urelas | f27fe47674baa074682184abacef5581279610f58efb35d7a4042856bfda759c

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe
Size

320KB
MD5

052b72b2430cc11ea5808fabca8057a0
SHA1

9d25e7396c093b783647c15cd5ae9d0402499e76
SHA256

f27fe47674baa074682184abacef5581279610f58efb35d7a4042856bfda759c
SHA512

a16ba1261430aaad705594f2670ea9ed14a4946376fc69bb11185043116bff96bb5cb08f86f43d7e4cdafeb12a137237a47dc8c37cebc34b6a99056321bc3b75
SSDEEP

6144:sY4zSop9m06QbGTCnTRoOIH3FPA7AthtLpp:PkXpd6jqiOIHZAA

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
3008	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1532	feezt.exe
1704	ecnony.exe
2108	xuudx.exe

Loads dropped DLL 3 IoCs

pid	Process
2232	NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe
1532	feezt.exe
1704	ecnony.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe
2108	xuudx.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1532	2232	NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe	28
PID 2232 wrote to memory of 1532	2232	NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe	28
PID 2232 wrote to memory of 1532	2232	NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe	28
PID 2232 wrote to memory of 1532	2232	NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe	28
PID 2232 wrote to memory of 3008	2232	NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe	30
PID 2232 wrote to memory of 3008	2232	NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe	30
PID 2232 wrote to memory of 3008	2232	NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe	30
PID 2232 wrote to memory of 3008	2232	NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe	30
PID 1532 wrote to memory of 1704	1532	feezt.exe	31
PID 1532 wrote to memory of 1704	1532	feezt.exe	31
PID 1532 wrote to memory of 1704	1532	feezt.exe	31
PID 1532 wrote to memory of 1704	1532	feezt.exe	31
PID 1704 wrote to memory of 2108	1704	ecnony.exe	36
PID 1704 wrote to memory of 2108	1704	ecnony.exe	36
PID 1704 wrote to memory of 2108	1704	ecnony.exe	36
PID 1704 wrote to memory of 2108	1704	ecnony.exe	36
PID 1704 wrote to memory of 564	1704	ecnony.exe	34
PID 1704 wrote to memory of 564	1704	ecnony.exe	34
PID 1704 wrote to memory of 564	1704	ecnony.exe	34
PID 1704 wrote to memory of 564	1704	ecnony.exe	34

C:\Users\Admin\AppData\Local\Temp\NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.052b72b2430cc11ea5808fabca8057a0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\feezt.exe
  "C:\Users\Admin\AppData\Local\Temp\feezt.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\ecnony.exe
    "C:\Users\Admin\AppData\Local\Temp\ecnony.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:564
  - - C:\Users\Admin\AppData\Local\Temp\xuudx.exe
      "C:\Users\Admin\AppData\Local\Temp\xuudx.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
a16ec5e804e37c0193883f87c71a2490

SHA1
353f9d01168eca28e9817faead14c9d9f39a9b30

SHA256
5f744f9dd70f906e0d9f78182c3d522c26cf73974f285b1fae072f20b8241efd

SHA512
351442ffda53fae9c827ac3accc3ecf99fed11b875a6634abfcb9a96e7f9688b601bb5a399b7523aa7d67b81350254c66f352d07536cd3db43ec35a7fd61f305

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
a16ec5e804e37c0193883f87c71a2490

SHA1
353f9d01168eca28e9817faead14c9d9f39a9b30

SHA256
5f744f9dd70f906e0d9f78182c3d522c26cf73974f285b1fae072f20b8241efd

SHA512
351442ffda53fae9c827ac3accc3ecf99fed11b875a6634abfcb9a96e7f9688b601bb5a399b7523aa7d67b81350254c66f352d07536cd3db43ec35a7fd61f305

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
5c6387681a6dfc16fb1037295561e301

SHA1
9afa6333feb4a0aa0dce9ef214e45e3904246c89

SHA256
57143106b75c1fcf206336ab18297323ed4ee81284b889a38713c0d5dbbc2217

SHA512
a26d3c2966d80cf5349a57c96d0c65141512ff63b16680bb0f780cd96f266a555583ce5db63bc8fcff64c89772a85619c36ae524f89fe78da51983da8d6a2e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
5c6387681a6dfc16fb1037295561e301

SHA1
9afa6333feb4a0aa0dce9ef214e45e3904246c89

SHA256
57143106b75c1fcf206336ab18297323ed4ee81284b889a38713c0d5dbbc2217

SHA512
a26d3c2966d80cf5349a57c96d0c65141512ff63b16680bb0f780cd96f266a555583ce5db63bc8fcff64c89772a85619c36ae524f89fe78da51983da8d6a2e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecnony.exe

Filesize
320KB

MD5
4fb1c3279f0bc62f724fcabdebba6d50

SHA1
0110c1608ec7a246bcab32d9252f7771e65caac9

SHA256
81d217358b6d528ed66c6263bbf690f0bad740a418571dd632f03fbce19fc91e

SHA512
2fb11a1db5d1051298f8faee6ffbf36e46cb9e03f3a8191590589b16294bf21d09866ef0924279f86f7244328bcfc051eb19a15c32c94dc7f6001b0e9c327c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecnony.exe

Filesize
320KB

MD5
4fb1c3279f0bc62f724fcabdebba6d50

SHA1
0110c1608ec7a246bcab32d9252f7771e65caac9

SHA256
81d217358b6d528ed66c6263bbf690f0bad740a418571dd632f03fbce19fc91e

SHA512
2fb11a1db5d1051298f8faee6ffbf36e46cb9e03f3a8191590589b16294bf21d09866ef0924279f86f7244328bcfc051eb19a15c32c94dc7f6001b0e9c327c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecnony.exe

Filesize
320KB

MD5
4fb1c3279f0bc62f724fcabdebba6d50

SHA1
0110c1608ec7a246bcab32d9252f7771e65caac9

SHA256
81d217358b6d528ed66c6263bbf690f0bad740a418571dd632f03fbce19fc91e

SHA512
2fb11a1db5d1051298f8faee6ffbf36e46cb9e03f3a8191590589b16294bf21d09866ef0924279f86f7244328bcfc051eb19a15c32c94dc7f6001b0e9c327c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\feezt.exe

Filesize
320KB

MD5
6fb0062821e024d271a7d9ca8b3ba272

SHA1
11b380de59c9eae5c770b1b1141af3b9d9687244

SHA256
92c275f01b8d390821792ba4f45c31f735ca8fe2ffd8f7cb7357789fd5a3d4cc

SHA512
2419b88ca8af23a6e16e824a660f19f56f16be6af6d346826a453748c996907bac466b9b0a3c552114432138f75253b57015e1b5f05ca29d754f167aec925add

Download Submit
C:\Users\Admin\AppData\Local\Temp\feezt.exe

Filesize
320KB

MD5
6fb0062821e024d271a7d9ca8b3ba272

SHA1
11b380de59c9eae5c770b1b1141af3b9d9687244

SHA256
92c275f01b8d390821792ba4f45c31f735ca8fe2ffd8f7cb7357789fd5a3d4cc

SHA512
2419b88ca8af23a6e16e824a660f19f56f16be6af6d346826a453748c996907bac466b9b0a3c552114432138f75253b57015e1b5f05ca29d754f167aec925add

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
399b2ff2279b1d7348ce439e6587ba17

SHA1
cee3d3744e61bbfa9b85b85c48f3fdd7aa5506d6

SHA256
4760baadc63da2d5f1f77f361f4a913df43ce957303caf85ef9f00b6b6257421

SHA512
44c19e944cc0ea40f7d80abb340b80201e3010241e950e5b45897644624fd523f419436eb8a69cc7a529c5c6f39ad4eef52a6b2baed1e52fa714eafd2b20aa52

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuudx.exe

Filesize
223KB

MD5
b20f106c93f78a901aa8336ff79b3461

SHA1
e68b4ef935a77996745163f5170a9f37e27ef3b7

SHA256
1f9c6c0b4a08055792ab559a7bdccd157bc24cb63821569edc1fe706a6b5e02a

SHA512
886eea806725f105efb83e780a0b191f90bb175097b17be952b132699ef39c01dd4144321f3ecca12b06f2d9fc50501f03fd4a68572b0b850164437bb02d8389

Download Submit
\Users\Admin\AppData\Local\Temp\ecnony.exe

Filesize
320KB

MD5
4fb1c3279f0bc62f724fcabdebba6d50

SHA1
0110c1608ec7a246bcab32d9252f7771e65caac9

SHA256
81d217358b6d528ed66c6263bbf690f0bad740a418571dd632f03fbce19fc91e

SHA512
2fb11a1db5d1051298f8faee6ffbf36e46cb9e03f3a8191590589b16294bf21d09866ef0924279f86f7244328bcfc051eb19a15c32c94dc7f6001b0e9c327c74

Download Submit
\Users\Admin\AppData\Local\Temp\feezt.exe

Filesize
320KB

MD5
6fb0062821e024d271a7d9ca8b3ba272

SHA1
11b380de59c9eae5c770b1b1141af3b9d9687244

SHA256
92c275f01b8d390821792ba4f45c31f735ca8fe2ffd8f7cb7357789fd5a3d4cc

SHA512
2419b88ca8af23a6e16e824a660f19f56f16be6af6d346826a453748c996907bac466b9b0a3c552114432138f75253b57015e1b5f05ca29d754f167aec925add

Download Submit
\Users\Admin\AppData\Local\Temp\xuudx.exe

Filesize
223KB

MD5
b20f106c93f78a901aa8336ff79b3461

SHA1
e68b4ef935a77996745163f5170a9f37e27ef3b7

SHA256
1f9c6c0b4a08055792ab559a7bdccd157bc24cb63821569edc1fe706a6b5e02a

SHA512
886eea806725f105efb83e780a0b191f90bb175097b17be952b132699ef39c01dd4144321f3ecca12b06f2d9fc50501f03fd4a68572b0b850164437bb02d8389

Download Submit
memory/1532-33-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1532-22-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/1532-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1704-54-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1704-53-0x0000000003600000-0x00000000036A0000-memory.dmp

Filesize
640KB

Download
memory/1704-35-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1704-36-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1704-37-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2108-59-0x0000000000BE0000-0x0000000000C80000-memory.dmp

Filesize
640KB

Download
memory/2108-55-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2108-56-0x0000000000BE0000-0x0000000000C80000-memory.dmp

Filesize
640KB

Download
memory/2108-60-0x0000000000BE0000-0x0000000000C80000-memory.dmp

Filesize
640KB

Download
memory/2108-61-0x0000000000BE0000-0x0000000000C80000-memory.dmp

Filesize
640KB

Download
memory/2108-62-0x0000000000BE0000-0x0000000000C80000-memory.dmp

Filesize
640KB

Download
memory/2108-63-0x0000000000BE0000-0x0000000000C80000-memory.dmp

Filesize
640KB

Download
memory/2232-4-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2232-1-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2232-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2232-21-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2232-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2232-9-0x00000000024F0000-0x000000000255F000-memory.dmp

Filesize
444KB

Download