Overview

overview

10

Static

static

10

NEAS.de7ba...JC.exe

windows7-x64

10

NEAS.de7ba...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2023 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.de7bacc28ca752676e4fc165f4a5cf72_JC.exe

  • Size

    486KB

  • MD5

    de7bacc28ca752676e4fc165f4a5cf72

  • SHA1

    6f2ab2ee931ba30ddaaa3d784f7fa36a40b1650c

  • SHA256

    cdaf1701e26119bf1682b060842bfd5b8fa42a9d97aac0c42b8059365007ddc5

  • SHA512

    f0c1b0a5a974f4142409ca45f5c8234094dbab5eebbe9c1e6d70b84a5d5b8758d7cafc4f5b9ae2095300c86d24b5f03774dbd16895b2fe43ad610a139f9774c6

  • SSDEEP

    12288:30HPhglq2Uyt4R/7AR76o/RBpL133AdxF7t:30v/k4lkQ+RBphmxL

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.de7bacc28ca752676e4fc165f4a5cf72_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.de7bacc28ca752676e4fc165f4a5cf72_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\futyv.exe
      "C:\Users\Admin\AppData\Local\Temp\futyv.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4740
      • C:\Users\Admin\AppData\Local\Temp\sivof.exe
        "C:\Users\Admin\AppData\Local\Temp\sivof.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:3356

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
      Filesize

      292B

      MD5

      2edf8fc4a97aadb2d9feb00b9e321bfd

      SHA1

      ec96467be33adc9ae372cfa8e613ecb9d181dfe0

      SHA256

      d72cf13affe228b35af9eb5405fba6e95eb597208cf1c6b0ee7e5e60a44acb0f

      SHA512

      3e2f2421ec25f5be770a1622588346d486185e537939577758cc542f9db2dba332fb3eab2ccbbc33753751be280abf0e84ae992311a9c22a84bc047a8e8cff14

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\futyv.exe
      Filesize

      486KB

      MD5

      e164b696cd292e4c522acc47607c511a

      SHA1

      a53e57bcef971e5935fa10a8e95aa1597091f8a6

      SHA256

      ebcbd7ded7c29d4f5db48bc94e76fce7c948e08c3d9d41e5fbc03363041e7cd5

      SHA512

      3e064151eba454cb762a6fce5be2901ecb490a5bc1d37d76f21df507a3aeed94b341d0336948c79b52c03df972a753036b85ceb1cb20dc3ce8d09e34745afb64

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\futyv.exe
      Filesize

      486KB

      MD5

      e164b696cd292e4c522acc47607c511a

      SHA1

      a53e57bcef971e5935fa10a8e95aa1597091f8a6

      SHA256

      ebcbd7ded7c29d4f5db48bc94e76fce7c948e08c3d9d41e5fbc03363041e7cd5

      SHA512

      3e064151eba454cb762a6fce5be2901ecb490a5bc1d37d76f21df507a3aeed94b341d0336948c79b52c03df972a753036b85ceb1cb20dc3ce8d09e34745afb64

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\futyv.exe
      Filesize

      486KB

      MD5

      e164b696cd292e4c522acc47607c511a

      SHA1

      a53e57bcef971e5935fa10a8e95aa1597091f8a6

      SHA256

      ebcbd7ded7c29d4f5db48bc94e76fce7c948e08c3d9d41e5fbc03363041e7cd5

      SHA512

      3e064151eba454cb762a6fce5be2901ecb490a5bc1d37d76f21df507a3aeed94b341d0336948c79b52c03df972a753036b85ceb1cb20dc3ce8d09e34745afb64

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      cea9d0004d790b55a5c799db35d618f4

      SHA1

      650c9ff8fcc61ce81572256fc8007c320bd59ce1

      SHA256

      f57a01019b6a388b8d45cf77d0637607ec06e6d94b4640c2480fc881ae7cd842

      SHA512

      8cc350624f170078cf1b6cb9e819da6d862b61ce2565bd5e6bfa55838fdf666337cd7e4c4539f8751d6b5634442c55d185a16e6b66bb872e800c4d5157dfdc0c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sivof.exe
      Filesize

      178KB

      MD5

      e9026a159e2dc4ad94f1e0d5c876b6b3

      SHA1

      bafcf155cb8e28e389ed1442fa4fb246d3610d22

      SHA256

      7239ddbace1d4253a28c0154ec35c3728591399a32b28c1d080912188741131d

      SHA512

      f0654f27d19689376ec584d8d2b0db8743ded100cb29e6835ea8399aee5d33c0ba62181d69f66aaa7a0ad740e62fde762e468364fdd6b0abdb802d9501e39208

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sivof.exe
      Filesize

      178KB

      MD5

      e9026a159e2dc4ad94f1e0d5c876b6b3

      SHA1

      bafcf155cb8e28e389ed1442fa4fb246d3610d22

      SHA256

      7239ddbace1d4253a28c0154ec35c3728591399a32b28c1d080912188741131d

      SHA512

      f0654f27d19689376ec584d8d2b0db8743ded100cb29e6835ea8399aee5d33c0ba62181d69f66aaa7a0ad740e62fde762e468364fdd6b0abdb802d9501e39208

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sivof.exe
      Filesize

      178KB

      MD5

      e9026a159e2dc4ad94f1e0d5c876b6b3

      SHA1

      bafcf155cb8e28e389ed1442fa4fb246d3610d22

      SHA256

      7239ddbace1d4253a28c0154ec35c3728591399a32b28c1d080912188741131d

      SHA512

      f0654f27d19689376ec584d8d2b0db8743ded100cb29e6835ea8399aee5d33c0ba62181d69f66aaa7a0ad740e62fde762e468364fdd6b0abdb802d9501e39208

      Download Submit

    • memory/1972-29-0x0000000000950000-0x0000000000952000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1972-26-0x00000000001E0000-0x000000000027F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/1972-28-0x00000000001E0000-0x000000000027F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/1972-33-0x00000000001E0000-0x000000000027F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/1972-34-0x00000000001E0000-0x000000000027F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/1972-35-0x00000000001E0000-0x000000000027F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/1972-36-0x00000000001E0000-0x000000000027F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/1972-37-0x00000000001E0000-0x000000000027F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/2924-14-0x0000000000230000-0x00000000002B1000-memory.dmp

      Filesize

      516KB

      Download

    • memory/2924-0-0x0000000000230000-0x00000000002B1000-memory.dmp

      Filesize

      516KB

      Download

    • memory/4740-17-0x0000000000180000-0x0000000000201000-memory.dmp

      Filesize

      516KB

      Download

    • memory/4740-11-0x0000000000180000-0x0000000000201000-memory.dmp

      Filesize

      516KB

      Download

    • memory/4740-27-0x0000000000180000-0x0000000000201000-memory.dmp

      Filesize

      516KB

      Download