urelas | 19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe
Size

589KB
MD5

1eb26069580f7ab03e1121f479892e16
SHA1

47a4edfcacd3e4538a17f60a8f0714b70cac7ac4
SHA256

19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce
SHA512

5b8cbab02964aae8c63e0a4f0a308282b1d640f8a7a6a3d8f3e7429edc860d2d12233b6369b83257084fc1da08dd63c685d3d225bcc7a6b2e261d50d5c4373fb
SSDEEP

6144:+ajY1oC+/U8Vjlx4kk9HKda4L38+V8hpdoSQbQFsrF1W/h84IrV7mMpH8zQW4jQx:OOlx4kk9HKda4Y+WoSiQi4kVdcQzjo

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/3000-0-0x0000000000400000-0x00000000004C0000-memory.dmp	UPX
behavioral1/files/0x0037000000015c9b-4.dat	UPX
behavioral1/memory/2992-15-0x0000000000400000-0x00000000004C0000-memory.dmp	UPX
behavioral1/memory/3000-17-0x0000000000400000-0x00000000004C0000-memory.dmp	UPX
behavioral1/memory/2992-20-0x0000000000400000-0x00000000004C0000-memory.dmp	UPX
behavioral1/memory/2992-26-0x0000000000400000-0x00000000004C0000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2992	waibh.exe
2388	zokim.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe
2992	waibh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3000-0-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/files/0x0037000000015c9b-4.dat	upx
behavioral1/memory/2992-15-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3000-17-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2992-20-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2992-26-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe
2388	zokim.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2388	zokim.exe
Token: SeIncBasePriorityPrivilege	2388	zokim.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2992	3000	19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe	28
PID 3000 wrote to memory of 2992	3000	19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe	28
PID 3000 wrote to memory of 2992	3000	19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe	28
PID 3000 wrote to memory of 2992	3000	19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe	28
PID 3000 wrote to memory of 2608	3000	19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe	29
PID 3000 wrote to memory of 2608	3000	19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe	29
PID 3000 wrote to memory of 2608	3000	19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe	29
PID 3000 wrote to memory of 2608	3000	19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe	29
PID 2992 wrote to memory of 2388	2992	waibh.exe	33
PID 2992 wrote to memory of 2388	2992	waibh.exe	33
PID 2992 wrote to memory of 2388	2992	waibh.exe	33
PID 2992 wrote to memory of 2388	2992	waibh.exe	33

C:\Users\Admin\AppData\Local\Temp\19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe
"C:\Users\Admin\AppData\Local\Temp\19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\waibh.exe
  "C:\Users\Admin\AppData\Local\Temp\waibh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\zokim.exe
    "C:\Users\Admin\AppData\Local\Temp\zokim.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
272dd93523598bd45f86eb88c875f853

SHA1
ebe5f28a9a8d6b621b739c0383253bb7bb728327

SHA256
6f62508d93820aef7d16ab7076a3de7c7d5f4e49bf8a51877e3ad4d3da33c935

SHA512
0799a8a44cf5c7e6e05ef6924923ae3e2652860cfc4c34f384094cb1df4a8096315df75fb1a41f3e73e2e4353dfdd950da934677f2914a882639517320a7beb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
842ffe91fde55f6eba8752e3dc1dd523

SHA1
4b69cd894f810683d6ae0e54a03af2981f9446b7

SHA256
5411a3f7f64dd82d0707aea619800c9bc517b4864941daf82815d0eafd8eaa04

SHA512
0944a65985a550e6eec7be48aa7fd4be97ec042ee4729ed9ca04f305569df1852c2ed1055d7ff99522acead512387a1561ab770b3aa046585794480fe6d3c0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zokim.exe

Filesize
201KB

MD5
f6c8efaf0ac910f296a3773e2ccfeb4d

SHA1
4eca01488490234771a3e4dd92632e9480b46dca

SHA256
097dfa224c376751e8f7652e3e074089299b1fe36ca6c96e73f819b9c5651822

SHA512
0cb2371406b05f36f8493bad6ba69218943d169b6c6ef37b925df0482d8297cc8d9495bab9819309582a1ea6df2d7183c390cf04a08eaecd0273470255103f86

Download Submit
\Users\Admin\AppData\Local\Temp\waibh.exe

Filesize
589KB

MD5
49e3d03861114120d5524e33fefe367b

SHA1
4f0fff0a7634a77b200cd32e72c540f6b1e05568

SHA256
31e8459fae461f93c7c8abcf9a76e4a47a3514a779eabb393dd18ddb43e4ea27

SHA512
c38abdd636e99ee3c17add2ca005588432289dd68c90c75521b93110b437f706c4f65df046e02d56d28b96aa3059edabb6db31e671ca6a141996a0f8f0442e64

Download Submit
memory/2388-28-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2388-30-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2388-31-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2388-32-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2388-33-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2388-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2992-20-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2992-15-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2992-26-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3000-17-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3000-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download