urelas | 019d71fb4d55abe035b657292e0ddd89e3c827b9654337cab1dbd30583320a44

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08-10-2023 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a9f576a29aa60e35acfc621638239434_JC.exe
Size

418KB
MD5

a9f576a29aa60e35acfc621638239434
SHA1

3cf23e9c7446c0203c83be7770d42605d6816764
SHA256

019d71fb4d55abe035b657292e0ddd89e3c827b9654337cab1dbd30583320a44
SHA512

82c8269344cc12932afa11d8a2e3cfac3eaf0e854bf9e910d7359d3a052ba7e53b1d8f693413b26cf5fbcc4697854bfda9dc7230ddb649c6e23e77a118979630
SSDEEP

6144:XxiqjFBwbGbGQfkOuuGDblGE2OeMfqP3mOa2cBlBPAsEh:XhjQK3f/utLeMfBnBch

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3020	mexoo.exe
2636	diusdi.exe
1088	ucjyd.exe

Loads dropped DLL 5 IoCs

pid	Process
2444	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe
2444	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe
3020	mexoo.exe
3020	mexoo.exe
2636	diusdi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe
1088	ucjyd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 3020	2444	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	28
PID 2444 wrote to memory of 3020	2444	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	28
PID 2444 wrote to memory of 3020	2444	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	28
PID 2444 wrote to memory of 3020	2444	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	28
PID 2444 wrote to memory of 2712	2444	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	30
PID 2444 wrote to memory of 2712	2444	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	30
PID 2444 wrote to memory of 2712	2444	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	30
PID 2444 wrote to memory of 2712	2444	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	30
PID 3020 wrote to memory of 2636	3020	mexoo.exe	31
PID 3020 wrote to memory of 2636	3020	mexoo.exe	31
PID 3020 wrote to memory of 2636	3020	mexoo.exe	31
PID 3020 wrote to memory of 2636	3020	mexoo.exe	31
PID 2636 wrote to memory of 1088	2636	diusdi.exe	34
PID 2636 wrote to memory of 1088	2636	diusdi.exe	34
PID 2636 wrote to memory of 1088	2636	diusdi.exe	34
PID 2636 wrote to memory of 1088	2636	diusdi.exe	34
PID 2636 wrote to memory of 2888	2636	diusdi.exe	36
PID 2636 wrote to memory of 2888	2636	diusdi.exe	36
PID 2636 wrote to memory of 2888	2636	diusdi.exe	36
PID 2636 wrote to memory of 2888	2636	diusdi.exe	36

C:\Users\Admin\AppData\Local\Temp\NEAS.a9f576a29aa60e35acfc621638239434_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a9f576a29aa60e35acfc621638239434_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\mexoo.exe
  "C:\Users\Admin\AppData\Local\Temp\mexoo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\diusdi.exe
    "C:\Users\Admin\AppData\Local\Temp\diusdi.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\ucjyd.exe
      "C:\Users\Admin\AppData\Local\Temp\ucjyd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2810950789012fbef94e5b83f773275a

SHA1
e8ec762166ead2b7ba2d8b2b34b688404826a37c

SHA256
d5aafaccfec1a4de30fc174308f61b3f6f3d5927143ef44d51014913926b7d92

SHA512
bb882428de01bb2e6abd9652bd55353e58702542372502c9cd6694b8fe1b4611a3127941e503306a4ec2288952561882465ea3a0657c853ba93341204b5d16ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2810950789012fbef94e5b83f773275a

SHA1
e8ec762166ead2b7ba2d8b2b34b688404826a37c

SHA256
d5aafaccfec1a4de30fc174308f61b3f6f3d5927143ef44d51014913926b7d92

SHA512
bb882428de01bb2e6abd9652bd55353e58702542372502c9cd6694b8fe1b4611a3127941e503306a4ec2288952561882465ea3a0657c853ba93341204b5d16ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
e0a7469a29220a6f7a8d0252aec5bd31

SHA1
b61e94e550409fafff7710795965267c79f320f6

SHA256
e5a70a45e004fe2266dcf669f3895181284cedda5af971c66c5eb20bf5c7e82f

SHA512
0c8be620ebb11f71fd85d53338bcecb93ee31444704b317f69472827029398d16004f82a0c02167a14d7bcddd47d461317934b93d7125ddae852c74a8995974a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
e0a7469a29220a6f7a8d0252aec5bd31

SHA1
b61e94e550409fafff7710795965267c79f320f6

SHA256
e5a70a45e004fe2266dcf669f3895181284cedda5af971c66c5eb20bf5c7e82f

SHA512
0c8be620ebb11f71fd85d53338bcecb93ee31444704b317f69472827029398d16004f82a0c02167a14d7bcddd47d461317934b93d7125ddae852c74a8995974a

Download Submit
C:\Users\Admin\AppData\Local\Temp\diusdi.exe

Filesize
418KB

MD5
a738184287ea09249767e0c675569585

SHA1
1ef50055fda862e61e7268447e0dd4119121f157

SHA256
54c2770929bbc032a92bd2b8a4d2a75988180ec9b3b13778e5c3a2236dbdf8cb

SHA512
3d47cb5d3ee30c1e51102b069f9ec3eb2ab7b3822149a3444a660de2de2ec1a1a33fdde67c0736cf2f5f297ba2891c74251d6c16971156f065648ac83098cc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\diusdi.exe

Filesize
418KB

MD5
a738184287ea09249767e0c675569585

SHA1
1ef50055fda862e61e7268447e0dd4119121f157

SHA256
54c2770929bbc032a92bd2b8a4d2a75988180ec9b3b13778e5c3a2236dbdf8cb

SHA512
3d47cb5d3ee30c1e51102b069f9ec3eb2ab7b3822149a3444a660de2de2ec1a1a33fdde67c0736cf2f5f297ba2891c74251d6c16971156f065648ac83098cc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f0a18f421258e7372cf4a9c2ea4a0b04

SHA1
61a3ce70e644d453f232fcccb5c1df5672c50f5b

SHA256
bbdf5b43922f8a8d950322f6be0dc7bc13178c4f655f07f6346fb6f646009533

SHA512
a5e72ebf60080ec5af91a0bde20e802bd00791447f7502d6808cad97cc0441a3d6cc61f71269a9283bc11f2765b003258c532fc21bbee96b458c6b08459be53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mexoo.exe

Filesize
418KB

MD5
a738184287ea09249767e0c675569585

SHA1
1ef50055fda862e61e7268447e0dd4119121f157

SHA256
54c2770929bbc032a92bd2b8a4d2a75988180ec9b3b13778e5c3a2236dbdf8cb

SHA512
3d47cb5d3ee30c1e51102b069f9ec3eb2ab7b3822149a3444a660de2de2ec1a1a33fdde67c0736cf2f5f297ba2891c74251d6c16971156f065648ac83098cc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\mexoo.exe

Filesize
418KB

MD5
a738184287ea09249767e0c675569585

SHA1
1ef50055fda862e61e7268447e0dd4119121f157

SHA256
54c2770929bbc032a92bd2b8a4d2a75988180ec9b3b13778e5c3a2236dbdf8cb

SHA512
3d47cb5d3ee30c1e51102b069f9ec3eb2ab7b3822149a3444a660de2de2ec1a1a33fdde67c0736cf2f5f297ba2891c74251d6c16971156f065648ac83098cc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\mexoo.exe

Filesize
418KB

MD5
a738184287ea09249767e0c675569585

SHA1
1ef50055fda862e61e7268447e0dd4119121f157

SHA256
54c2770929bbc032a92bd2b8a4d2a75988180ec9b3b13778e5c3a2236dbdf8cb

SHA512
3d47cb5d3ee30c1e51102b069f9ec3eb2ab7b3822149a3444a660de2de2ec1a1a33fdde67c0736cf2f5f297ba2891c74251d6c16971156f065648ac83098cc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucjyd.exe

Filesize
189KB

MD5
d4fe4a1f0004252ecf64c59467ff3e22

SHA1
a0838422599a34f6de3cbf4057fa4de7cc85db60

SHA256
a660dfd57727ee61684232874f37159fcd1073729889e9d680aeda2cecdd33fd

SHA512
9f795e155a3453cabeb8f26958ddd996261bbf2418ba5b0c29fe5435e5cfa0fb82cc42afe84f45c7bf5c80377b66d26bbebddca3f426a60b1658139a695c7edd

Download Submit
\Users\Admin\AppData\Local\Temp\diusdi.exe

Filesize
418KB

MD5
a738184287ea09249767e0c675569585

SHA1
1ef50055fda862e61e7268447e0dd4119121f157

SHA256
54c2770929bbc032a92bd2b8a4d2a75988180ec9b3b13778e5c3a2236dbdf8cb

SHA512
3d47cb5d3ee30c1e51102b069f9ec3eb2ab7b3822149a3444a660de2de2ec1a1a33fdde67c0736cf2f5f297ba2891c74251d6c16971156f065648ac83098cc90

Download Submit
\Users\Admin\AppData\Local\Temp\diusdi.exe

Filesize
418KB

MD5
a738184287ea09249767e0c675569585

SHA1
1ef50055fda862e61e7268447e0dd4119121f157

SHA256
54c2770929bbc032a92bd2b8a4d2a75988180ec9b3b13778e5c3a2236dbdf8cb

SHA512
3d47cb5d3ee30c1e51102b069f9ec3eb2ab7b3822149a3444a660de2de2ec1a1a33fdde67c0736cf2f5f297ba2891c74251d6c16971156f065648ac83098cc90

Download Submit
\Users\Admin\AppData\Local\Temp\mexoo.exe

Filesize
418KB

MD5
a738184287ea09249767e0c675569585

SHA1
1ef50055fda862e61e7268447e0dd4119121f157

SHA256
54c2770929bbc032a92bd2b8a4d2a75988180ec9b3b13778e5c3a2236dbdf8cb

SHA512
3d47cb5d3ee30c1e51102b069f9ec3eb2ab7b3822149a3444a660de2de2ec1a1a33fdde67c0736cf2f5f297ba2891c74251d6c16971156f065648ac83098cc90

Download Submit
\Users\Admin\AppData\Local\Temp\mexoo.exe

Filesize
418KB

MD5
a738184287ea09249767e0c675569585

SHA1
1ef50055fda862e61e7268447e0dd4119121f157

SHA256
54c2770929bbc032a92bd2b8a4d2a75988180ec9b3b13778e5c3a2236dbdf8cb

SHA512
3d47cb5d3ee30c1e51102b069f9ec3eb2ab7b3822149a3444a660de2de2ec1a1a33fdde67c0736cf2f5f297ba2891c74251d6c16971156f065648ac83098cc90

Download Submit
\Users\Admin\AppData\Local\Temp\ucjyd.exe

Filesize
189KB

MD5
d4fe4a1f0004252ecf64c59467ff3e22

SHA1
a0838422599a34f6de3cbf4057fa4de7cc85db60

SHA256
a660dfd57727ee61684232874f37159fcd1073729889e9d680aeda2cecdd33fd

SHA512
9f795e155a3453cabeb8f26958ddd996261bbf2418ba5b0c29fe5435e5cfa0fb82cc42afe84f45c7bf5c80377b66d26bbebddca3f426a60b1658139a695c7edd

Download Submit
memory/1088-62-0x0000000000EE0000-0x0000000000F7B000-memory.dmp

Filesize
620KB

Download
memory/1088-58-0x0000000000EE0000-0x0000000000F7B000-memory.dmp

Filesize
620KB

Download
memory/1088-59-0x0000000000EE0000-0x0000000000F7B000-memory.dmp

Filesize
620KB

Download
memory/1088-60-0x0000000000EE0000-0x0000000000F7B000-memory.dmp

Filesize
620KB

Download
memory/1088-61-0x0000000000EE0000-0x0000000000F7B000-memory.dmp

Filesize
620KB

Download
memory/1088-54-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1088-55-0x0000000000EE0000-0x0000000000F7B000-memory.dmp

Filesize
620KB

Download
memory/2444-21-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2444-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2444-11-0x0000000002640000-0x00000000026A8000-memory.dmp

Filesize
416KB

Download
memory/2636-45-0x00000000030F0000-0x000000000318B000-memory.dmp

Filesize
620KB

Download
memory/2636-53-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2636-36-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2636-35-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3020-34-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3020-32-0x0000000002F90000-0x0000000002FF8000-memory.dmp

Filesize
416KB

Download