urelas | 984d9cf4b34ed3602c3773af5aa6634f0fde8f5014412ff69064f40b53ca86e4

Analysis

max time kernel
163s
max time network
131s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 18:49 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe
Size

392KB
MD5

a9ee5717f9ed4aa52358a2dce5cd24e6
SHA1

fb07be112019076233e0012986e97738c06b9ea4
SHA256

984d9cf4b34ed3602c3773af5aa6634f0fde8f5014412ff69064f40b53ca86e4
SHA512

ace8009bb0a17385a51ec52e83f72edb1551a29a7c76c9c921d1e05ad75315318d66becf96111d4cc6ac12e78caa9090a05b3a416fcbd5ea3badeb9565ba75ab
SSDEEP

12288:fEOZQtZVa6JdD/lHoOMzXCGOoIVdDHMxj:fE1HVa2dDNIrrCGOoQDAj

Score

10^/10

urelas trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2964	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2080	aproy.exe
2344	mihec.exe

Loads dropped DLL 2 IoCs

pid	Process
1100	NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe
2080	aproy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe
2344	mihec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2344	mihec.exe
Token: SeIncBasePriorityPrivilege	2344	mihec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2080	1100	NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe	27
PID 1100 wrote to memory of 2080	1100	NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe	27
PID 1100 wrote to memory of 2080	1100	NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe	27
PID 1100 wrote to memory of 2080	1100	NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe	27
PID 1100 wrote to memory of 2964	1100	NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe	28
PID 1100 wrote to memory of 2964	1100	NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe	28
PID 1100 wrote to memory of 2964	1100	NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe	28
PID 1100 wrote to memory of 2964	1100	NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe	28
PID 2080 wrote to memory of 2344	2080	aproy.exe	32
PID 2080 wrote to memory of 2344	2080	aproy.exe	32
PID 2080 wrote to memory of 2344	2080	aproy.exe	32
PID 2080 wrote to memory of 2344	2080	aproy.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASa9ee5717f9ed4aa52358a2dce5cd24e6exe_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\aproy.exe
  "C:\Users\Admin\AppData\Local\Temp\aproy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\mihec.exe
    "C:\Users\Admin\AppData\Local\Temp\mihec.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  PID:2964

Network

No results found

121.88.5.183:11150

aproy.exe

152 B
3
121.88.5.184:11170

aproy.exe

152 B
3
121.88.5.182:11150

aproy.exe

152 B
3

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
307B

MD5
70f5f3d86a52653f179a833e5cc41241

SHA1
ba76332fc40e2ba4e0d3baba6be290249d4fdd64

SHA256
fcebea282d9e05680c0864aafaa294bd31bfd3fe6e1bee3462169cdc922dcd40

SHA512
065ec402443442d969e6d67e19e60d8a0b9a1529cc926c8b54a1754b6098d785c4645e75dbb0578218c4bc5346bf1b126bb96419e962bad1b3c03fdae8273eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
307B

MD5
70f5f3d86a52653f179a833e5cc41241

SHA1
ba76332fc40e2ba4e0d3baba6be290249d4fdd64

SHA256
fcebea282d9e05680c0864aafaa294bd31bfd3fe6e1bee3462169cdc922dcd40

SHA512
065ec402443442d969e6d67e19e60d8a0b9a1529cc926c8b54a1754b6098d785c4645e75dbb0578218c4bc5346bf1b126bb96419e962bad1b3c03fdae8273eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\aproy.exe

Filesize
392KB

MD5
916df2b6f8b324d0408b239e593c31c0

SHA1
fd9ef6039693b628c426916624f507152fcfd894

SHA256
774b238cb362b79c71a5f63e65d62034be5cd5d1903c7ffb4482af2499e101fd

SHA512
54dfa171bf1914a627f5cb3f631a00fa4276beced34418c4b4841c1ccd738f5ff5098d53650b0151b42aff255589c91244d79ba79617d9d9bb3b906f59948659

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0afc79ae2b5f5b955195a4405f5b52fc

SHA1
a4d45be7c2f27795f01bc6408fc1754721fa4391

SHA256
91157df7ce0446b4fecb45391e4f0be69f1f6521e4faba9aea2506e0a81c0247

SHA512
3460b3c273f5e4acaeee76b3ca986fef434bb259a9243e77bc3f19d1ebd2937cb3d2fc997a8ab776cfc45bb08ca9ed5ce59327f4009fc13ba91caf234d3e8b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\mihec.exe

Filesize
182KB

MD5
bc6657925ea916dd1b71e0d66a67dc71

SHA1
1da94f6866a55bff89731c2a6dad9180d6095ca1

SHA256
2e5a1ee706e44f670872395c03697715be86105796e707044cfce542dcb7700a

SHA512
c7fb2c82d939615938b35d7b6d4064bbbfbc27aae9d28de7e832d64e98563ca76ebfd407e41cd55111562e274e167ff4f12d06fd95559bf706347732f3fca2df

Download Submit
\Users\Admin\AppData\Local\Temp\aproy.exe

Filesize
392KB

MD5
916df2b6f8b324d0408b239e593c31c0

SHA1
fd9ef6039693b628c426916624f507152fcfd894

SHA256
774b238cb362b79c71a5f63e65d62034be5cd5d1903c7ffb4482af2499e101fd

SHA512
54dfa171bf1914a627f5cb3f631a00fa4276beced34418c4b4841c1ccd738f5ff5098d53650b0151b42aff255589c91244d79ba79617d9d9bb3b906f59948659

Download Submit
\Users\Admin\AppData\Local\Temp\mihec.exe

Filesize
182KB

MD5
bc6657925ea916dd1b71e0d66a67dc71

SHA1
1da94f6866a55bff89731c2a6dad9180d6095ca1

SHA256
2e5a1ee706e44f670872395c03697715be86105796e707044cfce542dcb7700a

SHA512
c7fb2c82d939615938b35d7b6d4064bbbfbc27aae9d28de7e832d64e98563ca76ebfd407e41cd55111562e274e167ff4f12d06fd95559bf706347732f3fca2df

Download Submit
memory/1100-0-0x0000000000A10000-0x0000000000A75000-memory.dmp

Filesize
404KB

Download
memory/1100-6-0x00000000022F0000-0x0000000002355000-memory.dmp

Filesize
404KB

Download
memory/1100-18-0x0000000000A10000-0x0000000000A75000-memory.dmp

Filesize
404KB

Download
memory/2080-27-0x00000000001B0000-0x0000000000215000-memory.dmp

Filesize
404KB

Download
memory/2080-10-0x00000000001B0000-0x0000000000215000-memory.dmp

Filesize
404KB

Download
memory/2080-26-0x0000000003020000-0x00000000030B7000-memory.dmp

Filesize
604KB

Download
memory/2344-30-0x0000000000E10000-0x0000000000EA7000-memory.dmp

Filesize
604KB

Download
memory/2344-32-0x00000000000D0000-0x00000000000D2000-memory.dmp

Filesize
8KB

Download
memory/2344-34-0x0000000000E10000-0x0000000000EA7000-memory.dmp

Filesize
604KB

Download
memory/2344-35-0x0000000000E10000-0x0000000000EA7000-memory.dmp

Filesize
604KB

Download
memory/2344-36-0x0000000000E10000-0x0000000000EA7000-memory.dmp

Filesize
604KB

Download
memory/2344-37-0x0000000000E10000-0x0000000000EA7000-memory.dmp

Filesize
604KB

Download
memory/2344-38-0x0000000000E10000-0x0000000000EA7000-memory.dmp

Filesize
604KB

Download
memory/2344-39-0x0000000000E10000-0x0000000000EA7000-memory.dmp

Filesize
604KB

Download
memory/2344-40-0x0000000000E10000-0x0000000000EA7000-memory.dmp

Filesize
604KB

Download
memory/2344-41-0x0000000000E10000-0x0000000000EA7000-memory.dmp

Filesize
604KB

Download