urelas | 0d485580396764c767f9f8b0d77358e44119fd70eecfdbb2eccc4d913987cd97

Analysis

max time kernel
117s
max time network
128s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 20:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe
Size

64KB
MD5

c1f8f8fb4b04fc1eaf947e92969674b0
SHA1

5c3f651ae6ff20685a020249cd1015cd4e8682c9
SHA256

0d485580396764c767f9f8b0d77358e44119fd70eecfdbb2eccc4d913987cd97
SHA512

9663b338983ab98503a3df5b02b1ad687bdf14996399895f9bfa1eb77d55261c165c63c59e2a648c5bcfcdcedf8c848120696cad52ab6b9dd5b0c0fdb692a1cf
SSDEEP

1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCa2:yLAYUzmdD0sMQl7d7IuhCa2

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2028	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1504	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2400	NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1504	2400	NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe	29
PID 2400 wrote to memory of 1504	2400	NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe	29
PID 2400 wrote to memory of 1504	2400	NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe	29
PID 2400 wrote to memory of 1504	2400	NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe	29
PID 2400 wrote to memory of 2028	2400	NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe	28
PID 2400 wrote to memory of 2028	2400	NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe	28
PID 2400 wrote to memory of 2028	2400	NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe	28
PID 2400 wrote to memory of 2028	2400	NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c1f8f8fb4b04fc1eaf947e92969674b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
64KB

MD5
109c808280a51ea31809acb220f24c19

SHA1
315213df63c328626d08892d3b72ec54bccf7675

SHA256
ebc30f7f0f74aa7ac101fa5e3015abcc4497c8536f792aaf20b90a7b91a8b310

SHA512
807e9e93e9fffb33a50a19471d263ba355d581e5eacb16262cc0e4caff15ffa42b226964438d974b0e53e134ebc10dd93f070d5cb9e1fba7cdf0b7af34729811

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1c9b2720af0ca9528b47898d9c7f4799

SHA1
80495f16e333f54ecc700252323c2a7cb7d751e1

SHA256
d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

SHA512
5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
da22d0ea0ca9a91e164cb82b425b7a9c

SHA1
b22e16f1fb306b6e47bf6511f678456124e4419b

SHA256
a741d744a8e6528571163dad827666103360e366e477d2530bf03b9b6b623c2f

SHA512
0c6f12f765f75c70248b38d3ca94a8e09eba769e8dd7a8ad6c42839837ac7677619f9ee9d412cf5c707860e937d17af6e47906e87d5083023e65376c738cdf62

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
da22d0ea0ca9a91e164cb82b425b7a9c

SHA1
b22e16f1fb306b6e47bf6511f678456124e4419b

SHA256
a741d744a8e6528571163dad827666103360e366e477d2530bf03b9b6b623c2f

SHA512
0c6f12f765f75c70248b38d3ca94a8e09eba769e8dd7a8ad6c42839837ac7677619f9ee9d412cf5c707860e937d17af6e47906e87d5083023e65376c738cdf62

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
64KB

MD5
109c808280a51ea31809acb220f24c19

SHA1
315213df63c328626d08892d3b72ec54bccf7675

SHA256
ebc30f7f0f74aa7ac101fa5e3015abcc4497c8536f792aaf20b90a7b91a8b310

SHA512
807e9e93e9fffb33a50a19471d263ba355d581e5eacb16262cc0e4caff15ffa42b226964438d974b0e53e134ebc10dd93f070d5cb9e1fba7cdf0b7af34729811

Download Submit
memory/1504-10-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/1504-21-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/1504-23-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/1504-29-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/2400-0-0x0000000001290000-0x00000000012B7000-memory.dmp

Filesize
156KB

Download
memory/2400-6-0x0000000000390000-0x00000000003B7000-memory.dmp

Filesize
156KB

Download
memory/2400-18-0x0000000001290000-0x00000000012B7000-memory.dmp

Filesize
156KB

Download