urelas | 7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe
Size

349KB
MD5

248149186ee11d00ed6e4166495fb1f3
SHA1

8c9d2e1f12e504ce54f7f4e0aa04f9213dff5f6e
SHA256

7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778
SHA512

456e5377812dcb8926f9c4588c9a0fd91b41c2e2cb6409b257625f649e48d9b53851a5046236ac2d5ef6df3d98922a19dd550c4650335d0b7e6afd37a9119784
SSDEEP

6144:SaVKyyzwbnUkoiqwcAR92o29tZTEr6UTdO5CksxCDy9pPbzBHU2ytluFn7:g7yUTihRQhE9ONs46pP3BHUbtE7

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2492	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2688	piuhv.exe
2276	roqye.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe
2688	piuhv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe
2276	roqye.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2688	1728	7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe	29
PID 1728 wrote to memory of 2688	1728	7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe	29
PID 1728 wrote to memory of 2688	1728	7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe	29
PID 1728 wrote to memory of 2688	1728	7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe	29
PID 1728 wrote to memory of 2492	1728	7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe	30
PID 1728 wrote to memory of 2492	1728	7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe	30
PID 1728 wrote to memory of 2492	1728	7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe	30
PID 1728 wrote to memory of 2492	1728	7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe	30
PID 2688 wrote to memory of 2276	2688	piuhv.exe	34
PID 2688 wrote to memory of 2276	2688	piuhv.exe	34
PID 2688 wrote to memory of 2276	2688	piuhv.exe	34
PID 2688 wrote to memory of 2276	2688	piuhv.exe	34

C:\Users\Admin\AppData\Local\Temp\7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe
"C:\Users\Admin\AppData\Local\Temp\7eaa919c50e3132fb83df3e017ca6c903d204ff6874908ab36a5f901d3103778.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\piuhv.exe
  "C:\Users\Admin\AppData\Local\Temp\piuhv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\roqye.exe
    "C:\Users\Admin\AppData\Local\Temp\roqye.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
9a92e07ea777eb97fe5daa1c1c8510c4

SHA1
ffde2cec0f30a2ffdf8eab8bc0695faad7b804bf

SHA256
eaf6b41f4bbc35a3282790d69cba7950d818d619592c4163da9dc087e9ec634b

SHA512
9e6798b78c16a57b2d0d6e88fa3885168050a936791d99899f7493d5eedef108dadbc312e1908431b79d60cf3e20e7dc9477bd882646e2f845f5e9c50dba1bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e8c8ac917099bfc4ed0eea3866bfb03e

SHA1
e79cc47f68f0c7261bbab618b46917e2a9924661

SHA256
345bfe79c398ea573df7d35b25a4dc586c78516d1ea6aca5f05c7ddda72d19b0

SHA512
0559566874652df97efd2c89077008c87b24fa726813312725119c0e189795335f89a69baeff71b8d66659b28c3b264e385f6d92039bc2430c38287eb165c842

Download Submit
C:\Users\Admin\AppData\Local\Temp\roqye.exe

Filesize
244KB

MD5
f3f7ba680ac32e54a9872065c3a638a3

SHA1
90c787935bf6c1a4ffe3a87db6ddc937eee98794

SHA256
f21d4b862c2a570b7593a62c1b9fc50d23e7d7d48944d86c390c158b1a4fd9d0

SHA512
a6db8d63a668071193f9046c1448703356d66382690f9b72a1ba85bbf24f825e50f4808f4b18cb0caeb5744781fac0a31af22f10d55425f70438ace1afdd1b0e

Download Submit
\Users\Admin\AppData\Local\Temp\piuhv.exe

Filesize
349KB

MD5
38776f0f894be2ff771743b68541859e

SHA1
633aede71edaf256dcfb8c29e1e66294628bb312

SHA256
44cbe2d268b0fbe10c36382fab36a21b04536a37ff07f34398711339c349f6a1

SHA512
94be88e135d9c60507fd8b3092c0bf7e1f7ab79da938899603fe53c57a4b896354d2e05ecf82cfaa49264766af5546cd267f7430700369d0eedf4e440a869d02

Download Submit
memory/1728-8-0x00000000011C0000-0x0000000001281000-memory.dmp

Filesize
772KB

Download
memory/1728-0-0x00000000012C0000-0x0000000001381000-memory.dmp

Filesize
772KB

Download
memory/1728-17-0x00000000012C0000-0x0000000001381000-memory.dmp

Filesize
772KB

Download
memory/2276-40-0x0000000000F80000-0x000000000103A000-memory.dmp

Filesize
744KB

Download
memory/2276-37-0x0000000000F80000-0x000000000103A000-memory.dmp

Filesize
744KB

Download
memory/2276-39-0x0000000000F80000-0x000000000103A000-memory.dmp

Filesize
744KB

Download
memory/2276-41-0x0000000000F80000-0x000000000103A000-memory.dmp

Filesize
744KB

Download
memory/2276-42-0x0000000000F80000-0x000000000103A000-memory.dmp

Filesize
744KB

Download
memory/2276-43-0x0000000000F80000-0x000000000103A000-memory.dmp

Filesize
744KB

Download
memory/2688-21-0x00000000009C0000-0x0000000000A81000-memory.dmp

Filesize
772KB

Download
memory/2688-35-0x00000000009C0000-0x0000000000A81000-memory.dmp

Filesize
772KB

Download
memory/2688-18-0x00000000009C0000-0x0000000000A81000-memory.dmp

Filesize
772KB

Download