urelas | 241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17

General

Target

241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe
Size

308KB
MD5

0c7f2705b8b8579ef2e66ae106918bb6
SHA1

dfd1a2c305bbd96be8901c7e5c17db39ea0d6c99
SHA256

241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17
SHA512

029ea391e60cc0f97e55fd8e9f27fbf6aa1493939c1335d2befb556a919a5b9cb442d6621af81178ef8446ca45fd87bdcb619e8af6ead92739c25b75bcaac96c
SSDEEP

3072:dQisJFjI/DmZwx0eJSUbx3ECbZS42t8sJ4yYdfp4Qz28h+0W6Y4704jGopBhjo:dQi+reSUbnbA8VKQq8hpW6p75PpBhjo

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2268 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

cuduw.exewuenzo.execovyw.exe

pid process

2068 cuduw.exe
2688 wuenzo.exe
1984 covyw.exe

pid	process
2268	cmd.exe

pid	process
2068	cuduw.exe
2688	wuenzo.exe
1984	covyw.exe

Loads dropped DLL 5 IoCs

Processes:

241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.execuduw.exewuenzo.exe

pid	process
1780	241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe
1780	241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe
2068	cuduw.exe
2068	cuduw.exe
2688	wuenzo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

covyw.exe

pid	process
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe
1984	covyw.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.execuduw.exewuenzo.exe

description	pid	process	target process
PID 1780 wrote to memory of 2068	1780	241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe	cuduw.exe
PID 1780 wrote to memory of 2068	1780	241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe	cuduw.exe
PID 1780 wrote to memory of 2068	1780	241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe	cuduw.exe
PID 1780 wrote to memory of 2068	1780	241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe	cuduw.exe
PID 1780 wrote to memory of 2268	1780	241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe	cmd.exe
PID 1780 wrote to memory of 2268	1780	241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe	cmd.exe
PID 1780 wrote to memory of 2268	1780	241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe	cmd.exe
PID 1780 wrote to memory of 2268	1780	241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe	cmd.exe
PID 2068 wrote to memory of 2688	2068	cuduw.exe	wuenzo.exe
PID 2068 wrote to memory of 2688	2068	cuduw.exe	wuenzo.exe
PID 2068 wrote to memory of 2688	2068	cuduw.exe	wuenzo.exe
PID 2068 wrote to memory of 2688	2068	cuduw.exe	wuenzo.exe
PID 2688 wrote to memory of 1984	2688	wuenzo.exe	covyw.exe
PID 2688 wrote to memory of 1984	2688	wuenzo.exe	covyw.exe
PID 2688 wrote to memory of 1984	2688	wuenzo.exe	covyw.exe
PID 2688 wrote to memory of 1984	2688	wuenzo.exe	covyw.exe
PID 2688 wrote to memory of 2364	2688	wuenzo.exe	cmd.exe
PID 2688 wrote to memory of 2364	2688	wuenzo.exe	cmd.exe
PID 2688 wrote to memory of 2364	2688	wuenzo.exe	cmd.exe
PID 2688 wrote to memory of 2364	2688	wuenzo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe
"C:\Users\Admin\AppData\Local\Temp\241579ff52743523cf5cb6a1cff63a7cfab869f3000593a3a88aa89061d0fb17.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\cuduw.exe
  "C:\Users\Admin\AppData\Local\Temp\cuduw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\wuenzo.exe
    "C:\Users\Admin\AppData\Local\Temp\wuenzo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\covyw.exe
      "C:\Users\Admin\AppData\Local\Temp\covyw.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f7f29753779913c2032652c682dfbaaa

SHA1
418bbfd7eab16f2cc9c6a0ba6afb23b868b2c0c1

SHA256
1af75e132e4e074a796052267e66c690514da9092ade54fc6a3ec969e94f492d

SHA512
7f6711a39ad474c240a845e06559fe14f3cefc809ba3d85cec05c57065906af9859e3a22ed1898f0a605b6e6f0ff23861fa7f142b06a925c965ed39bf9234746

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
d00d6d5c9eb714bee5b53c1c61f7b120

SHA1
e793cae26a4c74eb658c463a7191e57b00784320

SHA256
efc3b97fe4f8f20d2edc0448336276c5866231e14ef327abe97c519728c6578d

SHA512
b7d684130b59927129d302f40f8fbac4894af2e1a6d0c1fa018b80bfab8cf5bd045abe8a1d5357a18ba14a66fe7a8adc0404a1abec5797546dfcf739a5b8b341

Download Submit
C:\Users\Admin\AppData\Local\Temp\covyw.exe

Filesize
111KB

MD5
47871611a84e0052cddf39fc620d9042

SHA1
ada8b48c875fde07061f413a1510dd8e17a66180

SHA256
097c875a16baa70e7cfe035fcb54396ef29c1e8d8141a89183a086bb8314766d

SHA512
ee566e5fd12957f51697fb6d30c52a6e72a316626862eef684edc50b1282d73c45ac0bb8d378cb6e1a50ec99a3aff4390e91f1ad35021dd92453e68f91b78362

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b817538a54bf150edcb013d9e562fca2

SHA1
3fb853cfc8d4c7c556654b39314fe9b2dc15e989

SHA256
1e169054e1f35a86e7ce7023bea1970628ed94588078265c803f86f889cc1545

SHA512
0d2e847d62fb0843a2e7cab673432188b730787f96643f2ffd276e2b29d043d131aff027d079f5e6fd1267363785b40d08eeceac0badaa10739d04445671ba5e

Download Submit
\Users\Admin\AppData\Local\Temp\cuduw.exe

Filesize
308KB

MD5
bccf83d4cf4c65b4deabdf577eb1d338

SHA1
eb5e27be17ce572a0cf8ebecd817327f6d26173e

SHA256
39115c923b4fde5b4fd0c72e1e3d5fa3d9367d0b4260a52e1d26090464debeed

SHA512
60656ee512b6c060e9eee5f5e4c53b07ab8dcba20c240b3391fcafbde9e3d5480190a72dbfcc73ba3c96596ac447d976121600234ebb61c575153067c865b62b

Download Submit
memory/1780-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1780-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1780-12-0x0000000002BD0000-0x0000000002C1C000-memory.dmp

Filesize
304KB

Download
memory/1984-59-0x0000000000C70000-0x0000000000CF8000-memory.dmp

Filesize
544KB

Download
memory/1984-56-0x0000000000C70000-0x0000000000CF8000-memory.dmp

Filesize
544KB

Download
memory/1984-45-0x0000000000C70000-0x0000000000CF8000-memory.dmp

Filesize
544KB

Download
memory/1984-60-0x0000000000C70000-0x0000000000CF8000-memory.dmp

Filesize
544KB

Download
memory/1984-61-0x0000000000C70000-0x0000000000CF8000-memory.dmp

Filesize
544KB

Download
memory/1984-62-0x0000000000C70000-0x0000000000CF8000-memory.dmp

Filesize
544KB

Download
memory/1984-63-0x0000000000C70000-0x0000000000CF8000-memory.dmp

Filesize
544KB

Download
memory/1984-64-0x0000000000C70000-0x0000000000CF8000-memory.dmp

Filesize
544KB

Download
memory/2068-34-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2068-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2688-35-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2688-54-0x0000000003130000-0x00000000031B8000-memory.dmp

Filesize
544KB

Download
memory/2688-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads