urelas | 58857cb848530b79dadd1f232d9038f95d4a6eacc5c87360db3670f61139f3b9

Analysis

max time kernel
164s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a8c0b75796e5a97a2a15e869281ba5e0.exe
Size

439KB
MD5

a8c0b75796e5a97a2a15e869281ba5e0
SHA1

dd9c4e9e546c06a5be4b0cf3716f64732977a3e0
SHA256

58857cb848530b79dadd1f232d9038f95d4a6eacc5c87360db3670f61139f3b9
SHA512

0945107755fbc13b1f8a1d2938a555bb6bab69b6f97b973487a29e5456f0d9b8a0a37e495215096f1d9f2ee4164502b019bf55997f005c5a4409b0fe51fd5020
SSDEEP

6144:09XG4oXs663ypJL9fWlmGy3AiWd3tWlRjiJEZ8yJt0TfC29qhs:0MPs663ypJ5WLy3pWd3tWDea5t0TfHz

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.a8c0b75796e5a97a2a15e869281ba5e0.exe

Executes dropped EXE 1 IoCs

pid	Process
4316	jives.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4472-0-0x0000000000040000-0x00000000000B1000-memory.dmp	upx
behavioral2/files/0x00060000000230ac-6.dat	upx
behavioral2/files/0x00060000000230ac-8.dat	upx
behavioral2/memory/4316-9-0x00000000002F0000-0x0000000000361000-memory.dmp	upx
behavioral2/files/0x00060000000230ac-10.dat	upx
behavioral2/memory/4472-14-0x0000000000040000-0x00000000000B1000-memory.dmp	upx
behavioral2/memory/4316-17-0x00000000002F0000-0x0000000000361000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4316	4472	NEAS.a8c0b75796e5a97a2a15e869281ba5e0.exe	92
PID 4472 wrote to memory of 4316	4472	NEAS.a8c0b75796e5a97a2a15e869281ba5e0.exe	92
PID 4472 wrote to memory of 4316	4472	NEAS.a8c0b75796e5a97a2a15e869281ba5e0.exe	92
PID 4472 wrote to memory of 4004	4472	NEAS.a8c0b75796e5a97a2a15e869281ba5e0.exe	93
PID 4472 wrote to memory of 4004	4472	NEAS.a8c0b75796e5a97a2a15e869281ba5e0.exe	93
PID 4472 wrote to memory of 4004	4472	NEAS.a8c0b75796e5a97a2a15e869281ba5e0.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.a8c0b75796e5a97a2a15e869281ba5e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a8c0b75796e5a97a2a15e869281ba5e0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Local\Temp\jives.exe
  "C:\Users\Admin\AppData\Local\Temp\jives.exe"
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
e71f8ce501432f35ab27012ac54d3fb1

SHA1
cf3ece9091a2a956e008519cab8360febdb5d068

SHA256
349be7d4a2ab56d407d9feb10461d865e383902fd62c92221eb200d31738ae45

SHA512
7562efc5696b5c177e9b4b007c976414dba6a2f12106a972c1fde028444b8b2c08b3e901b47fd07cdf935b6208fe4e0b094c2fa7c5a4a54096b2b7baf594c594

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ac2b14e3056758fc1f82cb8e451cace9

SHA1
778cfd0f339ab6f48dfc6df0ea8e0dca122dbde8

SHA256
51e10076909c5fb053fffdbcb6edc0849840bdf4b7807af75fd8ea439d7748a5

SHA512
48b3889167ed2ba6b9f5b9acbe2028054fb43ffe560f9a38b5988eef5c2091057b360e7ebe0c53f7f245bb861061e2a8c12ff24f709003995bdc4e9fc92e377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jives.exe

Filesize
439KB

MD5
81c4d29f2033390359ae92eb8e88b1e2

SHA1
1cbd577fe32d27b54c267568693429a890fda998

SHA256
47424a82e170fbdf0811cec3f2e36cd6407fa56dcc5c711f58db3e24ba750d49

SHA512
aee9e099919900c68b99bfe25a75ba9de2a0c12b9550070e4bb65192d6aa8191a12f40bad8f3291d0059b8b7b0e08d92437ac6793737cf80c9b00449d79919a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jives.exe

Filesize
439KB

MD5
81c4d29f2033390359ae92eb8e88b1e2

SHA1
1cbd577fe32d27b54c267568693429a890fda998

SHA256
47424a82e170fbdf0811cec3f2e36cd6407fa56dcc5c711f58db3e24ba750d49

SHA512
aee9e099919900c68b99bfe25a75ba9de2a0c12b9550070e4bb65192d6aa8191a12f40bad8f3291d0059b8b7b0e08d92437ac6793737cf80c9b00449d79919a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jives.exe

Filesize
439KB

MD5
81c4d29f2033390359ae92eb8e88b1e2

SHA1
1cbd577fe32d27b54c267568693429a890fda998

SHA256
47424a82e170fbdf0811cec3f2e36cd6407fa56dcc5c711f58db3e24ba750d49

SHA512
aee9e099919900c68b99bfe25a75ba9de2a0c12b9550070e4bb65192d6aa8191a12f40bad8f3291d0059b8b7b0e08d92437ac6793737cf80c9b00449d79919a4

Download Submit
memory/4316-9-0x00000000002F0000-0x0000000000361000-memory.dmp

Filesize
452KB

Download
memory/4316-17-0x00000000002F0000-0x0000000000361000-memory.dmp

Filesize
452KB

Download
memory/4472-0-0x0000000000040000-0x00000000000B1000-memory.dmp

Filesize
452KB

Download
memory/4472-14-0x0000000000040000-0x00000000000B1000-memory.dmp

Filesize
452KB

Download