urelas | 9fdd8257e221b382c325d1458cd560eb8cdbdce8f8b99ab83223b0a3bc850dbf

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 14:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe
Size

197KB
MD5

e0afc8c68348bb4437f76fd65224a9ff
SHA1

b532486f6e6044ebce46a67769c0cba5d767f1bc
SHA256

9fdd8257e221b382c325d1458cd560eb8cdbdce8f8b99ab83223b0a3bc850dbf
SHA512

8d25cf60c9ead5fddcf05f88c1162ea379225a0782ccb361fcba38eff0eb47382c94f21bd8effe1b3ea5ff7ab805abff0176da5a1a2265da2e3aac4a9e9f0787
SSDEEP

3072:gAwixCZ6Sh77R2Gpf606U8v0e7OIgPDFIbbzhPM67fIhgL4SY:gExhk7rh7NEOIYWlPM6r6WY

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2824	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2500	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2284	NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2500	2284	NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe	28
PID 2284 wrote to memory of 2500	2284	NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe	28
PID 2284 wrote to memory of 2500	2284	NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe	28
PID 2284 wrote to memory of 2500	2284	NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe	28
PID 2284 wrote to memory of 2824	2284	NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe	29
PID 2284 wrote to memory of 2824	2284	NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe	29
PID 2284 wrote to memory of 2824	2284	NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe	29
PID 2284 wrote to memory of 2824	2284	NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASe0afc8c68348bb4437f76fd65224a9ffexe_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
197KB

MD5
073d656d06df79cb818966a9735302ee

SHA1
3f8a477256ba364a7ddbba9344bc42d1c6f3ba8c

SHA256
254d68d5a2097714b80b24fedc04f5eea4a6abb49971507326f037174a5d687f

SHA512
c785eab225cc91969d74e60cd0af7800a9a74a90f233402283fa59e2cac357b3a8396680ea7a58a141be5f79633c986ddf4047215e34e3134f0ea61db09037bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2776cde4761cefd1198f4712989957b1

SHA1
c801245a080524e704e8e3da95700e58e9d1ca3c

SHA256
69ca5964abf7f1c054541bcc32f2712d3fa51342913affed5023825e3dca521f

SHA512
bdc242f5c69d10cbfa903bbf20448a9e93213ee303091f1ae9ff8d29c83250168491d9b553841f8ed9b756aef29c499eea3562ff9f94b5619012eb21d5d88c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
304B

MD5
ed6a8de7d60e0f26e2ac21b75813cb7d

SHA1
82e46c440b45a1c37cad3865b4d73dc453c17c48

SHA256
3affa105ce4a9b1cfdc2a7e906d588b28ee95e4476cbe380a9358cdcf9b51124

SHA512
d439b937604a4d5e95bcefc273bb594ef2fa2bb63f46a95a8b5a0c59a83eeaea5305d3e3c077d16a592be629b172cc414970864143c8f34bcac34dfb73d44ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
304B

MD5
ed6a8de7d60e0f26e2ac21b75813cb7d

SHA1
82e46c440b45a1c37cad3865b4d73dc453c17c48

SHA256
3affa105ce4a9b1cfdc2a7e906d588b28ee95e4476cbe380a9358cdcf9b51124

SHA512
d439b937604a4d5e95bcefc273bb594ef2fa2bb63f46a95a8b5a0c59a83eeaea5305d3e3c077d16a592be629b172cc414970864143c8f34bcac34dfb73d44ea7

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
197KB

MD5
073d656d06df79cb818966a9735302ee

SHA1
3f8a477256ba364a7ddbba9344bc42d1c6f3ba8c

SHA256
254d68d5a2097714b80b24fedc04f5eea4a6abb49971507326f037174a5d687f

SHA512
c785eab225cc91969d74e60cd0af7800a9a74a90f233402283fa59e2cac357b3a8396680ea7a58a141be5f79633c986ddf4047215e34e3134f0ea61db09037bf

Download Submit
memory/2284-0-0x00000000008A0000-0x00000000008D4000-memory.dmp

Filesize
208KB

Download
memory/2284-17-0x00000000008A0000-0x00000000008D4000-memory.dmp

Filesize
208KB

Download
memory/2284-6-0x0000000000960000-0x0000000000994000-memory.dmp

Filesize
208KB

Download
memory/2500-18-0x0000000000960000-0x0000000000994000-memory.dmp

Filesize
208KB

Download
memory/2500-21-0x0000000000960000-0x0000000000994000-memory.dmp

Filesize
208KB

Download
memory/2500-22-0x0000000000960000-0x0000000000994000-memory.dmp

Filesize
208KB

Download