712e9e21b78fd8aca

Download Submit
\Users\Admin\AppData\Local\Temp\jeybu.exe

Filesize
448KB

MD5
96e219082d1099c567233833f00d15de

SHA1
39d50cd27b9cd4392d19bbdf26fa6ae5c24e37b0

SHA256
9fb6d63d1926acfe7729b32a5d0d99f3828591b8b5d55aabf2c451f406845f73

SHA512
b3fe6a82afa79bc12b2e694321e73b8f5a0803550cf985cf154c9033aece807f4111d4f269a77ab58bc7354a1d9414b1793a9ee28aa013d969a0e7d6a5344eb9

Download Submit
memory/1740-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1740-26-0x0000000003080000-0x00000000030EE000-memory.dmp

Filesize
440KB

Download
memory/2304-55-0x00000000013E0000-0x0000000001480000-memory.dmp

Filesize
640KB

Download
memory/2304-54-0x00000000013E0000-0x0000000001480000-memory.dmp

Filesize
640KB

Download
memory/2304-53-0x00000000013E0000-0x0000000001480000-memory.dmp

Filesize
640KB

Download
memory/2304-52-0x00000000013E0000-0x0000000001480000-memory.dmp

Filesize
640KB

Download
memory/2304-51-0x00000000013E0000-0x0000000001480000-memory.dmp

Filesize
640KB

Download
memory/2304-47-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2304-44-0x00000000013E0000-0x0000000001480000-memory.dmp

Filesize
640KB

Download
memory/2496-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2496-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2496-7-0x0000000002800000-0x000000000286E000-memory.dmp

Filesize
440KB

Download
memory/2672-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2672-36-0x0000000002EE0000-0x0000000002F80000-memory.dmp

Filesize
640KB

Download
memory/2672-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download