urelas | 2014ed28492f959fd0dd8e61a4b418ba6273c6748b7c5b2a333315f7ff86923e

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe
Size

124KB
MD5

cc8071267a830c96c9b12ba6eca48ba0
SHA1

4e9f68d45803ddef0a87afbe04603535259c4b3e
SHA256

2014ed28492f959fd0dd8e61a4b418ba6273c6748b7c5b2a333315f7ff86923e
SHA512

4803d28d18c0a7ec9bcd78e606c9d39b53aefe21b52e9562599b33b513633672531a0d3d9b561c057b1b37647c6554b50f126dd4a7bcb4e071677ebc8406caba
SSDEEP

1536:3C+ltNKIxyDjxxNA6vOOZsBLD/qMJEAhHmRYHE7mqfm0ym:3C+ltUIs9pO9/jj8YKmg

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2996	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
1172	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2996	1172	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	28
PID 1172 wrote to memory of 2996	1172	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	28
PID 1172 wrote to memory of 2996	1172	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	28
PID 1172 wrote to memory of 2996	1172	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	28
PID 1172 wrote to memory of 2720	1172	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	29
PID 1172 wrote to memory of 2720	1172	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	29
PID 1172 wrote to memory of 2720	1172	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	29
PID 1172 wrote to memory of 2720	1172	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6c7b9d5d0c8c895b27e9c92196ff145c

SHA1
5df3e0a05d84df13876a50c8607f6f86bf588380

SHA256
1246443d1394e56a60994bcc80a29239ffa86467f5fcfb4a962a50736b865dce

SHA512
64899b68c5812765762d076699fc007df0c4397a24999c3ad8cb3d7556737696b383b039c89b41099ee63249e7d76acbcf1fd84311de5abc98008b05fd176424

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
124KB

MD5
ef7de5ad12997f2baf6d79f8ced35e35

SHA1
29f21b0d957324b097ea78061252f389ca8903c1

SHA256
97b5fe3b77b71a7cd88a053fe1340bcfd1fd03f6c9ff1252116798e7e8c0146b

SHA512
11c64afcb81db51c009415f756fe0a1b08ee061731674ae6d3a6d4d2ef9ba88b3216a867b851b84d29431826d14d9fda863d14407500997e40b4d01987f51c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
290B

MD5
699804403efdf1f7bd04d0099ba2d1d7

SHA1
8084e71ee200516edd30b0e716159dfa9ed413fa

SHA256
15ad2bce29a7df01ee0e6cc629167ed69a770503246e0bbac1c0427d8745e7b8

SHA512
e3d2aa4538d3505dc8d573428f8b1698d1058e240ee5d4778270c32d285ba51367580279979cf15e72d8253f12affdb2f38186dc52abac4da6979b880909e457

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
290B

MD5
699804403efdf1f7bd04d0099ba2d1d7

SHA1
8084e71ee200516edd30b0e716159dfa9ed413fa

SHA256
15ad2bce29a7df01ee0e6cc629167ed69a770503246e0bbac1c0427d8745e7b8

SHA512
e3d2aa4538d3505dc8d573428f8b1698d1058e240ee5d4778270c32d285ba51367580279979cf15e72d8253f12affdb2f38186dc52abac4da6979b880909e457

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
124KB

MD5
ef7de5ad12997f2baf6d79f8ced35e35

SHA1
29f21b0d957324b097ea78061252f389ca8903c1

SHA256
97b5fe3b77b71a7cd88a053fe1340bcfd1fd03f6c9ff1252116798e7e8c0146b

SHA512
11c64afcb81db51c009415f756fe0a1b08ee061731674ae6d3a6d4d2ef9ba88b3216a867b851b84d29431826d14d9fda863d14407500997e40b4d01987f51c33

Download Submit
memory/1172-0-0x00000000012A0000-0x00000000012ED000-memory.dmp

Filesize
308KB

Download
memory/1172-6-0x00000000004A0000-0x00000000004ED000-memory.dmp

Filesize
308KB

Download
memory/1172-17-0x00000000012A0000-0x00000000012ED000-memory.dmp

Filesize
308KB

Download
memory/2996-20-0x0000000001090000-0x00000000010DD000-memory.dmp

Filesize
308KB

Download
memory/2996-22-0x0000000001090000-0x00000000010DD000-memory.dmp

Filesize
308KB

Download
memory/2996-28-0x0000000001090000-0x00000000010DD000-memory.dmp

Filesize
308KB

Download