Overview

overview

10

Static

static

3

326a1837ac...ad.exe

windows7-x64

10

326a1837ac...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-11-2024 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe

  • Size

    333KB

  • MD5

    581eab6e8b1c1d42771ae046ff6e65a8

  • SHA1

    2152ebcc38d31070aefe7ad02b414dc4a5b81b9f

  • SHA256

    326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad

  • SHA512

    659111e8f45e1579a517176ec43f9b6bf08a90f9d5d9af0274b01948f18e6e50526cf6ca376b0ba0f2505604134d34194dfe12b6ca8cea4dddedccdc8aef9326

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9H:vHW138/iXWlK885rKlGSekcj66ciWH

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe
    "C:\Users\Admin\AppData\Local\Temp\326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:612
    • C:\Users\Admin\AppData\Local\Temp\nyhus.exe
      "C:\Users\Admin\AppData\Local\Temp\nyhus.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Users\Admin\AppData\Local\Temp\saofr.exe
        "C:\Users\Admin\AppData\Local\Temp\saofr.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1368
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    340B

    MD5

    4045389627a7bfcfac8f0a3c087b69da

    SHA1

    8f467818bb334860cfab312c1a3d54c75f566bc6

    SHA256

    6bcbee859f8c5406c9146dd2bb386da5bb9d91b8c79b9481caa945b4dd46941d

    SHA512

    0b5407abe3626706c366c35969ccbf214ceeb706a028af59b6fb1d599c40a81049329f7d84474fc8b318e9f521e3033ea2b1c04ccbafdc312e19592094499991

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    ba9456484d774e21fe5a5e86992f1f0b

    SHA1

    0a5dbc4212711d0db1e051985cab5dd042bcd65e

    SHA256

    8d78776697bb46483a341858bda574bf9f314144df6574135d7ec7635de05e9c

    SHA512

    cb3a071d01d36e946973e18cbde457e3efee6fa0afc7851da64af31c6d74b020db9ad16a6f49c79666b016ed18f556fc3838d60acafd3b0d6a914b10a2c59f94

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nyhus.exe
    Filesize

    333KB

    MD5

    44b6237e4eb4c7660bbce9c8ca464971

    SHA1

    7020b822f4cf9df122beeab07a406d62ef90b28c

    SHA256

    a1682ce9bf0ad8681d6b6d244a14825e08414235094a4c02057d1c5c73860e5e

    SHA512

    103adb97877cf93577ced3e6bad2f2781fa2fd94b4a28598aad292c399966dbb54a8774a937baf9b772b0e64a9bc52f86171d99c4a5b800b0343886fd03ca890

    Download Submit

  • \Users\Admin\AppData\Local\Temp\saofr.exe
    Filesize

    172KB

    MD5

    b4a82164c90aeadce56da1e07a38b159

    SHA1

    e3ee7aa53e14c357986947e40c8dc2fbc77e4c42

    SHA256

    8fa2a0bacfa465b0b05a5b2e8ae98b878eef7131b2afcfe47670be55e4289442

    SHA512

    2310ae2c0c3718ddd7d7381c54a9d33c2fc26444130403632bae0fd7e6846dea85f6c3bc25137658544655792aefd5f80d36a17316bda84fe49136deadaa15ad

    Download Submit

  • memory/588-15-0x0000000001310000-0x0000000001391000-memory.dmp

    Filesize

    516KB

    Download

  • memory/588-23-0x0000000001310000-0x0000000001391000-memory.dmp

    Filesize

    516KB

    Download

  • memory/588-18-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/588-38-0x0000000001310000-0x0000000001391000-memory.dmp

    Filesize

    516KB

    Download

  • memory/588-39-0x0000000001250000-0x00000000012E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/612-6-0x0000000002720000-0x00000000027A1000-memory.dmp

    Filesize

    516KB

    Download

  • memory/612-0-0x0000000001290000-0x0000000001311000-memory.dmp

    Filesize

    516KB

    Download

  • memory/612-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/612-20-0x0000000001290000-0x0000000001311000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1368-44-0x0000000001150000-0x00000000011E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1368-41-0x0000000001150000-0x00000000011E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1368-46-0x0000000001150000-0x00000000011E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1368-47-0x0000000001150000-0x00000000011E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1368-48-0x0000000001150000-0x00000000011E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1368-49-0x0000000001150000-0x00000000011E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1368-50-0x0000000001150000-0x00000000011E9000-memory.dmp

    Filesize

    612KB

    Download