urelas | 9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe
Size

520KB
MD5

7aeb4fb5521d15566fbc495db4b72cc1
SHA1

a0239f1af6ce25d4e4837a9ff7ef1ee03a11c11b
SHA256

9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37
SHA512

c3eec6503f28ee2af019ea9db49987ab5cc69737816351e6c060c7504d7566163ea45d5559a805a60f43753d27738b4c2395894d47afd43bab626984243bb22d
SSDEEP

12288:1dOLKTCqqwXCcdgT89+MvA+BisqYpxHtW:1AlQC+fs0M

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2108	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2160	nuegl.exe
2148	qeavv.exe

Loads dropped DLL 2 IoCs

pid	Process
2856	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe
2160	nuegl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe
2148	qeavv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2160	2856	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	28
PID 2856 wrote to memory of 2160	2856	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	28
PID 2856 wrote to memory of 2160	2856	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	28
PID 2856 wrote to memory of 2160	2856	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	28
PID 2856 wrote to memory of 2108	2856	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	29
PID 2856 wrote to memory of 2108	2856	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	29
PID 2856 wrote to memory of 2108	2856	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	29
PID 2856 wrote to memory of 2108	2856	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	29
PID 2160 wrote to memory of 2148	2160	nuegl.exe	33
PID 2160 wrote to memory of 2148	2160	nuegl.exe	33
PID 2160 wrote to memory of 2148	2160	nuegl.exe	33
PID 2160 wrote to memory of 2148	2160	nuegl.exe	33

C:\Users\Admin\AppData\Local\Temp\9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe
"C:\Users\Admin\AppData\Local\Temp\9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\nuegl.exe
  "C:\Users\Admin\AppData\Local\Temp\nuegl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\qeavv.exe
    "C:\Users\Admin\AppData\Local\Temp\qeavv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3f95bdbc3a47d2059509649c45fea216

SHA1
b0306d47dc9b09b7a9eac56a20896e4b86a13bdb

SHA256
e8facd23218ac24a5f5788d7dfc811b8bc4e0775a9d35ad23740b9d6526200d5

SHA512
3a52f2da96e72a59c6f72011d662f22692cfc76abe370ee0ea316bfbfe4db6a3bd9f67b7f37d0794a292210749742c81ef21208492aa15b1425111f4f754993b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f9511d9ce55797a06c0abdeabf89628e

SHA1
d05215304a02a87d707f584f52701016d549466d

SHA256
fe2220917937a327b68ca8f80ebadd3d93aa801a6edb302b9d31a8457d6985b1

SHA512
bd9cce334628a1d2fe482b555058fb7acb54f2630c4e7e06972e6f2e1f9efd46101eb4ed6ec9d1f2343546469c6fe20d8af55500851b7662423537a078355e92

Download Submit
\Users\Admin\AppData\Local\Temp\nuegl.exe

Filesize
520KB

MD5
65402f2d2ae03b9c89b8e48580636e0f

SHA1
3499d2c887ac605d9ba4cf1fec0bb076380daf24

SHA256
b9dd188a866c41388afd933fb33bc7d49cb551e3a194caa2b0b0319c1b79f1c2

SHA512
418698235d7c291fa5cbe793febab5be8795b88b5dd77e062a2d1757d6938cb978b74e34387f589f6162d454b80c5677b04d96059664a046eecde7e2fd9b13e8

Download Submit
\Users\Admin\AppData\Local\Temp\qeavv.exe

Filesize
241KB

MD5
10835ed45f7c6d193e71cf624642e79d

SHA1
c8736f012f9c194e3c9865b13383dd351fb99d1e

SHA256
9cac43bf1cb546ca4bdb706f449e681570ce9ddc291c27410cbc604bfd16c8cd

SHA512
0a52e4a1b161f93b838e0dc1feae7b1a973deb97c74aa5e0050ac97dd2d0439f79550fa2a494ce73c2e464eae993d9a4d44bdb9842488ff0267b257b92d54a0d

Download Submit
memory/2148-32-0x0000000000CB0000-0x0000000000D66000-memory.dmp

Filesize
728KB

Download
memory/2148-39-0x0000000000CB0000-0x0000000000D66000-memory.dmp

Filesize
728KB

Download
memory/2148-38-0x0000000000CB0000-0x0000000000D66000-memory.dmp

Filesize
728KB

Download
memory/2148-37-0x0000000000CB0000-0x0000000000D66000-memory.dmp

Filesize
728KB

Download
memory/2148-36-0x0000000000CB0000-0x0000000000D66000-memory.dmp

Filesize
728KB

Download
memory/2148-35-0x0000000000CB0000-0x0000000000D66000-memory.dmp

Filesize
728KB

Download
memory/2148-33-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2160-31-0x0000000003580000-0x0000000003636000-memory.dmp

Filesize
728KB

Download
memory/2160-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2160-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2160-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2856-1-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2856-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2856-11-0x0000000002A80000-0x0000000002B06000-memory.dmp

Filesize
536KB

Download
memory/2856-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download