urelas | 8f84f21ab6a84f60f07a09dcac091ba9b8628f1902d730b86de440d4f0912136

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe
Size

401KB
MD5

b418ce0c76a84c1fac87a18189e853c0
SHA1

d4fa5b459fac7e15be562cfbc5d650af587f2660
SHA256

8f84f21ab6a84f60f07a09dcac091ba9b8628f1902d730b86de440d4f0912136
SHA512

aae6a3cb38dbfc506a419d06f3ffe8977559d9be8faf1b878518f5613979943a645b4f36915ba20087595ad8ba109174a8d7688878764965c71a9232fc1e1a99
SSDEEP

6144:Jivd27I1O8aYQ7ATa7QG0tzC/mtPZBhVnnoMwPv2CdLeTSJVDvMj/xUT/PCYgi6:Jh8/BQ7Am7QnPZBhVwuCdq4VzWxUTu7

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2684	tukoy.exe
2596	coqog.exe

Loads dropped DLL 2 IoCs

pid	Process
2560	NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe
2684	tukoy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe
2596	coqog.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2684	2560	NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe	28
PID 2560 wrote to memory of 2684	2560	NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe	28
PID 2560 wrote to memory of 2684	2560	NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe	28
PID 2560 wrote to memory of 2684	2560	NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe	28
PID 2560 wrote to memory of 2880	2560	NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe	29
PID 2560 wrote to memory of 2880	2560	NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe	29
PID 2560 wrote to memory of 2880	2560	NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe	29
PID 2560 wrote to memory of 2880	2560	NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe	29
PID 2684 wrote to memory of 2596	2684	tukoy.exe	33
PID 2684 wrote to memory of 2596	2684	tukoy.exe	33
PID 2684 wrote to memory of 2596	2684	tukoy.exe	33
PID 2684 wrote to memory of 2596	2684	tukoy.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b418ce0c76a84c1fac87a18189e853c0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\tukoy.exe
  "C:\Users\Admin\AppData\Local\Temp\tukoy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\coqog.exe
    "C:\Users\Admin\AppData\Local\Temp\coqog.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
292B

MD5
cb2f613cb85de4c328d53ed085bd826a

SHA1
a2d462bbd8ac736f593888cccd548e91203592d6

SHA256
cbe597c0e608659b2b907853f5a9dfc8ec3665fad49fc9502f839825b33c368f

SHA512
727f1054fcca7505504aa707bcaaf95b9a0077c41be343da84e97381fac3536f2f4d678eca8ef79769ebbca0d2842a462d80aac5f4dde7cbb06123fe6e4acf44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
292B

MD5
cb2f613cb85de4c328d53ed085bd826a

SHA1
a2d462bbd8ac736f593888cccd548e91203592d6

SHA256
cbe597c0e608659b2b907853f5a9dfc8ec3665fad49fc9502f839825b33c368f

SHA512
727f1054fcca7505504aa707bcaaf95b9a0077c41be343da84e97381fac3536f2f4d678eca8ef79769ebbca0d2842a462d80aac5f4dde7cbb06123fe6e4acf44

Download Submit
C:\Users\Admin\AppData\Local\Temp\coqog.exe

Filesize
222KB

MD5
2519e03b65a9f6e997e511043e999f9c

SHA1
4e38136af8586011f3d55d55ae9e1cf903465269

SHA256
1d5200969d6c70d9a340caf097eb6d1c7daa1d32f96e41b228a784980b279f5b

SHA512
f426b4da09ee0edf6271b8cd0532f3091e1e4e572a12b09d1034f0fcee35430f93f75fdae91a3aa27ad326c4b2e5be2410a439a0993ba3ffd36f0c4bf4f71c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5731530fabfb5ece9f0781e7d12e055b

SHA1
cee8e7d681521b747f497ae608bfc2bbe7d54c60

SHA256
7c1dd9d1a211716e65f5cf779d2c6447a50b8bfc6eb41bfee5aa1053d5e2bdcf

SHA512
3dc386ec5490b3685b1692daa47680c91e0e81ff84af1aedfb1afc179d557c8030d826ef8e8cca836e9ebdb155a217f99ad673159ce9f560ee3e88862c05134b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tukoy.exe

Filesize
401KB

MD5
ae96590ae2ad9333c4ceb2475387e893

SHA1
ddb72cfb63de6d3d3d39e4d50644cf02b0c74aa9

SHA256
6062bb8d5099289f18a2ec444ba9e6e79208c1fde4315eb3fef170f2210906cd

SHA512
94863fb5215f435133327472fda870096a154e56e5419ffe54a263d75bea924fac6fefd9990a6bca0936c649c4efc358f7faf722c7eb8f4cc13e7896f8924a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tukoy.exe

Filesize
401KB

MD5
ae96590ae2ad9333c4ceb2475387e893

SHA1
ddb72cfb63de6d3d3d39e4d50644cf02b0c74aa9

SHA256
6062bb8d5099289f18a2ec444ba9e6e79208c1fde4315eb3fef170f2210906cd

SHA512
94863fb5215f435133327472fda870096a154e56e5419ffe54a263d75bea924fac6fefd9990a6bca0936c649c4efc358f7faf722c7eb8f4cc13e7896f8924a83

Download Submit
\Users\Admin\AppData\Local\Temp\coqog.exe

Filesize
222KB

MD5
2519e03b65a9f6e997e511043e999f9c

SHA1
4e38136af8586011f3d55d55ae9e1cf903465269

SHA256
1d5200969d6c70d9a340caf097eb6d1c7daa1d32f96e41b228a784980b279f5b

SHA512
f426b4da09ee0edf6271b8cd0532f3091e1e4e572a12b09d1034f0fcee35430f93f75fdae91a3aa27ad326c4b2e5be2410a439a0993ba3ffd36f0c4bf4f71c6b

Download Submit
\Users\Admin\AppData\Local\Temp\tukoy.exe

Filesize
401KB

MD5
ae96590ae2ad9333c4ceb2475387e893

SHA1
ddb72cfb63de6d3d3d39e4d50644cf02b0c74aa9

SHA256
6062bb8d5099289f18a2ec444ba9e6e79208c1fde4315eb3fef170f2210906cd

SHA512
94863fb5215f435133327472fda870096a154e56e5419ffe54a263d75bea924fac6fefd9990a6bca0936c649c4efc358f7faf722c7eb8f4cc13e7896f8924a83

Download Submit
memory/2560-6-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/2560-17-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/2560-0-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/2596-28-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/2596-29-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2596-31-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/2596-32-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/2596-33-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/2596-34-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/2596-35-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/2684-26-0x0000000000C50000-0x0000000000CB7000-memory.dmp

Filesize
412KB

Download
memory/2684-20-0x0000000000C50000-0x0000000000CB7000-memory.dmp

Filesize
412KB

Download