urelas | f47dac99ccfaf1d1e12273bfc0ec20db9bfa85a111b9c754ca9e209133f11a6e

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10/10/2023, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe
Size

141KB
MD5

79f32ad8875d9c96a538ab5894973571
SHA1

f83a9084b7ef7e7031a061c69c254aa3156a17e1
SHA256

f47dac99ccfaf1d1e12273bfc0ec20db9bfa85a111b9c754ca9e209133f11a6e
SHA512

8f9a8dfab3e9274b0fd44ee9303d9b86f467a650366688895437e92eede201f5272347771914ca85f5879e898f17f9235f9df309a435997dc657cc267d57455f
SSDEEP

3072:K3kHmMsmRUOMfCECCeZlmgchdvz6xs9PY0X85jx08aAP52jKR2jKqRWX:zHbRUOqwC4mgg44jKojKqRy

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2224	wiqk.exe

Loads dropped DLL 1 IoCs

pid	Process
2444	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2224	2444	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	28
PID 2444 wrote to memory of 2224	2444	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	28
PID 2444 wrote to memory of 2224	2444	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	28
PID 2444 wrote to memory of 2224	2444	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	28
PID 2444 wrote to memory of 2616	2444	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	29
PID 2444 wrote to memory of 2616	2444	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	29
PID 2444 wrote to memory of 2616	2444	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	29
PID 2444 wrote to memory of 2616	2444	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\wiqk.exe
  "C:\Users\Admin\AppData\Local\Temp\wiqk.exe"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9de967703683664d93d1cdfdd58274c4

SHA1
f6c2fed12e653fae61237e66de92e59f035869b3

SHA256
5ab8b4088f08eb1cfc44d7f1ed1682de1adde57a688bad95d28d5c4cd8b5c7b3

SHA512
7c652833dd488ca822e25718b2c3f0b851c99745db6a5fde4dd277adc2b9f76b16906d4f0c642af7a392be08dce9094469d163038ce2dc5b41055e7a9a634307

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
290B

MD5
c635b812ea49e55d192a94a3eef7672f

SHA1
47df60df111f3b54e2603126454962954a48fa1c

SHA256
3bb66fb5c11aef4d4ba2d320aef813ca36d465d2f6db8f44a5bae204a73bcabd

SHA512
1576b92f1c59391f8ffbe527bdf3d8c517152a6dcb6ff3a6a7fbf48e5f53e7c93a23cbaf2dba7b5d5aa6490c572727cdb3c60fdd917b19a71aa0a2819beec0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
290B

MD5
c635b812ea49e55d192a94a3eef7672f

SHA1
47df60df111f3b54e2603126454962954a48fa1c

SHA256
3bb66fb5c11aef4d4ba2d320aef813ca36d465d2f6db8f44a5bae204a73bcabd

SHA512
1576b92f1c59391f8ffbe527bdf3d8c517152a6dcb6ff3a6a7fbf48e5f53e7c93a23cbaf2dba7b5d5aa6490c572727cdb3c60fdd917b19a71aa0a2819beec0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiqk.exe

Filesize
141KB

MD5
3df4fbc4acdf9b8f073ef0d0058ca5f3

SHA1
72f7fb685ccc94d5be37454c08f46f78ef5d603b

SHA256
5b852f39af0ae21d024000f4c78b60ef8508cab74cecef18973324103b267a20

SHA512
e45e110722ceebb732599f3b70a899c61b5ccfaa306f88d70facc8feee2b2c79edfee485450700dd47c2eb85c6b73c3a1c621e6c2255d629359c5d768977b744

Download Submit
\Users\Admin\AppData\Local\Temp\wiqk.exe

Filesize
141KB

MD5
3df4fbc4acdf9b8f073ef0d0058ca5f3

SHA1
72f7fb685ccc94d5be37454c08f46f78ef5d603b

SHA256
5b852f39af0ae21d024000f4c78b60ef8508cab74cecef18973324103b267a20

SHA512
e45e110722ceebb732599f3b70a899c61b5ccfaa306f88d70facc8feee2b2c79edfee485450700dd47c2eb85c6b73c3a1c621e6c2255d629359c5d768977b744

Download Submit
memory/2224-12-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2224-22-0x00000000000F0000-0x000000000011B000-memory.dmp

Filesize
172KB

Download
memory/2224-28-0x00000000000F0000-0x000000000011B000-memory.dmp

Filesize
172KB

Download
memory/2444-0-0x00000000008D0000-0x00000000008FB000-memory.dmp

Filesize
172KB

Download
memory/2444-1-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2444-7-0x0000000000770000-0x000000000079B000-memory.dmp

Filesize
172KB

Download
memory/2444-19-0x00000000008D0000-0x00000000008FB000-memory.dmp

Filesize
172KB

Download