urelas | 535f2ff8292f1f2d152749caea268970564651bda90794101801691ec8ad5276

Analysis

max time kernel
153s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe
Size

418KB
MD5

05554556b58761e45cfe7e3fbee4dd80
SHA1

f3f8b0f26fb4457db1ae417753cf67ec35c80ec7
SHA256

535f2ff8292f1f2d152749caea268970564651bda90794101801691ec8ad5276
SHA512

b74839a78e05203431b1c3225305627fe8a9015f96d9304b941946bdc72bd63068592a1c1ea06a44747c4bd07f82543ec27fb6756027acb761b348e73e62f673
SSDEEP

6144:XxiqjFBwbGbGQfkOuuGDblGE2OeMfqP3mOa2cBlBPAsE+:XhjQK3f/utLeMfBnBc+

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2996	laryc.exe
2916	yjomvo.exe
1008	ynmif.exe

Loads dropped DLL 5 IoCs

pid	Process
2832	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe
2832	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe
2996	laryc.exe
2996	laryc.exe
2916	yjomvo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe
1008	ynmif.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2996	2832	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	28
PID 2832 wrote to memory of 2996	2832	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	28
PID 2832 wrote to memory of 2996	2832	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	28
PID 2832 wrote to memory of 2996	2832	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	28
PID 2832 wrote to memory of 2860	2832	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	29
PID 2832 wrote to memory of 2860	2832	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	29
PID 2832 wrote to memory of 2860	2832	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	29
PID 2832 wrote to memory of 2860	2832	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	29
PID 2996 wrote to memory of 2916	2996	laryc.exe	31
PID 2996 wrote to memory of 2916	2996	laryc.exe	31
PID 2996 wrote to memory of 2916	2996	laryc.exe	31
PID 2996 wrote to memory of 2916	2996	laryc.exe	31
PID 2916 wrote to memory of 1008	2916	yjomvo.exe	34
PID 2916 wrote to memory of 1008	2916	yjomvo.exe	34
PID 2916 wrote to memory of 1008	2916	yjomvo.exe	34
PID 2916 wrote to memory of 1008	2916	yjomvo.exe	34
PID 2916 wrote to memory of 2728	2916	yjomvo.exe	35
PID 2916 wrote to memory of 2728	2916	yjomvo.exe	35
PID 2916 wrote to memory of 2728	2916	yjomvo.exe	35
PID 2916 wrote to memory of 2728	2916	yjomvo.exe	35

C:\Users\Admin\AppData\Local\Temp\NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\laryc.exe
  "C:\Users\Admin\AppData\Local\Temp\laryc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\yjomvo.exe
    "C:\Users\Admin\AppData\Local\Temp\yjomvo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\ynmif.exe
      "C:\Users\Admin\AppData\Local\Temp\ynmif.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
3026a472b20476a5835fdbe1598ad52c

SHA1
0fb60e3855479dec79790a8e039a7d0ab2a8fe31

SHA256
7bec0b90d5c75e5850215e56ba7114a66b10a2e3cbeb5aa750a1d2fa12f46214

SHA512
70b8b7ccc83b68fbb2f6b2db73fba1429afb476b8cc74493d2783e20ecf78bbcd3508ad77e47dd8b1520feff8584c5704b982d90e81b2d4f986e554e5a54949b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
3026a472b20476a5835fdbe1598ad52c

SHA1
0fb60e3855479dec79790a8e039a7d0ab2a8fe31

SHA256
7bec0b90d5c75e5850215e56ba7114a66b10a2e3cbeb5aa750a1d2fa12f46214

SHA512
70b8b7ccc83b68fbb2f6b2db73fba1429afb476b8cc74493d2783e20ecf78bbcd3508ad77e47dd8b1520feff8584c5704b982d90e81b2d4f986e554e5a54949b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
2cc4bffbd3b5eb4d84373a1059fa4a65

SHA1
c13e114f2c61bcf7114dc2804cd8b4abade5d236

SHA256
68fab4fa5d521a5fe20bde405e975b19509ca59395a845cfcbe8ee08bee4d5fd

SHA512
4e409b415dd9161fb41903ff88dcf91182d68ed7e62f34f1b269f7d40d88b5d4b7cddb3b924f75b7354080c54099d48f26b962c70d61433a334fdd1cdf91834a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
2cc4bffbd3b5eb4d84373a1059fa4a65

SHA1
c13e114f2c61bcf7114dc2804cd8b4abade5d236

SHA256
68fab4fa5d521a5fe20bde405e975b19509ca59395a845cfcbe8ee08bee4d5fd

SHA512
4e409b415dd9161fb41903ff88dcf91182d68ed7e62f34f1b269f7d40d88b5d4b7cddb3b924f75b7354080c54099d48f26b962c70d61433a334fdd1cdf91834a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9809fb3d52b7d4b14e5edc7567f45c01

SHA1
ce4d2a850c39a3eb69ed9e3a879b6682169faca7

SHA256
fad41982f71820308052cb3762861de539c17d74319fbfa9f2a52394200408ee

SHA512
05717fc3778bc40c2317f668e0fcebaaa5821a9186039433deccf7acb5ced84307882707e3173f52e41ea1b30ea78f5f4ac609022e9fc56cfcac6fc755f88ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\laryc.exe

Filesize
418KB

MD5
1337778dc655857d912145ff85aee19b

SHA1
14275128edac87c6171f5acb0b89c9243144b839

SHA256
282c845a2f820f0bd0f9a30c9e696e10146909ecac966a2e8dfadaa331f829da

SHA512
61dca4e36a863b38424caa1d120929e0e93fc6227ba9a1a688b15ebe8c711a8cab303d007f926bf79e714ad110d81f7336a5391c26d953e5a521db9fcfe4f4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\laryc.exe

Filesize
418KB

MD5
1337778dc655857d912145ff85aee19b

SHA1
14275128edac87c6171f5acb0b89c9243144b839

SHA256
282c845a2f820f0bd0f9a30c9e696e10146909ecac966a2e8dfadaa331f829da

SHA512
61dca4e36a863b38424caa1d120929e0e93fc6227ba9a1a688b15ebe8c711a8cab303d007f926bf79e714ad110d81f7336a5391c26d953e5a521db9fcfe4f4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\laryc.exe

Filesize
418KB

MD5
1337778dc655857d912145ff85aee19b

SHA1
14275128edac87c6171f5acb0b89c9243144b839

SHA256
282c845a2f820f0bd0f9a30c9e696e10146909ecac966a2e8dfadaa331f829da

SHA512
61dca4e36a863b38424caa1d120929e0e93fc6227ba9a1a688b15ebe8c711a8cab303d007f926bf79e714ad110d81f7336a5391c26d953e5a521db9fcfe4f4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjomvo.exe

Filesize
418KB

MD5
1337778dc655857d912145ff85aee19b

SHA1
14275128edac87c6171f5acb0b89c9243144b839

SHA256
282c845a2f820f0bd0f9a30c9e696e10146909ecac966a2e8dfadaa331f829da

SHA512
61dca4e36a863b38424caa1d120929e0e93fc6227ba9a1a688b15ebe8c711a8cab303d007f926bf79e714ad110d81f7336a5391c26d953e5a521db9fcfe4f4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjomvo.exe

Filesize
418KB

MD5
1337778dc655857d912145ff85aee19b

SHA1
14275128edac87c6171f5acb0b89c9243144b839

SHA256
282c845a2f820f0bd0f9a30c9e696e10146909ecac966a2e8dfadaa331f829da

SHA512
61dca4e36a863b38424caa1d120929e0e93fc6227ba9a1a688b15ebe8c711a8cab303d007f926bf79e714ad110d81f7336a5391c26d953e5a521db9fcfe4f4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynmif.exe

Filesize
189KB

MD5
4658dcb06358894f13fb8518a96aa553

SHA1
88629e167866a7cf79639d0a588a2dd95cc5f009

SHA256
3df848b7346cf10ead7ec47cb20596fd54c0c91ae061826a79599be673664f38

SHA512
21cf1642a81b058dbc9790eb2be8cb179dcc82f5b031dc3b9080918812be22d58725fdb05a59279e485d29bd7f1657ee9ef6165eff3cfd5b94f042b26034b987

Download Submit
\Users\Admin\AppData\Local\Temp\laryc.exe

Filesize
418KB

MD5
1337778dc655857d912145ff85aee19b

SHA1
14275128edac87c6171f5acb0b89c9243144b839

SHA256
282c845a2f820f0bd0f9a30c9e696e10146909ecac966a2e8dfadaa331f829da

SHA512
61dca4e36a863b38424caa1d120929e0e93fc6227ba9a1a688b15ebe8c711a8cab303d007f926bf79e714ad110d81f7336a5391c26d953e5a521db9fcfe4f4de

Download Submit
\Users\Admin\AppData\Local\Temp\laryc.exe

Filesize
418KB

MD5
1337778dc655857d912145ff85aee19b

SHA1
14275128edac87c6171f5acb0b89c9243144b839

SHA256
282c845a2f820f0bd0f9a30c9e696e10146909ecac966a2e8dfadaa331f829da

SHA512
61dca4e36a863b38424caa1d120929e0e93fc6227ba9a1a688b15ebe8c711a8cab303d007f926bf79e714ad110d81f7336a5391c26d953e5a521db9fcfe4f4de

Download Submit
\Users\Admin\AppData\Local\Temp\yjomvo.exe

Filesize
418KB

MD5
1337778dc655857d912145ff85aee19b

SHA1
14275128edac87c6171f5acb0b89c9243144b839

SHA256
282c845a2f820f0bd0f9a30c9e696e10146909ecac966a2e8dfadaa331f829da

SHA512
61dca4e36a863b38424caa1d120929e0e93fc6227ba9a1a688b15ebe8c711a8cab303d007f926bf79e714ad110d81f7336a5391c26d953e5a521db9fcfe4f4de

Download Submit
\Users\Admin\AppData\Local\Temp\yjomvo.exe

Filesize
418KB

MD5
1337778dc655857d912145ff85aee19b

SHA1
14275128edac87c6171f5acb0b89c9243144b839

SHA256
282c845a2f820f0bd0f9a30c9e696e10146909ecac966a2e8dfadaa331f829da

SHA512
61dca4e36a863b38424caa1d120929e0e93fc6227ba9a1a688b15ebe8c711a8cab303d007f926bf79e714ad110d81f7336a5391c26d953e5a521db9fcfe4f4de

Download Submit
\Users\Admin\AppData\Local\Temp\ynmif.exe

Filesize
189KB

MD5
4658dcb06358894f13fb8518a96aa553

SHA1
88629e167866a7cf79639d0a588a2dd95cc5f009

SHA256
3df848b7346cf10ead7ec47cb20596fd54c0c91ae061826a79599be673664f38

SHA512
21cf1642a81b058dbc9790eb2be8cb179dcc82f5b031dc3b9080918812be22d58725fdb05a59279e485d29bd7f1657ee9ef6165eff3cfd5b94f042b26034b987

Download Submit
memory/1008-58-0x0000000001190000-0x000000000122B000-memory.dmp

Filesize
620KB

Download
memory/1008-55-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1008-62-0x0000000001190000-0x000000000122B000-memory.dmp

Filesize
620KB

Download
memory/1008-61-0x0000000001190000-0x000000000122B000-memory.dmp

Filesize
620KB

Download
memory/1008-60-0x0000000001190000-0x000000000122B000-memory.dmp

Filesize
620KB

Download
memory/1008-53-0x0000000001190000-0x000000000122B000-memory.dmp

Filesize
620KB

Download
memory/1008-59-0x0000000001190000-0x000000000122B000-memory.dmp

Filesize
620KB

Download
memory/2832-11-0x0000000002720000-0x0000000002788000-memory.dmp

Filesize
416KB

Download
memory/2832-22-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2832-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2916-45-0x0000000003550000-0x00000000035EB000-memory.dmp

Filesize
620KB

Download
memory/2916-34-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2916-36-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2916-54-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2996-33-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2996-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download