urelas | 4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe
Size

337KB
MD5

54dce344fec2b8728cb8234ad8754db8
SHA1

308d53f9ae77fef90aa5778532193dcf160e5a99
SHA256

4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da
SHA512

9a95176008c68343b7d632fff7c5cfbaece0c1552db979013102cc449b38bbcaa3b229c485f2a155dffb6e8dcfc6ec41e6a9c3ab1aab9e5813f6c347e9ea4f96
SSDEEP

6144:yty5fbpxDuMcHYwt1gxloqtaE5iWbUMqfn8EijRUNafrHBw/gqr4bF:ytCLD7+51gxeq3gOU9EEQrhMgqM5

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2124	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1696	zyjin.exe
2636	ujtuof.exe
2772	vuryc.exe

Loads dropped DLL 5 IoCs

pid	Process
2152	4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe
2152	4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe
1696	zyjin.exe
1696	zyjin.exe
2636	ujtuof.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe
2772	vuryc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1696	2152	4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe	28
PID 2152 wrote to memory of 1696	2152	4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe	28
PID 2152 wrote to memory of 1696	2152	4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe	28
PID 2152 wrote to memory of 1696	2152	4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe	28
PID 2152 wrote to memory of 2124	2152	4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe	29
PID 2152 wrote to memory of 2124	2152	4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe	29
PID 2152 wrote to memory of 2124	2152	4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe	29
PID 2152 wrote to memory of 2124	2152	4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe	29
PID 1696 wrote to memory of 2636	1696	zyjin.exe	31
PID 1696 wrote to memory of 2636	1696	zyjin.exe	31
PID 1696 wrote to memory of 2636	1696	zyjin.exe	31
PID 1696 wrote to memory of 2636	1696	zyjin.exe	31
PID 2636 wrote to memory of 2772	2636	ujtuof.exe	34
PID 2636 wrote to memory of 2772	2636	ujtuof.exe	34
PID 2636 wrote to memory of 2772	2636	ujtuof.exe	34
PID 2636 wrote to memory of 2772	2636	ujtuof.exe	34
PID 2636 wrote to memory of 2848	2636	ujtuof.exe	35
PID 2636 wrote to memory of 2848	2636	ujtuof.exe	35
PID 2636 wrote to memory of 2848	2636	ujtuof.exe	35
PID 2636 wrote to memory of 2848	2636	ujtuof.exe	35

C:\Users\Admin\AppData\Local\Temp\4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe
"C:\Users\Admin\AppData\Local\Temp\4c8c9dd30ab0a823ab6863a6127e183e981cfe1f5d9793c71999fb6a1652c3da.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\zyjin.exe
  "C:\Users\Admin\AppData\Local\Temp\zyjin.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\ujtuof.exe
    "C:\Users\Admin\AppData\Local\Temp\ujtuof.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\vuryc.exe
      "C:\Users\Admin\AppData\Local\Temp\vuryc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
43471dd271866a55154d01d18a81caf4

SHA1
40845b12c31484645df3363144833abb5fa09dcf

SHA256
ae681b87112e0874c543e4b5da3350dd0cdaa5ef0557337662778593f6e69730

SHA512
94e73b729f2b2577848d9f610e019d69ace30f623ecdc83820203b35606e75ec0c7ae6162644399302f74fe9b9c1c3292581f5128442be2d89e1a4d2469a3921

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
d34c96e184c607340500b245308e9e35

SHA1
e6a8ee7f7878be4a04ce08e457c94db352ebddca

SHA256
3b4239573c618538c8f95303da4acba89bd3a14e7d52bef45d258b357ccd6b56

SHA512
8b3c7fbc127cc9735d8226a7913668725dacdfaa05b72ab85bef613d5937d2ba92abb87379271bab35d255d264586096c9d86ec2f1a74f06b7a0897584628b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
70fb0345c480131e7b6e23f7ea1a819f

SHA1
520ccbefcc39f0c00faef45bae501049e2f202d4

SHA256
f1386cabb0de9436216121774ccde8e23662e781129c17750939db08068edf76

SHA512
6ffb20ec93b2f64f215d2376619fed01e3e428026e3601ee9251ceeaa2e4f77f828f981b43a9fcc2ba09291df041ecc5c68b09700fcb94a2289725a0fa07ed95

Download Submit
\Users\Admin\AppData\Local\Temp\ujtuof.exe

Filesize
337KB

MD5
1a2de776dad4c7386e94fb6624589c48

SHA1
9f888e4c4562ad39d0bf69b6dfe2f170e1832bf4

SHA256
5596d2b7fe4ee3d0fc092e68c34198fd7b80c21c725df473fd3d91c3bb3cee59

SHA512
b012bf014f7ab424b4533663e7b9cd61668daba7c47651f3587d7e33717cbad0391ce9ce0371f27cb847af160a0644075c570af6e231a4fe0387b38611eae787

Download Submit
\Users\Admin\AppData\Local\Temp\vuryc.exe

Filesize
223KB

MD5
1a04ed4bee07796cd6874ac1fcde48e2

SHA1
4752f6a3530b8d2f368f1f1766b3a173226a49b3

SHA256
ca80673b158e1b39571f3663d97ac80771bf0fca7a5265f72b481dad0e40d983

SHA512
c0028d3ac71febad55cf20969d088d71febe48302cfa239398bf3ecc1bc618e9b24cdbdfcc046bca5d36aea80451edcde9787fdf0fc41eefec81c33fc2896368

Download Submit
\Users\Admin\AppData\Local\Temp\zyjin.exe

Filesize
337KB

MD5
714632aa961564ecf15dc5faa25bddaa

SHA1
324dfe20ec7f2fd00e92ea4f6725e7bbaa9fd993

SHA256
30e97a78065bb9ff645d32ef51422396ec3ec4fc9a42d605c6dfc643c576a2c3

SHA512
5ce61fb25b6e646f4bd9eabd8272419d5c2df6a11e66a5385748636200261701e9f9c206136907e501042ebb68dbcc42c11a4dd41f67b211a60d32ca1267f56f

Download Submit
memory/1696-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1696-34-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2152-21-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2152-19-0x0000000002BD0000-0x0000000002C37000-memory.dmp

Filesize
412KB

Download
memory/2152-6-0x0000000002BD0000-0x0000000002C37000-memory.dmp

Filesize
412KB

Download
memory/2152-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2636-36-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2636-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2636-52-0x0000000003200000-0x00000000032A0000-memory.dmp

Filesize
640KB

Download
memory/2636-61-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2772-62-0x0000000000840000-0x00000000008E0000-memory.dmp

Filesize
640KB

Download
memory/2772-63-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2772-67-0x0000000000840000-0x00000000008E0000-memory.dmp

Filesize
640KB

Download
memory/2772-68-0x0000000000840000-0x00000000008E0000-memory.dmp

Filesize
640KB

Download
memory/2772-69-0x0000000000840000-0x00000000008E0000-memory.dmp

Filesize
640KB

Download
memory/2772-70-0x0000000000840000-0x00000000008E0000-memory.dmp

Filesize
640KB

Download
memory/2772-71-0x0000000000840000-0x00000000008E0000-memory.dmp

Filesize
640KB

Download