Overview

overview

10

Static

static

10

NEAS.55c4e...JC.exe

windows7-x64

10

NEAS.55c4e...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 15:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.55c4e380e3ec20b6e7ef267f5c1c69f7_JC.exe

  • Size

    463KB

  • MD5

    55c4e380e3ec20b6e7ef267f5c1c69f7

  • SHA1

    e02c0ef2b028b70c91a391a5ca0078ba87a34bfc

  • SHA256

    c557410a1bb3cc7ece7241276d06766ffa3d142e16eb00f0ceb6b55a2f6735d6

  • SHA512

    01a391a4beba2406fd312628bc2741b977d8ac5bfdce27d42a44ab0a949520ed75fb7c4897955a187f6ad5307fa8fc24df51e6bc08254bd07ba162a567a8a726

  • SSDEEP

    6144:P8Eoe/IebBVMweZGhHdJBV70FVKLbfW2x8VyMsmD6gzOmjpi+pMJQ8uUm9unpmK:vDdUGhHdJ370FVKmP0Ml+gzzjp+lsuX

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.55c4e380e3ec20b6e7ef267f5c1c69f7_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.55c4e380e3ec20b6e7ef267f5c1c69f7_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4124
    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      "C:\Users\Admin\AppData\Local\Temp\sander.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
        "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
      2⤵
        PID:4688

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
      Filesize

      293B

      MD5

      930eff0272dda1976dfaca8fc67c55da

      SHA1

      0da14e974c95eabe94cfcef21377da13719fb276

      SHA256

      331e71467a242fc81c18c9170ebac1e5a419445287931aece19471268a0f2856

      SHA512

      f2e5f0c8ac1eefddf248c490942cff3e912b076bbcd8d35893889f02a70c984162a71865ad1a7158f79ec309db3bbe5960dc5ef7a1375664bb1e500564ddfe7d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
      Filesize

      221KB

      MD5

      516fe006618c1845dbabd870514f6e7f

      SHA1

      cbabb4b95a1ed73efc5dd0a3f9aed9bf188cd622

      SHA256

      3ffd0a7b60d9eb606017752681045440b99213f19357ce5a39d5eb75add32a4f

      SHA512

      ee6312631ff2e044ba9cded852f6f5d419dd1e8eb9557fb1102b7b1f4d27942acd645cab2076e12022ca813cbf2ad83af90c14f3ced2d5d9cb7e56da01b58dd8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
      Filesize

      221KB

      MD5

      516fe006618c1845dbabd870514f6e7f

      SHA1

      cbabb4b95a1ed73efc5dd0a3f9aed9bf188cd622

      SHA256

      3ffd0a7b60d9eb606017752681045440b99213f19357ce5a39d5eb75add32a4f

      SHA512

      ee6312631ff2e044ba9cded852f6f5d419dd1e8eb9557fb1102b7b1f4d27942acd645cab2076e12022ca813cbf2ad83af90c14f3ced2d5d9cb7e56da01b58dd8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
      Filesize

      221KB

      MD5

      516fe006618c1845dbabd870514f6e7f

      SHA1

      cbabb4b95a1ed73efc5dd0a3f9aed9bf188cd622

      SHA256

      3ffd0a7b60d9eb606017752681045440b99213f19357ce5a39d5eb75add32a4f

      SHA512

      ee6312631ff2e044ba9cded852f6f5d419dd1e8eb9557fb1102b7b1f4d27942acd645cab2076e12022ca813cbf2ad83af90c14f3ced2d5d9cb7e56da01b58dd8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      04113afab96ff36e7da4cabf336079cf

      SHA1

      2ab6a01f123c1ef4227cb134612749b67a237bf6

      SHA256

      8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

      SHA512

      68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      Filesize

      463KB

      MD5

      ccb1df3fdddb91f15963bd802bc43acd

      SHA1

      e3ca2690ca6f9740b8089ce3cb81a1c6c3cd7aaf

      SHA256

      a6d79463b7f42053048dfc706b1322df8741c7ad237db68a37065e6d3b7f1a8f

      SHA512

      bf9ee724f8431f300add08fb1eb9e4e974d81b62ce4ad2c784f7e3417d05a08b051c2b7f00fa915bc8d1bd6fea6c2b0d8c42bcef8450d933583b114e74edf82b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      Filesize

      463KB

      MD5

      ccb1df3fdddb91f15963bd802bc43acd

      SHA1

      e3ca2690ca6f9740b8089ce3cb81a1c6c3cd7aaf

      SHA256

      a6d79463b7f42053048dfc706b1322df8741c7ad237db68a37065e6d3b7f1a8f

      SHA512

      bf9ee724f8431f300add08fb1eb9e4e974d81b62ce4ad2c784f7e3417d05a08b051c2b7f00fa915bc8d1bd6fea6c2b0d8c42bcef8450d933583b114e74edf82b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      Filesize

      463KB

      MD5

      ccb1df3fdddb91f15963bd802bc43acd

      SHA1

      e3ca2690ca6f9740b8089ce3cb81a1c6c3cd7aaf

      SHA256

      a6d79463b7f42053048dfc706b1322df8741c7ad237db68a37065e6d3b7f1a8f

      SHA512

      bf9ee724f8431f300add08fb1eb9e4e974d81b62ce4ad2c784f7e3417d05a08b051c2b7f00fa915bc8d1bd6fea6c2b0d8c42bcef8450d933583b114e74edf82b

      Download Submit

    • memory/400-29-0x0000000000FE0000-0x0000000001062000-memory.dmp

      Filesize

      520KB

      Download

    • memory/400-10-0x0000000000FE0000-0x0000000001062000-memory.dmp

      Filesize

      520KB

      Download

    • memory/400-18-0x0000000000FE0000-0x0000000001062000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1056-34-0x0000000000F20000-0x0000000000F22000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1056-28-0x0000000000F20000-0x0000000000F22000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1056-27-0x0000000000E50000-0x0000000000EF1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/1056-30-0x0000000000E50000-0x0000000000EF1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/1056-33-0x0000000000E50000-0x0000000000EF1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/1056-35-0x0000000000E50000-0x0000000000EF1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/1056-36-0x0000000000E50000-0x0000000000EF1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/1056-37-0x0000000000E50000-0x0000000000EF1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/1056-38-0x0000000000E50000-0x0000000000EF1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/4124-3-0x0000000000FA0000-0x0000000001022000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4124-0-0x0000000000FA0000-0x0000000001022000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4124-16-0x0000000000FA0000-0x0000000001022000-memory.dmp

      Filesize

      520KB

      Download