Overview

overview

10

Static

static

10

NEAS.5a28d...e0.exe

windows7-x64

10

NEAS.5a28d...e0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    13/10/2023, 20:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.5a28d6f64a40b3e80bdcff39b67df1e0.exe

  • Size

    463KB

  • MD5

    5a28d6f64a40b3e80bdcff39b67df1e0

  • SHA1

    524773a06f6c2a3325ec4e1ca72de2abb44d243d

  • SHA256

    3d1ffb6aeb7a9c23af7ef97afb41c8cddca766e535b2301286c2c4ce4050b1bf

  • SHA512

    7ac0c9d3178259ace1bc7619f9278af2fee1eb3ff3cb7f0943426174afa07e5e754fa9684dbdf3b29b8686ca531809333e0243c19f640c9be98289ba2c62925f

  • SSDEEP

    6144:P8Eoe/IebBVMweZGhHdJBV70FVKLbfW2x8VyMsmD6gzOmjpi+pMJQ8uUm9unpmh:vDdUGhHdJ370FVKmP0Ml+gzzjp+lsu8

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5a28d6f64a40b3e80bdcff39b67df1e0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5a28d6f64a40b3e80bdcff39b67df1e0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      "C:\Users\Admin\AppData\Local\Temp\sander.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
        "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
      2⤵
      • Deletes itself
      PID:2140

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
          Filesize

          287B

          MD5

          b9832515e4af88cb3ad8fd62749168cc

          SHA1

          6e4450bdfa74e24190c24b377d142806e2c6c03e

          SHA256

          973bdccc6ead6d82f3581dfcc0d47128b58c13ddac4439efd8b23587402b22d5

          SHA512

          67270cab451a0f406a24642ad45effbdbf1b4fbd87d91b900425bbc20c4b5dbdeb0d84103bfe96a474e9432d5672ce244c82dbd1068cdd3d6f8ac89c4b1f7ca3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
          Filesize

          287B

          MD5

          b9832515e4af88cb3ad8fd62749168cc

          SHA1

          6e4450bdfa74e24190c24b377d142806e2c6c03e

          SHA256

          973bdccc6ead6d82f3581dfcc0d47128b58c13ddac4439efd8b23587402b22d5

          SHA512

          67270cab451a0f406a24642ad45effbdbf1b4fbd87d91b900425bbc20c4b5dbdeb0d84103bfe96a474e9432d5672ce244c82dbd1068cdd3d6f8ac89c4b1f7ca3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
          Filesize

          221KB

          MD5

          c4db3c52a70aad97642f77bb883d51e1

          SHA1

          32d140273f436d6f5f82cb7d7ae30a9465aa26f3

          SHA256

          f7ef8cd79c13dcaf786f105fffd2860fa8be3bdc89e4d365fc16578e97c5e481

          SHA512

          0fafc2bb62f087aaa0d4e2bf2658c167c7d987a3ff7d7eeea32997c9dbf8dc03af0b06318b6fe83588e90a822df671021f1a3b7708a95675d99bd7a3e10f2c2d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
          Filesize

          512B

          MD5

          04113afab96ff36e7da4cabf336079cf

          SHA1

          2ab6a01f123c1ef4227cb134612749b67a237bf6

          SHA256

          8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

          SHA512

          68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\sander.exe
          Filesize

          463KB

          MD5

          10c9b2a6b9f090ac0c7076ab59d292bc

          SHA1

          d1528ead227b123221757280e3931f471db554e9

          SHA256

          d134a577d57c0bcd9e6cd83d7c9b2cc9635b05ec6721cb1d4e3ae284ac41593d

          SHA512

          b8b465a07fa19a98c8a7c03f359ad699253e4cb7ffa820735933727920c0324632a2b04f048b1f4588cf97040419cd7d0435ed4841a225d5192b2632a7b18637

          Download Submit

        • \Users\Admin\AppData\Local\Temp\ctfmom.exe
          Filesize

          221KB

          MD5

          c4db3c52a70aad97642f77bb883d51e1

          SHA1

          32d140273f436d6f5f82cb7d7ae30a9465aa26f3

          SHA256

          f7ef8cd79c13dcaf786f105fffd2860fa8be3bdc89e4d365fc16578e97c5e481

          SHA512

          0fafc2bb62f087aaa0d4e2bf2658c167c7d987a3ff7d7eeea32997c9dbf8dc03af0b06318b6fe83588e90a822df671021f1a3b7708a95675d99bd7a3e10f2c2d

          Download Submit

        • \Users\Admin\AppData\Local\Temp\sander.exe
          Filesize

          463KB

          MD5

          10c9b2a6b9f090ac0c7076ab59d292bc

          SHA1

          d1528ead227b123221757280e3931f471db554e9

          SHA256

          d134a577d57c0bcd9e6cd83d7c9b2cc9635b05ec6721cb1d4e3ae284ac41593d

          SHA512

          b8b465a07fa19a98c8a7c03f359ad699253e4cb7ffa820735933727920c0324632a2b04f048b1f4588cf97040419cd7d0435ed4841a225d5192b2632a7b18637

          Download Submit

        • memory/2116-17-0x0000000001360000-0x00000000013E2000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2116-0-0x0000000001360000-0x00000000013E2000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2116-7-0x0000000000D90000-0x0000000000E12000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2408-26-0x0000000003A00000-0x0000000003AA1000-memory.dmp

          Filesize

          644KB

          Download

        • memory/2408-20-0x0000000000EF0000-0x0000000000F72000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2408-27-0x0000000000EF0000-0x0000000000F72000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2756-30-0x00000000010B0000-0x0000000001151000-memory.dmp

          Filesize

          644KB

          Download

        • memory/2756-29-0x00000000010B0000-0x0000000001151000-memory.dmp

          Filesize

          644KB

          Download

        • memory/2756-31-0x00000000000F0000-0x00000000000F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2756-34-0x00000000010B0000-0x0000000001151000-memory.dmp

          Filesize

          644KB

          Download

        • memory/2756-35-0x00000000010B0000-0x0000000001151000-memory.dmp

          Filesize

          644KB

          Download

        • memory/2756-36-0x00000000010B0000-0x0000000001151000-memory.dmp

          Filesize

          644KB

          Download

        • memory/2756-37-0x00000000010B0000-0x0000000001151000-memory.dmp

          Filesize

          644KB

          Download

        • memory/2756-38-0x00000000010B0000-0x0000000001151000-memory.dmp

          Filesize

          644KB

          Download

        • memory/2756-39-0x00000000010B0000-0x0000000001151000-memory.dmp

          Filesize

          644KB

          Download

        • memory/2756-40-0x00000000010B0000-0x0000000001151000-memory.dmp

          Filesize

          644KB

          Download