urelas | d89db36777307b0ccee1e2a45bfaccc443ac73a7857abc180214f6c8a1ca0190

Analysis

max time kernel
153s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
28/10/2023, 19:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe
Size

291KB
MD5

60d1c44a86f8b6d8b59ca380556c9340
SHA1

aa55e9b3038377eb4ec6cac5ffa8bb1332922989
SHA256

d89db36777307b0ccee1e2a45bfaccc443ac73a7857abc180214f6c8a1ca0190
SHA512

af9f34e6620a70deb49c88f14c4637ee87a78bc7960f1c55074189c9db041b2030694754743ece2dfd35da6fe9cc1369e40efa8e71a1f1add7baba3b35b1a78b
SSDEEP

6144:zCKw0+tZvozAx9/dpwwyQHhjqZDq8NjPCjEGpAJiJ/L4IR:2JH0Ze8NzIWez4IR

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2120	daopl.exe
2528	rohud.exe

Loads dropped DLL 3 IoCs

pid	Process
1788	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe
2120	daopl.exe
2120	daopl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe
2528	rohud.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2120	1788	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	28
PID 1788 wrote to memory of 2120	1788	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	28
PID 1788 wrote to memory of 2120	1788	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	28
PID 1788 wrote to memory of 2120	1788	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	28
PID 1788 wrote to memory of 2608	1788	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	29
PID 1788 wrote to memory of 2608	1788	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	29
PID 1788 wrote to memory of 2608	1788	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	29
PID 1788 wrote to memory of 2608	1788	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	29
PID 2120 wrote to memory of 2528	2120	daopl.exe	33
PID 2120 wrote to memory of 2528	2120	daopl.exe	33
PID 2120 wrote to memory of 2528	2120	daopl.exe	33
PID 2120 wrote to memory of 2528	2120	daopl.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\daopl.exe
  "C:\Users\Admin\AppData\Local\Temp\daopl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\rohud.exe
    "C:\Users\Admin\AppData\Local\Temp\rohud.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
92a9f7de410456a6fe5ee312188a8c24

SHA1
e75dcbec67d7416a14e5dee1a156e2f812f42295

SHA256
3d21d3bf0bbdef3d6578b90889e7ddda84eeb90013459015e9b8c34c8071e9a1

SHA512
2286f3b52e6a1994d56a9381e026f0bdd74770d3e704beda1ffb45ff1f81e5396a715b4efa887dd126742368e8b9e1ee19e4c61b97928e639e3657d95c898a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
92a9f7de410456a6fe5ee312188a8c24

SHA1
e75dcbec67d7416a14e5dee1a156e2f812f42295

SHA256
3d21d3bf0bbdef3d6578b90889e7ddda84eeb90013459015e9b8c34c8071e9a1

SHA512
2286f3b52e6a1994d56a9381e026f0bdd74770d3e704beda1ffb45ff1f81e5396a715b4efa887dd126742368e8b9e1ee19e4c61b97928e639e3657d95c898a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\daopl.exe

Filesize
291KB

MD5
6d61d8a7a8e406e9be0f76814a43f361

SHA1
d0ca9c998535c0745144d7efc02e900a8236fbbb

SHA256
147f1adfb679ed4443e5db03a24da934d69340ca484843a029871b4e45468c48

SHA512
263e2bcd6d9159a1eb0bf6b4331b8f61aaa4b513b46403363343844f07cb4818d342b4cf0ded8f6dac6bce5f6d9c29a956c5d1ccb96d17c3b10f6fa26b3a62d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\daopl.exe

Filesize
291KB

MD5
6d61d8a7a8e406e9be0f76814a43f361

SHA1
d0ca9c998535c0745144d7efc02e900a8236fbbb

SHA256
147f1adfb679ed4443e5db03a24da934d69340ca484843a029871b4e45468c48

SHA512
263e2bcd6d9159a1eb0bf6b4331b8f61aaa4b513b46403363343844f07cb4818d342b4cf0ded8f6dac6bce5f6d9c29a956c5d1ccb96d17c3b10f6fa26b3a62d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b46d6007279f372820feb766ed7df8c7

SHA1
e325a9dcff5817ec29b0a3518be1ee369bf6238d

SHA256
eda115cbaabdcf538dc4a5afb9d7f4f9682b99f60f722cdd658efdc174661697

SHA512
49c3d4975c863d436a0aba115ad5f26990661a12c6d099a6f6ca9cdc13a4dd24464380151d1039b57c35e288440f30c2096ddf68b284c9231d44a7a87fc64ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rohud.exe

Filesize
208KB

MD5
76e0ce733c05ef12c061dd52b55f3a07

SHA1
1276fdd9b20bb2d2e3384cae09e7b1f06422cfdb

SHA256
a6df305d4a9de81f2b63f48b7499250b149fa2f0abe1f661d348da6a9fac3019

SHA512
675c4b714eba593e3c1772c7c035a444e9fd984fdf548ccde96f5c9558b21de294a4f4add9e35823608c534570bcd013e5362f324b9b68b45e438e751a2bf9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rohud.exe

Filesize
208KB

MD5
76e0ce733c05ef12c061dd52b55f3a07

SHA1
1276fdd9b20bb2d2e3384cae09e7b1f06422cfdb

SHA256
a6df305d4a9de81f2b63f48b7499250b149fa2f0abe1f661d348da6a9fac3019

SHA512
675c4b714eba593e3c1772c7c035a444e9fd984fdf548ccde96f5c9558b21de294a4f4add9e35823608c534570bcd013e5362f324b9b68b45e438e751a2bf9bb

Download Submit
\Users\Admin\AppData\Local\Temp\daopl.exe

Filesize
291KB

MD5
6d61d8a7a8e406e9be0f76814a43f361

SHA1
d0ca9c998535c0745144d7efc02e900a8236fbbb

SHA256
147f1adfb679ed4443e5db03a24da934d69340ca484843a029871b4e45468c48

SHA512
263e2bcd6d9159a1eb0bf6b4331b8f61aaa4b513b46403363343844f07cb4818d342b4cf0ded8f6dac6bce5f6d9c29a956c5d1ccb96d17c3b10f6fa26b3a62d9

Download Submit
\Users\Admin\AppData\Local\Temp\rohud.exe

Filesize
208KB

MD5
76e0ce733c05ef12c061dd52b55f3a07

SHA1
1276fdd9b20bb2d2e3384cae09e7b1f06422cfdb

SHA256
a6df305d4a9de81f2b63f48b7499250b149fa2f0abe1f661d348da6a9fac3019

SHA512
675c4b714eba593e3c1772c7c035a444e9fd984fdf548ccde96f5c9558b21de294a4f4add9e35823608c534570bcd013e5362f324b9b68b45e438e751a2bf9bb

Download Submit
\Users\Admin\AppData\Local\Temp\rohud.exe

Filesize
208KB

MD5
76e0ce733c05ef12c061dd52b55f3a07

SHA1
1276fdd9b20bb2d2e3384cae09e7b1f06422cfdb

SHA256
a6df305d4a9de81f2b63f48b7499250b149fa2f0abe1f661d348da6a9fac3019

SHA512
675c4b714eba593e3c1772c7c035a444e9fd984fdf548ccde96f5c9558b21de294a4f4add9e35823608c534570bcd013e5362f324b9b68b45e438e751a2bf9bb

Download Submit
memory/1788-17-0x0000000000040000-0x00000000000EE000-memory.dmp

Filesize
696KB

Download
memory/1788-0-0x0000000000040000-0x00000000000EE000-memory.dmp

Filesize
696KB

Download
memory/2120-9-0x0000000001270000-0x000000000131E000-memory.dmp

Filesize
696KB

Download
memory/2120-37-0x0000000003050000-0x00000000030EC000-memory.dmp

Filesize
624KB

Download
memory/2120-20-0x0000000001270000-0x000000000131E000-memory.dmp

Filesize
696KB

Download
memory/2120-38-0x0000000001270000-0x000000000131E000-memory.dmp

Filesize
696KB

Download
memory/2528-40-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2528-42-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2528-43-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2528-44-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2528-45-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2528-46-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2528-47-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download