urelas | 4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe
Size

370KB
MD5

b33392085cac871c0419f5dfe397dd88
SHA1

2d960bf4926db71fdb34d9af1e23916919e01738
SHA256

4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad
SHA512

611112722e3c71fb167bbfbc2ccbff808d0c3012d7d2710b9511d84274198c75b42fcba3397c655e73d776c7b8c025b446d24e3d741e7ffd6edcc3ecd399fc8c
SSDEEP

6144:CuJkl8DV12C28tLN2/FkCO0aHftvCGCBhDOHjTPmXHk62p8:CzGL2C2aZ2/F1XaveOHjT4

Score

10^/10

urelas trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Executes dropped EXE 1 IoCs

Processes:

wosur.exe

pid process

2816 wosur.exe

pid	process
2816	wosur.exe

Loads dropped DLL 2 IoCs

Processes:

4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe

pid	process
2372	4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe
2372	4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe

description	pid	process	target process
PID 2372 wrote to memory of 2816	2372	4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe	wosur.exe
PID 2372 wrote to memory of 2816	2372	4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe	wosur.exe
PID 2372 wrote to memory of 2816	2372	4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe	wosur.exe
PID 2372 wrote to memory of 2816	2372	4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe	wosur.exe

C:\Users\Admin\AppData\Local\Temp\4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe
"C:\Users\Admin\AppData\Local\Temp\4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\wosur.exe
"C:\Users\Admin\AppData\Local\Temp\wosur.exe"
2⤵
- Executes dropped EXE
PID:2816

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
b30b85445bc9d2a928e2da9610f46d0c

SHA1
590a7b6bd339fa995a1558912d8c98164b2c53db

SHA256
3fd1cc9bfb63534ffee02c3a9cf4094579c6cd3f571bf52da9270050892c8e31

SHA512
592c54d196662c2288a07d246943208e0ff64f0a1c598798fe8e6fc84bc700665c93dc5affef6c7066a08c2b0ac321030311874cd11caf03fc74bced89011abb

Download Submit
\Users\Admin\AppData\Local\Temp\wosur.exe
Filesize
371KB

MD5
ce37698d5ba4f9004b4ae31788604649

SHA1
641a166e024ef0087d63e94bdce821f0ec86bca7

SHA256
a616c5c1ac351e34d4cc5bae66623bedf1a9714089b00565b4d8e03b3e5e4664

SHA512
166039783e17ae7035f28bd5135e123b1db554369dc5a69acbbf9eddcedee18bbb57b94f01875c90e252d1e9a93f1aab76403a3163d3f98e501141fda60f2e9c

Download Submit