urelas | 451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe
Size

63KB
MD5

e725484c9776a8565bf009f1f4135e04
SHA1

eff2d00e6483e9a5cc3868c8047e1015cf2ede94
SHA256

451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577
SHA512

36005f9188256801502a336ac2702a5e3ce1fb1f4260172fa291f0061f15bf17b73bab3fb4326a19ecd3afc5236d09ce83e74bccf7fbebf964490fcb225da08b
SSDEEP

1536:6bQx5oPsr2vFxDPhAvzgAQzFZ77MzeTmUDv:6bQRSHpAvzyf7MzeThDv

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2900 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2132 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe

pid process

2540 451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2900	cmd.exe

pid	process
2132	biudfw.exe

pid	process
2540	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe

description	pid	process	target process
PID 2540 wrote to memory of 2132	2540	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	biudfw.exe
PID 2540 wrote to memory of 2132	2540	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	biudfw.exe
PID 2540 wrote to memory of 2132	2540	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	biudfw.exe
PID 2540 wrote to memory of 2132	2540	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	biudfw.exe
PID 2540 wrote to memory of 2900	2540	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	cmd.exe
PID 2540 wrote to memory of 2900	2540	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	cmd.exe
PID 2540 wrote to memory of 2900	2540	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	cmd.exe
PID 2540 wrote to memory of 2900	2540	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe
"C:\Users\Admin\AppData\Local\Temp\451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Filesize
64KB

MD5
085dc26875e66bf4728c3690c28d9639

SHA1
195c218367e8298814abd3820d795b8217265b53

SHA256
c425d1ed91b4ccebb234b17c80bd8cc6578e358330c950d9277518e0e60e9ce9

SHA512
f525f26e70ff9370b6db347ae998706c9d0043f81901dee0c47c2abb74de396184348828db30e90530d08425eae52362a702ea1a55c4effd346ac9a224f7daac

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
efd90b3ac908d5482af367de3a82184a

SHA1
de9f01d2ed0247b7b347e55c5a09721a60147fb9

SHA256
44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d

SHA512
6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
338B

MD5
f06a161a5225aca7be536128b321576e

SHA1
8635b13a7f20f888d77a2260b4c0daedf843f40c

SHA256
9a9927963e030a526a13501ab7e65ecc5af3178204e757342184bbb128a92362

SHA512
8be45fd2b0917e56e402e0e3ee3b7ddd2cc42b5eb4a1dd64a9cf336e95f96dad3a9c8fb7eea5803c5764db415e5698b66ceacbc5dfa7407583d378c53ce8368d

Download Submit
memory/2132-10-0x0000000000F40000-0x0000000000F65000-memory.dmp

Filesize
148KB

Download
memory/2132-22-0x0000000000F40000-0x0000000000F65000-memory.dmp

Filesize
148KB

Download
memory/2132-24-0x0000000000F40000-0x0000000000F65000-memory.dmp

Filesize
148KB

Download
memory/2132-31-0x0000000000F40000-0x0000000000F65000-memory.dmp

Filesize
148KB

Download
memory/2540-0-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/2540-9-0x0000000000560000-0x0000000000585000-memory.dmp

Filesize
148KB

Download
memory/2540-19-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download