urelas | aae96674a0b19705dc25eef5837517d6e4eb43d0785b5d6d234d0fb001f1a587

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2128d65eea52936c695b39b8b54303d0.exe
Size

484KB
MD5

2128d65eea52936c695b39b8b54303d0
SHA1

f2afc7542687cd63fef814f699ca1dfe356c9389
SHA256

aae96674a0b19705dc25eef5837517d6e4eb43d0785b5d6d234d0fb001f1a587
SHA512

5071ec98ad8a24c78829e67c3eedeb38ccfcc317d2141443af616525050391622e437ea0ba683d1a34ffa33a263d1a01f19119d77e762ad21b3bbce46b6380cf
SSDEEP

6144:KxBWeMRygxDLbHxlSBxzJb1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDq+t5:63MQIDKJPTq+Xxvo0U+d3s/fCX0a5

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1676	wimoj.exe
2528	igbem.exe

Loads dropped DLL 2 IoCs

pid	Process
2600	NEAS.2128d65eea52936c695b39b8b54303d0.exe
1676	wimoj.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2600-0-0x0000000000B30000-0x0000000000BD7000-memory.dmp	upx
behavioral1/files/0x002c000000015cb4-4.dat	upx
behavioral1/memory/2600-6-0x0000000002960000-0x0000000002A07000-memory.dmp	upx
behavioral1/files/0x002c000000015cb4-9.dat	upx
behavioral1/memory/2600-17-0x0000000000B30000-0x0000000000BD7000-memory.dmp	upx
behavioral1/memory/1676-20-0x0000000000860000-0x0000000000907000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-23.dat	upx
behavioral1/memory/1676-28-0x0000000000860000-0x0000000000907000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-27.dat	upx
behavioral1/memory/1676-25-0x0000000002E40000-0x0000000002EFA000-memory.dmp	upx
behavioral1/memory/2528-29-0x0000000001120000-0x00000000011DA000-memory.dmp	upx
behavioral1/memory/2528-30-0x0000000001120000-0x00000000011DA000-memory.dmp	upx
behavioral1/memory/2528-31-0x0000000001120000-0x00000000011DA000-memory.dmp	upx
behavioral1/memory/2528-32-0x0000000001120000-0x00000000011DA000-memory.dmp	upx
behavioral1/memory/2528-33-0x0000000001120000-0x00000000011DA000-memory.dmp	upx
behavioral1/memory/2528-34-0x0000000001120000-0x00000000011DA000-memory.dmp	upx
behavioral1/memory/2528-35-0x0000000001120000-0x00000000011DA000-memory.dmp	upx
behavioral1/memory/2528-36-0x0000000001120000-0x00000000011DA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2600	NEAS.2128d65eea52936c695b39b8b54303d0.exe
1676	wimoj.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe
2528	igbem.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1676	2600	NEAS.2128d65eea52936c695b39b8b54303d0.exe	28
PID 2600 wrote to memory of 1676	2600	NEAS.2128d65eea52936c695b39b8b54303d0.exe	28
PID 2600 wrote to memory of 1676	2600	NEAS.2128d65eea52936c695b39b8b54303d0.exe	28
PID 2600 wrote to memory of 1676	2600	NEAS.2128d65eea52936c695b39b8b54303d0.exe	28
PID 2600 wrote to memory of 2784	2600	NEAS.2128d65eea52936c695b39b8b54303d0.exe	29
PID 2600 wrote to memory of 2784	2600	NEAS.2128d65eea52936c695b39b8b54303d0.exe	29
PID 2600 wrote to memory of 2784	2600	NEAS.2128d65eea52936c695b39b8b54303d0.exe	29
PID 2600 wrote to memory of 2784	2600	NEAS.2128d65eea52936c695b39b8b54303d0.exe	29
PID 1676 wrote to memory of 2528	1676	wimoj.exe	33
PID 1676 wrote to memory of 2528	1676	wimoj.exe	33
PID 1676 wrote to memory of 2528	1676	wimoj.exe	33
PID 1676 wrote to memory of 2528	1676	wimoj.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.2128d65eea52936c695b39b8b54303d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2128d65eea52936c695b39b8b54303d0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\wimoj.exe
  "C:\Users\Admin\AppData\Local\Temp\wimoj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\igbem.exe
    "C:\Users\Admin\AppData\Local\Temp\igbem.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
287B

MD5
085190a83c796ec4ae750fa40f950570

SHA1
9fd834adf35941bcd0b754c7135c95076609cc05

SHA256
26be5329163392f1b37089d7cfcbefc6001ce40458991ee5afc448229b439099

SHA512
83df415427403b0a075c18fb9ec70c6970663e49c7f44df9b58639cf6536e1e95e1b78677431e1f0fd3208aac5634e5c6bf1fe77d6ab604bbca242f23d47edb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
287B

MD5
085190a83c796ec4ae750fa40f950570

SHA1
9fd834adf35941bcd0b754c7135c95076609cc05

SHA256
26be5329163392f1b37089d7cfcbefc6001ce40458991ee5afc448229b439099

SHA512
83df415427403b0a075c18fb9ec70c6970663e49c7f44df9b58639cf6536e1e95e1b78677431e1f0fd3208aac5634e5c6bf1fe77d6ab604bbca242f23d47edb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b4df75d9c681682e50ad8abb10466c0b

SHA1
208591109612cb0727618a4517091721f06f81d3

SHA256
4403e1338c675c8f305ed6b802eea3bfa2833ff2c8f7439b8e9a77d830a3778d

SHA512
1e19168bb4d2ab4e6839e5a5d6fd526889cda902d0addd2ae691e5cd94e75c13cf079bfe2fc26f8e45c72681afa87d1afa51fcbc3a1201b8e1522ec9b7ae58f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\igbem.exe

Filesize
243KB

MD5
2e1972aef7815fb65fb0b1360cc6ae7d

SHA1
1c6512e67be17584bc2e2f5ea09decc7b111c9a8

SHA256
0b98a657509ec15051a2edebaf25cda9abab26e36f88d9a6c1fde770791f9bd6

SHA512
a5f9e45509a924f721a5581ab911bdbbcb21e1c6e53d6b62ec6773e50596dbf68d5f7f7ccb1e23e46a5ca7531418d602a7c1d0f15c91ab9980d8f65793917970

Download Submit
C:\Users\Admin\AppData\Local\Temp\wimoj.exe

Filesize
484KB

MD5
2e9aa81b29d7684d44f91f55b92d5f3c

SHA1
3402350c8db076618bf1871ac89603af2c5d646c

SHA256
c3ad339daab2448f8ea7cb37d3c2f0329f66ab9d3aa17cb7893427254afaa70c

SHA512
9766c712bc92f340dfeff154445eaa9a1309b58e84ad4dd2afa3085cb09bea470de69be4b3c6896ef50d469006bc8542b068e4d73ddd7162d0e7a4b97fbc6cbd

Download Submit
\Users\Admin\AppData\Local\Temp\igbem.exe

Filesize
243KB

MD5
2e1972aef7815fb65fb0b1360cc6ae7d

SHA1
1c6512e67be17584bc2e2f5ea09decc7b111c9a8

SHA256
0b98a657509ec15051a2edebaf25cda9abab26e36f88d9a6c1fde770791f9bd6

SHA512
a5f9e45509a924f721a5581ab911bdbbcb21e1c6e53d6b62ec6773e50596dbf68d5f7f7ccb1e23e46a5ca7531418d602a7c1d0f15c91ab9980d8f65793917970

Download Submit
\Users\Admin\AppData\Local\Temp\wimoj.exe

Filesize
484KB

MD5
2e9aa81b29d7684d44f91f55b92d5f3c

SHA1
3402350c8db076618bf1871ac89603af2c5d646c

SHA256
c3ad339daab2448f8ea7cb37d3c2f0329f66ab9d3aa17cb7893427254afaa70c

SHA512
9766c712bc92f340dfeff154445eaa9a1309b58e84ad4dd2afa3085cb09bea470de69be4b3c6896ef50d469006bc8542b068e4d73ddd7162d0e7a4b97fbc6cbd

Download Submit
memory/1676-28-0x0000000000860000-0x0000000000907000-memory.dmp

Filesize
668KB

Download
memory/1676-25-0x0000000002E40000-0x0000000002EFA000-memory.dmp

Filesize
744KB

Download
memory/1676-20-0x0000000000860000-0x0000000000907000-memory.dmp

Filesize
668KB

Download
memory/2528-31-0x0000000001120000-0x00000000011DA000-memory.dmp

Filesize
744KB

Download
memory/2528-29-0x0000000001120000-0x00000000011DA000-memory.dmp

Filesize
744KB

Download
memory/2528-30-0x0000000001120000-0x00000000011DA000-memory.dmp

Filesize
744KB

Download
memory/2528-32-0x0000000001120000-0x00000000011DA000-memory.dmp

Filesize
744KB

Download
memory/2528-33-0x0000000001120000-0x00000000011DA000-memory.dmp

Filesize
744KB

Download
memory/2528-34-0x0000000001120000-0x00000000011DA000-memory.dmp

Filesize
744KB

Download
memory/2528-35-0x0000000001120000-0x00000000011DA000-memory.dmp

Filesize
744KB

Download
memory/2528-36-0x0000000001120000-0x00000000011DA000-memory.dmp

Filesize
744KB

Download
memory/2600-17-0x0000000000B30000-0x0000000000BD7000-memory.dmp

Filesize
668KB

Download
memory/2600-6-0x0000000002960000-0x0000000002A07000-memory.dmp

Filesize
668KB

Download
memory/2600-0-0x0000000000B30000-0x0000000000BD7000-memory.dmp

Filesize
668KB

Download