Overview

overview

10

Static

static

7

NEAS.783e4...40.exe

windows7-x64

10

NEAS.783e4...40.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    167s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2023, 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.783e4c28de36cd672c234a92645b1340.exe

  • Size

    325KB

  • MD5

    783e4c28de36cd672c234a92645b1340

  • SHA1

    6f023484531b23187bdfe5e88a57372cb06af81f

  • SHA256

    2d17bafb47d75014d4887351d14ba3faeec20155bd5cdf80d3ad5e24d01a476a

  • SHA512

    374452f1ecd15cb8e5fc1918bfe30484a3c7e52c917a39697ad7cc34e4dd569ee8071281e0ea3a867127598f3eaef6559a38f8e0493cbc5bc98b108c113b08d3

  • SSDEEP

    6144:cEo/rmV71+I8ZD/h/vFfhxxQO4B4tqv+Hq/On1NHwBzQ4bed76a3FoSx0lj:cEo/6YnZVB1rkAqcNAzQCed7J1oS6

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.783e4c28de36cd672c234a92645b1340.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.783e4c28de36cd672c234a92645b1340.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Users\Admin\AppData\Local\Temp\inlyd.exe
      "C:\Users\Admin\AppData\Local\Temp\inlyd.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Users\Admin\AppData\Local\Temp\korer.exe
        "C:\Users\Admin\AppData\Local\Temp\korer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    286B

    MD5

    d094d0340b3cd664ed86a7c3c0628d38

    SHA1

    f906079e5244da2977a5635314513d4106302919

    SHA256

    2b20832a11bb268cda15ff829671168e10cb2c7b0b9f5572cab0c9dc92fa7ec9

    SHA512

    9f82cf87542c88c3dd760598ce67a11342b6bead78737ccf7940d3c0d205562bdebb7546fab3ac0967b844387576107f4c7e9aac5ea216298c96926fe83cb184

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    286B

    MD5

    d094d0340b3cd664ed86a7c3c0628d38

    SHA1

    f906079e5244da2977a5635314513d4106302919

    SHA256

    2b20832a11bb268cda15ff829671168e10cb2c7b0b9f5572cab0c9dc92fa7ec9

    SHA512

    9f82cf87542c88c3dd760598ce67a11342b6bead78737ccf7940d3c0d205562bdebb7546fab3ac0967b844387576107f4c7e9aac5ea216298c96926fe83cb184

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    9bed4d5ce6bb7d15296d5d1dafbf658a

    SHA1

    6192fc18b89ebbe38e5cd8b5b844be0556559915

    SHA256

    e5a19537b475e915edf8565846dc603b1734e8e9022d976760c83aedb64daa06

    SHA512

    6ac2c49f9ea8aef49a01150ea3a0e465222c6d8a2aeebfaff1f4a6ccf2d8a75a52c4123ee61d49235a25eea573e1a493670e86203d8b69cb4d170487b0b10104

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\inlyd.exe
    Filesize

    325KB

    MD5

    8252fe11bff9cef57d4d2c3d4cacdea8

    SHA1

    aa75803c05635729efdf264c7407eec1a6cb266d

    SHA256

    7ca7a2d937094f6de97039aa4e5192334b046cae5eeacd70b886910027222a7e

    SHA512

    fe6095b6b4a7df45150c9d1b426869c547300d88d6c144a09bc9f15aa687e76c83f5d6ebf6ba548c3a74de6792c849c6c1965421b35c45524f42863a9da50021

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\inlyd.exe
    Filesize

    325KB

    MD5

    5e874f4934806eca18e30b25d7d226f8

    SHA1

    0a8eb36f46ef41b625e0a8c4d9fe4976197aeaff

    SHA256

    e9c68df2eadbec52ebd8d456970efc583201372a113018d87cb574ec9835dba3

    SHA512

    2f5d5d7a9aa2b1088e5e9242bfeaf7d35ffe2f36ef5d3c6d1656b9530d2280f746d9d480a7a09ee2c2b158009574c9fe511a4b76d9eb9f4fa181de3d9123d547

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\inlyd.exe
    Filesize

    325KB

    MD5

    5e874f4934806eca18e30b25d7d226f8

    SHA1

    0a8eb36f46ef41b625e0a8c4d9fe4976197aeaff

    SHA256

    e9c68df2eadbec52ebd8d456970efc583201372a113018d87cb574ec9835dba3

    SHA512

    2f5d5d7a9aa2b1088e5e9242bfeaf7d35ffe2f36ef5d3c6d1656b9530d2280f746d9d480a7a09ee2c2b158009574c9fe511a4b76d9eb9f4fa181de3d9123d547

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\korer.exe
    Filesize

    241KB

    MD5

    8dcb3c0a319a25fc3f2d5eadf6807c9d

    SHA1

    10f573e4f7fe2f48492336749a65ffab2a6780a4

    SHA256

    c23b44fc20963b92dc8ac423ed5628da7986c7b1459b1f5bc845bb0bba139d0e

    SHA512

    041662ef106706575ff38b19cb0bf43ca9e600a018d64c78739cfa4fc9830dbdb061302ecd8addb558bdc49a042ece935baca437ff7a4444475de2042ef0fd05

    Download Submit

  • \Users\Admin\AppData\Local\Temp\inlyd.exe
    Filesize

    325KB

    MD5

    5e874f4934806eca18e30b25d7d226f8

    SHA1

    0a8eb36f46ef41b625e0a8c4d9fe4976197aeaff

    SHA256

    e9c68df2eadbec52ebd8d456970efc583201372a113018d87cb574ec9835dba3

    SHA512

    2f5d5d7a9aa2b1088e5e9242bfeaf7d35ffe2f36ef5d3c6d1656b9530d2280f746d9d480a7a09ee2c2b158009574c9fe511a4b76d9eb9f4fa181de3d9123d547

    Download Submit

  • \Users\Admin\AppData\Local\Temp\korer.exe
    Filesize

    241KB

    MD5

    8dcb3c0a319a25fc3f2d5eadf6807c9d

    SHA1

    10f573e4f7fe2f48492336749a65ffab2a6780a4

    SHA256

    c23b44fc20963b92dc8ac423ed5628da7986c7b1459b1f5bc845bb0bba139d0e

    SHA512

    041662ef106706575ff38b19cb0bf43ca9e600a018d64c78739cfa4fc9830dbdb061302ecd8addb558bdc49a042ece935baca437ff7a4444475de2042ef0fd05

    Download Submit

  • memory/2144-17-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2144-0-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2180-39-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2180-42-0x0000000000A40000-0x0000000000AF6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/2180-43-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2180-44-0x0000000000A40000-0x0000000000AF6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/3048-34-0x00000000032D0000-0x0000000003386000-memory.dmp

    Filesize

    728KB

    Download

  • memory/3048-22-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/3048-37-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/3048-20-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/3048-9-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download