urelas | 3f5922020afc585c228569bd660271d56af1a8dc9534aebf0c624b3e090b8722

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 08:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a4ea33709df3ce221d3be12e067f7c60.exe
Size

462KB
MD5

a4ea33709df3ce221d3be12e067f7c60
SHA1

1526904e22da7501b3cbbdaa36e3ab403606f4fe
SHA256

3f5922020afc585c228569bd660271d56af1a8dc9534aebf0c624b3e090b8722
SHA512

835a82030001ad761aa6b1099c28209fb7d3dc6cb774fce663ddd25c08de9ee5c9a34edebc21cb9ebdb4a613bb83382e1dedc881ad614b962812fe478a84a950
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6mwrxcvkzmSOphmH:PMpASIcWYx2U6kQnt

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2168	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2120	vitij.exe
2668	jonyru.exe
2192	iqnid.exe

Loads dropped DLL 8 IoCs

pid	Process
1788	NEAS.a4ea33709df3ce221d3be12e067f7c60.exe
2120	vitij.exe
2668	jonyru.exe
2668	jonyru.exe
484	WerFault.exe
484	WerFault.exe
484	WerFault.exe
484	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
484	2192	WerFault.exe	34

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2120	1788	NEAS.a4ea33709df3ce221d3be12e067f7c60.exe	28
PID 1788 wrote to memory of 2120	1788	NEAS.a4ea33709df3ce221d3be12e067f7c60.exe	28
PID 1788 wrote to memory of 2120	1788	NEAS.a4ea33709df3ce221d3be12e067f7c60.exe	28
PID 1788 wrote to memory of 2120	1788	NEAS.a4ea33709df3ce221d3be12e067f7c60.exe	28
PID 1788 wrote to memory of 2168	1788	NEAS.a4ea33709df3ce221d3be12e067f7c60.exe	30
PID 1788 wrote to memory of 2168	1788	NEAS.a4ea33709df3ce221d3be12e067f7c60.exe	30
PID 1788 wrote to memory of 2168	1788	NEAS.a4ea33709df3ce221d3be12e067f7c60.exe	30
PID 1788 wrote to memory of 2168	1788	NEAS.a4ea33709df3ce221d3be12e067f7c60.exe	30
PID 2120 wrote to memory of 2668	2120	vitij.exe	31
PID 2120 wrote to memory of 2668	2120	vitij.exe	31
PID 2120 wrote to memory of 2668	2120	vitij.exe	31
PID 2120 wrote to memory of 2668	2120	vitij.exe	31
PID 2668 wrote to memory of 2192	2668	jonyru.exe	34
PID 2668 wrote to memory of 2192	2668	jonyru.exe	34
PID 2668 wrote to memory of 2192	2668	jonyru.exe	34
PID 2668 wrote to memory of 2192	2668	jonyru.exe	34
PID 2668 wrote to memory of 1092	2668	jonyru.exe	36
PID 2668 wrote to memory of 1092	2668	jonyru.exe	36
PID 2668 wrote to memory of 1092	2668	jonyru.exe	36
PID 2668 wrote to memory of 1092	2668	jonyru.exe	36
PID 2192 wrote to memory of 484	2192	iqnid.exe	37
PID 2192 wrote to memory of 484	2192	iqnid.exe	37
PID 2192 wrote to memory of 484	2192	iqnid.exe	37
PID 2192 wrote to memory of 484	2192	iqnid.exe	37

C:\Users\Admin\AppData\Local\Temp\NEAS.a4ea33709df3ce221d3be12e067f7c60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a4ea33709df3ce221d3be12e067f7c60.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\vitij.exe
  "C:\Users\Admin\AppData\Local\Temp\vitij.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\jonyru.exe
    "C:\Users\Admin\AppData\Local\Temp\jonyru.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\iqnid.exe
      "C:\Users\Admin\AppData\Local\Temp\iqnid.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 36
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:484
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
61ff9e46bbebcd9b0587e29d054f89e3

SHA1
850fa9e66645a6ee6f0cc6a575a25cf1a68e0fd2

SHA256
e974244c72cc7f5068419ae13737e0980be8dd1e86b000e079083bb22416a4d2

SHA512
2fa61a3f5ceb0a2effaef6261e52d66d5a00857e75d41a79d8273f47d9acfc229866a8c8dab12552008aa16e8e90b7a051634f31d965a9aae9dc95f594900896

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
61ff9e46bbebcd9b0587e29d054f89e3

SHA1
850fa9e66645a6ee6f0cc6a575a25cf1a68e0fd2

SHA256
e974244c72cc7f5068419ae13737e0980be8dd1e86b000e079083bb22416a4d2

SHA512
2fa61a3f5ceb0a2effaef6261e52d66d5a00857e75d41a79d8273f47d9acfc229866a8c8dab12552008aa16e8e90b7a051634f31d965a9aae9dc95f594900896

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
286B

MD5
bbe3f8be2df65bea4e3f02ecb238952b

SHA1
32e34d9ad65d2993f97c637e52e8ad283ee0a6ae

SHA256
b990a895bceb1403bf82b3cbdec6267a2ef60a8bac8005ad21461d5a3bc959a1

SHA512
24c319a89cf38355d8cab2054f0b4a2a809735068939505a65daa318d805394c4043357e96748ea65111e2509d7bb5f5fa07a0b6019579312fc586ebb716c9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
286B

MD5
bbe3f8be2df65bea4e3f02ecb238952b

SHA1
32e34d9ad65d2993f97c637e52e8ad283ee0a6ae

SHA256
b990a895bceb1403bf82b3cbdec6267a2ef60a8bac8005ad21461d5a3bc959a1

SHA512
24c319a89cf38355d8cab2054f0b4a2a809735068939505a65daa318d805394c4043357e96748ea65111e2509d7bb5f5fa07a0b6019579312fc586ebb716c9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e45fc860e4c1596faccb34509f61bbad

SHA1
102309133738b63dfd7d57a94bd40bd3b2caa27e

SHA256
bb14352051745e3db48c3a58961ac2301a02cfadb0bbb354febd78dcbc1e019a

SHA512
690e5eeab7defe28e693aa8878e3f2db39b9e03f3554877a81c61eeba4d16b03b1cff92c086118b2f82d7221b3747dcf225a22216b3b10598a3aa1146329c13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqnid.exe

Filesize
223KB

MD5
3d95a5cae78d3e742decd8dd10628127

SHA1
523ccba9072ca2f418d4c1f89ef0173ee5c19617

SHA256
57d18a19d77641e32c507b0840b98daefac8aeb45919b6165a18749274ab41db

SHA512
c15440ca03a30720b64924848803c4756b010839cef1043d257a2a558b2a4298931d475bd114760638153db6fcd2cf73842ca9a17465fc2f4bf5762f245f8605

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqnid.exe

Filesize
223KB

MD5
3d95a5cae78d3e742decd8dd10628127

SHA1
523ccba9072ca2f418d4c1f89ef0173ee5c19617

SHA256
57d18a19d77641e32c507b0840b98daefac8aeb45919b6165a18749274ab41db

SHA512
c15440ca03a30720b64924848803c4756b010839cef1043d257a2a558b2a4298931d475bd114760638153db6fcd2cf73842ca9a17465fc2f4bf5762f245f8605

Download Submit
C:\Users\Admin\AppData\Local\Temp\jonyru.exe

Filesize
462KB

MD5
d2eeb53fef57ec5b96a572d78735c6b7

SHA1
936361ea3d0977da6c2f4e397e56982f66e83b7c

SHA256
093ce0e8f2a807497bb4eb8c1f896b273bc31d81b2153ab35ea2f5ce1fbecd7b

SHA512
c3eee43d303081accd398a6804c3f3f93d508a0cc0a5e6fe645366feda9b451f17e6618cac371110a9c72d303b280e2f8e009dc599173f43eefbd959ab6d1a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\jonyru.exe

Filesize
462KB

MD5
d2eeb53fef57ec5b96a572d78735c6b7

SHA1
936361ea3d0977da6c2f4e397e56982f66e83b7c

SHA256
093ce0e8f2a807497bb4eb8c1f896b273bc31d81b2153ab35ea2f5ce1fbecd7b

SHA512
c3eee43d303081accd398a6804c3f3f93d508a0cc0a5e6fe645366feda9b451f17e6618cac371110a9c72d303b280e2f8e009dc599173f43eefbd959ab6d1a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\jonyru.exe

Filesize
462KB

MD5
d2eeb53fef57ec5b96a572d78735c6b7

SHA1
936361ea3d0977da6c2f4e397e56982f66e83b7c

SHA256
093ce0e8f2a807497bb4eb8c1f896b273bc31d81b2153ab35ea2f5ce1fbecd7b

SHA512
c3eee43d303081accd398a6804c3f3f93d508a0cc0a5e6fe645366feda9b451f17e6618cac371110a9c72d303b280e2f8e009dc599173f43eefbd959ab6d1a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\vitij.exe

Filesize
462KB

MD5
23ecdb01b7d8c144c25670d7ec61613b

SHA1
fb94098ad434b0920fa667ea4991a66f3aa11ca5

SHA256
c6f2d84de90fc912c114ab92f977ebea84c1fd6723c38420620a4b0171251eea

SHA512
eb86c323c10c17e6842df91cccb2d1bcbc1cea1c798a09145f4b039d2ebfd5290ab349bd58c285f4a18264a71dfc5a1c53aee32269a61ed4db45ce39c41a81cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vitij.exe

Filesize
462KB

MD5
23ecdb01b7d8c144c25670d7ec61613b

SHA1
fb94098ad434b0920fa667ea4991a66f3aa11ca5

SHA256
c6f2d84de90fc912c114ab92f977ebea84c1fd6723c38420620a4b0171251eea

SHA512
eb86c323c10c17e6842df91cccb2d1bcbc1cea1c798a09145f4b039d2ebfd5290ab349bd58c285f4a18264a71dfc5a1c53aee32269a61ed4db45ce39c41a81cf

Download Submit
\Users\Admin\AppData\Local\Temp\iqnid.exe

Filesize
223KB

MD5
3d95a5cae78d3e742decd8dd10628127

SHA1
523ccba9072ca2f418d4c1f89ef0173ee5c19617

SHA256
57d18a19d77641e32c507b0840b98daefac8aeb45919b6165a18749274ab41db

SHA512
c15440ca03a30720b64924848803c4756b010839cef1043d257a2a558b2a4298931d475bd114760638153db6fcd2cf73842ca9a17465fc2f4bf5762f245f8605

Download Submit
\Users\Admin\AppData\Local\Temp\iqnid.exe

Filesize
223KB

MD5
3d95a5cae78d3e742decd8dd10628127

SHA1
523ccba9072ca2f418d4c1f89ef0173ee5c19617

SHA256
57d18a19d77641e32c507b0840b98daefac8aeb45919b6165a18749274ab41db

SHA512
c15440ca03a30720b64924848803c4756b010839cef1043d257a2a558b2a4298931d475bd114760638153db6fcd2cf73842ca9a17465fc2f4bf5762f245f8605

Download Submit
\Users\Admin\AppData\Local\Temp\iqnid.exe

Filesize
223KB

MD5
3d95a5cae78d3e742decd8dd10628127

SHA1
523ccba9072ca2f418d4c1f89ef0173ee5c19617

SHA256
57d18a19d77641e32c507b0840b98daefac8aeb45919b6165a18749274ab41db

SHA512
c15440ca03a30720b64924848803c4756b010839cef1043d257a2a558b2a4298931d475bd114760638153db6fcd2cf73842ca9a17465fc2f4bf5762f245f8605

Download Submit
\Users\Admin\AppData\Local\Temp\iqnid.exe

Filesize
223KB

MD5
3d95a5cae78d3e742decd8dd10628127

SHA1
523ccba9072ca2f418d4c1f89ef0173ee5c19617

SHA256
57d18a19d77641e32c507b0840b98daefac8aeb45919b6165a18749274ab41db

SHA512
c15440ca03a30720b64924848803c4756b010839cef1043d257a2a558b2a4298931d475bd114760638153db6fcd2cf73842ca9a17465fc2f4bf5762f245f8605

Download Submit
\Users\Admin\AppData\Local\Temp\iqnid.exe

Filesize
223KB

MD5
3d95a5cae78d3e742decd8dd10628127

SHA1
523ccba9072ca2f418d4c1f89ef0173ee5c19617

SHA256
57d18a19d77641e32c507b0840b98daefac8aeb45919b6165a18749274ab41db

SHA512
c15440ca03a30720b64924848803c4756b010839cef1043d257a2a558b2a4298931d475bd114760638153db6fcd2cf73842ca9a17465fc2f4bf5762f245f8605

Download Submit
\Users\Admin\AppData\Local\Temp\iqnid.exe

Filesize
223KB

MD5
3d95a5cae78d3e742decd8dd10628127

SHA1
523ccba9072ca2f418d4c1f89ef0173ee5c19617

SHA256
57d18a19d77641e32c507b0840b98daefac8aeb45919b6165a18749274ab41db

SHA512
c15440ca03a30720b64924848803c4756b010839cef1043d257a2a558b2a4298931d475bd114760638153db6fcd2cf73842ca9a17465fc2f4bf5762f245f8605

Download Submit
\Users\Admin\AppData\Local\Temp\jonyru.exe

Filesize
462KB

MD5
d2eeb53fef57ec5b96a572d78735c6b7

SHA1
936361ea3d0977da6c2f4e397e56982f66e83b7c

SHA256
093ce0e8f2a807497bb4eb8c1f896b273bc31d81b2153ab35ea2f5ce1fbecd7b

SHA512
c3eee43d303081accd398a6804c3f3f93d508a0cc0a5e6fe645366feda9b451f17e6618cac371110a9c72d303b280e2f8e009dc599173f43eefbd959ab6d1a85

Download Submit
\Users\Admin\AppData\Local\Temp\vitij.exe

Filesize
462KB

MD5
23ecdb01b7d8c144c25670d7ec61613b

SHA1
fb94098ad434b0920fa667ea4991a66f3aa11ca5

SHA256
c6f2d84de90fc912c114ab92f977ebea84c1fd6723c38420620a4b0171251eea

SHA512
eb86c323c10c17e6842df91cccb2d1bcbc1cea1c798a09145f4b039d2ebfd5290ab349bd58c285f4a18264a71dfc5a1c53aee32269a61ed4db45ce39c41a81cf

Download Submit
memory/1788-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1788-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2120-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2192-48-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2668-47-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2668-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2668-39-0x0000000002D50000-0x0000000002DF0000-memory.dmp

Filesize
640KB

Download
memory/2668-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download