urelas | 5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
21-06-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe
Size

73KB
MD5

63ca74b30001f2d7debbb7a1fc8fe491
SHA1

1fcac20f88719f1a912f9af40b6a9e4919f90f15
SHA256

5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a
SHA512

a2baa7c846b1000c4073b818fc478e98dcb534a7242a19eeee22e87dd493b2bbffbb19ea21cef5046989a071e7b0eb6e876b4e93e9e6c134f815224829568c20
SSDEEP

1536:JgajdM0t2hl9ET9xBOz3BODtysTHFQJmGh/ty:X32h7yxBGmtHQUGhFy

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

121.88.5.184

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2120 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

opert.exe

pid process

1960 opert.exe
Loads dropped DLL 1 IoCs

Processes:

5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe

pid process

1992 5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2120	cmd.exe

pid	process
1960	opert.exe

pid	process
1992	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe

description	pid	process	target process
PID 1992 wrote to memory of 1960	1992	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	opert.exe
PID 1992 wrote to memory of 1960	1992	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	opert.exe
PID 1992 wrote to memory of 1960	1992	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	opert.exe
PID 1992 wrote to memory of 1960	1992	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	opert.exe
PID 1992 wrote to memory of 2120	1992	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	cmd.exe
PID 1992 wrote to memory of 2120	1992	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	cmd.exe
PID 1992 wrote to memory of 2120	1992	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	cmd.exe
PID 1992 wrote to memory of 2120	1992	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe
"C:\Users\Admin\AppData\Local\Temp\5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\opert.exe
"C:\Users\Admin\AppData\Local\Temp\opert.exe"
2⤵
- Executes dropped EXE
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
6735bbe93159782090eb9c49dde676c6

SHA1
6edec7009f27d90d36081a9d4a05fc6e6bde28e2

SHA256
f8925f72b19e3a2e14ebfda83d63a10e4a6f218d84cc30fb738caa9a575e1217

SHA512
8c85cef74bcd042b528424c1b99149bf5374c428f61a5f3c99e4f42460453b7a36cd0edbf8f76a042432800ee93916a7650b55e41d06f51566ad2cf3d69be696

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
338B

MD5
17fe8377b691db4d279b7f52dd16d0bc

SHA1
7053710e04c73c4e962dc91d09119696b4853ba2

SHA256
f038f36f538fd3a16cc2086f51c66256a80603e2c941a123e2de9e86836f6d20

SHA512
757067c28e180ba628314be75936941dd6ff28a80f40058766d5ccc29a736beccedb3513f717d05cc0a58c7e4a4760093e5c580472610246da313ec0deea45cf

Download Submit
\Users\Admin\AppData\Local\Temp\opert.exe
Filesize
73KB

MD5
63ca74b30001f2d7debbb7a1fc8fe491

SHA1
1fcac20f88719f1a912f9af40b6a9e4919f90f15

SHA256
5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a

SHA512
a2baa7c846b1000c4073b818fc478e98dcb534a7242a19eeee22e87dd493b2bbffbb19ea21cef5046989a071e7b0eb6e876b4e93e9e6c134f815224829568c20

Download Submit
memory/1960-18-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1960-17-0x0000000000170000-0x000000000019F000-memory.dmp

Filesize
188KB

Download
memory/1960-24-0x0000000000170000-0x000000000019F000-memory.dmp

Filesize
188KB

Download
memory/1960-26-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1960-31-0x0000000000170000-0x000000000019F000-memory.dmp

Filesize
188KB

Download
memory/1992-0-0x0000000000800000-0x000000000082F000-memory.dmp

Filesize
188KB

Download
memory/1992-1-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1992-16-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/1992-21-0x0000000000800000-0x000000000082F000-memory.dmp

Filesize
188KB

Download