urelas | d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe
Size

113KB
MD5

ff10385250e75dd03e1d52b24afe366f
SHA1

117feb2ae62db3e9bb9d9a21d2e8cf54df9d832c
SHA256

d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16
SHA512

dfbddb01628eabd718795cbc4709e7d894021490def8f90e0cfa52594c371714fa451ee40dad87f2cb5d63b526402a9b04342882d2dd81f780221806da4ab433
SSDEEP

1536:mCnrJLwAXDtIBcUyk+8CooNvy3GNbcq7+sWjcdgy64TNSeb:htpCP+/oGvWSldgy64TNSeb

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2492 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2948 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe

pid process

3008 d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2492	cmd.exe

pid	process
2948	biudfw.exe

pid	process
3008	d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe

description	pid	process	target process
PID 3008 wrote to memory of 2948	3008	d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe	biudfw.exe
PID 3008 wrote to memory of 2948	3008	d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe	biudfw.exe
PID 3008 wrote to memory of 2948	3008	d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe	biudfw.exe
PID 3008 wrote to memory of 2948	3008	d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe	biudfw.exe
PID 3008 wrote to memory of 2492	3008	d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe	cmd.exe
PID 3008 wrote to memory of 2492	3008	d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe	cmd.exe
PID 3008 wrote to memory of 2492	3008	d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe	cmd.exe
PID 3008 wrote to memory of 2492	3008	d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe
"C:\Users\Admin\AppData\Local\Temp\d5c79880d6c7618cbc1ea237cd79d7871fd1f4a5730a56ba98415fe6c7e2eb16.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f0d42f2e44d35f66afa6c7a98d053021

SHA1
f874284acb7ed4b80e2733ed4f66656bd2c5447d

SHA256
d2060822260cd38f5fc68b1f3b9f9b787b250e1a9fa417be79cdc692ca066f8d

SHA512
d5b9a5e504276623574ba2c16e6d305c86b20ff3e6353dbe251e04287583c27d825fddfe4325530c249cc95ddd3e0674c86acdf2e7f4bd3c3404eab51c022a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
2d1a47bf73082e7639fb5217367ed5e4

SHA1
0a8e244cc7969df1d79aed3d5674da4e2f000961

SHA256
c5c0271d7c1fe0ff8f08cbd67d1e08746c84e6504e8f9f6d4b10e0a90d023a74

SHA512
3a38b71091fb890a3c56fcc48cf84143ea8737dd24c493b473da4cdfff96db3bbacfb9752388fa52fb8cc6aee1edc0170f84dd9afcf30f8d0bf2e99c7b694de0

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
113KB

MD5
3e3d128ed101fb300a3aca194c440e47

SHA1
f476079b26f7e51eeb8967077e8c8c2c35146000

SHA256
967844f27e67d18c37b1627d4bcde51b0991a55145e74d45669134c54f81e833

SHA512
e4154ecf8d2a2afde737329feb9c36fa7545c2adbdb9bfcbf4dec61aad9027894dfd82996ff99bf8b4252c8624dd105a4378758595a7719185924ffafd3fd822

Download Submit
memory/2948-11-0x00000000008C0000-0x00000000008E7000-memory.dmp

Filesize
156KB

Download
memory/2948-21-0x00000000008C0000-0x00000000008E7000-memory.dmp

Filesize
156KB

Download
memory/3008-0-0x0000000001170000-0x0000000001197000-memory.dmp

Filesize
156KB

Download
memory/3008-7-0x00000000004B0000-0x00000000004D7000-memory.dmp

Filesize
156KB

Download
memory/3008-18-0x0000000001170000-0x0000000001197000-memory.dmp

Filesize
156KB

Download