urelas | 434119bcf36903f160aa3e0099aa9374576f3280190bb4c3e6b9e824446f4cd7

Analysis

max time kernel
67s
max time network
56s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d272f969b47773ba645c703210f4f6a0N.exe
Size

82KB
MD5

d272f969b47773ba645c703210f4f6a0
SHA1

15f02f2147d65ad211c714b8f9d6d0e8f002e410
SHA256

434119bcf36903f160aa3e0099aa9374576f3280190bb4c3e6b9e824446f4cd7
SHA512

fc6f43c35aec0df682fe8f01d499d36357167908afb21e7090f6f804af9663c814620301593f8dff04907234f91d7ee07c6093974782e67c37f8e8005a62d09e
SSDEEP

1536:JmBpNDAoG2kf4F+KfQwHq0NVFXqKseZ656KqBxhKYvonouy8GVUVhzv:8hDAb2VHR5aKsDIbTomAoutGVUVxv

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.183

121.88.5.184

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

620 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

opert.exe

pid process

2500 opert.exe
Loads dropped DLL 1 IoCs

Processes:

d272f969b47773ba645c703210f4f6a0N.exe

pid process

2104 d272f969b47773ba645c703210f4f6a0N.exe

pid	process
620	cmd.exe

pid	process
2500	opert.exe

pid	process
2104	d272f969b47773ba645c703210f4f6a0N.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2104-0-0x0000000001100000-0x0000000001139000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\opert.exe	upx
behavioral1/memory/2500-10-0x0000000000A70000-0x0000000000AA9000-memory.dmp	upx
behavioral1/memory/2104-19-0x0000000001100000-0x0000000001139000-memory.dmp	upx
behavioral1/memory/2500-22-0x0000000000A70000-0x0000000000AA9000-memory.dmp	upx
behavioral1/memory/2500-28-0x0000000000A70000-0x0000000000AA9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d272f969b47773ba645c703210f4f6a0N.exe

description	pid	process	target process
PID 2104 wrote to memory of 2500	2104	d272f969b47773ba645c703210f4f6a0N.exe	opert.exe
PID 2104 wrote to memory of 2500	2104	d272f969b47773ba645c703210f4f6a0N.exe	opert.exe
PID 2104 wrote to memory of 2500	2104	d272f969b47773ba645c703210f4f6a0N.exe	opert.exe
PID 2104 wrote to memory of 2500	2104	d272f969b47773ba645c703210f4f6a0N.exe	opert.exe
PID 2104 wrote to memory of 620	2104	d272f969b47773ba645c703210f4f6a0N.exe	cmd.exe
PID 2104 wrote to memory of 620	2104	d272f969b47773ba645c703210f4f6a0N.exe	cmd.exe
PID 2104 wrote to memory of 620	2104	d272f969b47773ba645c703210f4f6a0N.exe	cmd.exe
PID 2104 wrote to memory of 620	2104	d272f969b47773ba645c703210f4f6a0N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d272f969b47773ba645c703210f4f6a0N.exe
"C:\Users\Admin\AppData\Local\Temp\d272f969b47773ba645c703210f4f6a0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\opert.exe
"C:\Users\Admin\AppData\Local\Temp\opert.exe"
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6735bbe93159782090eb9c49dde676c6

SHA1
6edec7009f27d90d36081a9d4a05fc6e6bde28e2

SHA256
f8925f72b19e3a2e14ebfda83d63a10e4a6f218d84cc30fb738caa9a575e1217

SHA512
8c85cef74bcd042b528424c1b99149bf5374c428f61a5f3c99e4f42460453b7a36cd0edbf8f76a042432800ee93916a7650b55e41d06f51566ad2cf3d69be696

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
2ed16c50805ea854a39d6ae7015615c2

SHA1
46f8bfcf8d7c593702992af51204ce68dff4cda7

SHA256
6edb32b7052e998ff2cb703e56999fe33a5a93bb5ea4ea5e294587219d675d1f

SHA512
9d4c167399477aaf13c9e41111cc95264a3c9a496ec0bc51c9de1b9345fd51d6470f52c3d4c5f12f045ff6d9f2673caa8cc920465edce2f8260139152936461a

Download Submit
\Users\Admin\AppData\Local\Temp\opert.exe

Filesize
82KB

MD5
68743dd1851eebd5dbfdde1f0134cfd4

SHA1
29365f98638b6c350951bd747ea774aad7458a50

SHA256
1ee513829a8cb5b9f353c84968cc841058a8de80485159c86d11b71cb7953dbf

SHA512
dbf2c5b59c4426d7d39b073ce0db3ea850c9044304220aa2ba7c5aee651b2e581bfe9664bf8553a9ff53f365513c99aadb99e61f98c49e99a352eb704b2a8227

Download Submit
memory/2104-0-0x0000000001100000-0x0000000001139000-memory.dmp

Filesize
228KB

Download
memory/2104-9-0x00000000004E0000-0x0000000000519000-memory.dmp

Filesize
228KB

Download
memory/2104-19-0x0000000001100000-0x0000000001139000-memory.dmp

Filesize
228KB

Download
memory/2500-10-0x0000000000A70000-0x0000000000AA9000-memory.dmp

Filesize
228KB

Download
memory/2500-22-0x0000000000A70000-0x0000000000AA9000-memory.dmp

Filesize
228KB

Download
memory/2500-28-0x0000000000A70000-0x0000000000AA9000-memory.dmp

Filesize
228KB

Download