urelas | 97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe
Size

69KB
MD5

5eec26e44af74ee197c86c818695481f
SHA1

53f2cd46774b850c69551851e096e20b089efafb
SHA256

97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b
SHA512

279ca61e3e2faa70b3730c8bcc2f394acc19fa1520ff316fbed54ac6999d7d50b433759e487709ca327168d26fbbcea6f2af3079d23b953362fdde571e225abb
SSDEEP

1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCaraw1:yLAYUzmdD0sMQl7d7IuhCaew

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2448 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

1296 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe

pid process

2156 97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2448	cmd.exe

pid	process
1296	biudfw.exe

pid	process
2156	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe

description	pid	process	target process
PID 2156 wrote to memory of 1296	2156	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	biudfw.exe
PID 2156 wrote to memory of 1296	2156	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	biudfw.exe
PID 2156 wrote to memory of 1296	2156	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	biudfw.exe
PID 2156 wrote to memory of 1296	2156	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	biudfw.exe
PID 2156 wrote to memory of 2448	2156	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	cmd.exe
PID 2156 wrote to memory of 2448	2156	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	cmd.exe
PID 2156 wrote to memory of 2448	2156	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	cmd.exe
PID 2156 wrote to memory of 2448	2156	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe
"C:\Users\Admin\AppData\Local\Temp\97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Filesize
69KB

MD5
1e64ddd4566d8d931266f734a4099eaa

SHA1
599701b5f84cf0249e9250c5a38f81139e73c855

SHA256
1b59632f8c7ff533e83956e1c29e1bccbe5ca496da8eccf6cbd50d83cfb8d301

SHA512
5777a0ed3aa49bf5fd03b2d67f79c75315a1184802c5b8352c53dd2cff05fe59101cde636a896352367ec151a080090b4eb6dc8ba6f253739b7694f923ef274a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
1c9b2720af0ca9528b47898d9c7f4799

SHA1
80495f16e333f54ecc700252323c2a7cb7d751e1

SHA256
d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

SHA512
5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
338B

MD5
625345521209a6c774281d1109201ab6

SHA1
3ce335f49eb6200b2568a3ba378646954950b490

SHA256
00b4b2b4362a89b176fdcf470e51062b3c89bcde54993670c8f251786500093d

SHA512
b3d700cc4ff46909195b4362d3bcbfafab47fb5771bd0c41bea90d29a56d15417870efe4429ce31948e565c42fbf277fc7d468bd8ee63a075897c6d0e05c3b10

Download Submit
memory/1296-17-0x0000000000D90000-0x0000000000DB7000-memory.dmp

Filesize
156KB

Download
memory/1296-22-0x0000000000D90000-0x0000000000DB7000-memory.dmp

Filesize
156KB

Download
memory/1296-24-0x0000000000D90000-0x0000000000DB7000-memory.dmp

Filesize
156KB

Download
memory/1296-30-0x0000000000D90000-0x0000000000DB7000-memory.dmp

Filesize
156KB

Download
memory/2156-0-0x0000000001100000-0x0000000001127000-memory.dmp

Filesize
156KB

Download
memory/2156-15-0x00000000006A0000-0x00000000006C7000-memory.dmp

Filesize
156KB

Download
memory/2156-19-0x0000000001100000-0x0000000001127000-memory.dmp

Filesize
156KB

Download