urelas | c7eba26582ac3e839c4255a3f5c140755acd34d389b7d17848f31e07706c4322

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe
Size

418KB
MD5

1ee9e84e05f1c9f1e91d82da382fdab0
SHA1

0bd2f78a0c8e345cf130a19ac236f80911ae9bc1
SHA256

c7eba26582ac3e839c4255a3f5c140755acd34d389b7d17848f31e07706c4322
SHA512

53f6037b9cb5cfd526fe5df51534e542db4ef5d591dcdc2d05902ae68fa6352bcff9d9f9bc24178f82567652016ae4413656f0e7939e4d28a7e3f4310db3147b
SSDEEP

6144:XxiqjFBwbGbGQfkOuuGDblGE2OeMfqP3mOa2cBlBPAsEv:XhjQK3f/utLeMfBnBcv

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3044	syrej.exe
1684	ijjyve.exe
2520	tekis.exe

Loads dropped DLL 5 IoCs

pid	Process
2176	NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe
2176	NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe
3044	syrej.exe
3044	syrej.exe
1684	ijjyve.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe
2520	tekis.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3044	2176	NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe	28
PID 2176 wrote to memory of 3044	2176	NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe	28
PID 2176 wrote to memory of 3044	2176	NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe	28
PID 2176 wrote to memory of 3044	2176	NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe	28
PID 2176 wrote to memory of 2828	2176	NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe	29
PID 2176 wrote to memory of 2828	2176	NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe	29
PID 2176 wrote to memory of 2828	2176	NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe	29
PID 2176 wrote to memory of 2828	2176	NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe	29
PID 3044 wrote to memory of 1684	3044	syrej.exe	31
PID 3044 wrote to memory of 1684	3044	syrej.exe	31
PID 3044 wrote to memory of 1684	3044	syrej.exe	31
PID 3044 wrote to memory of 1684	3044	syrej.exe	31
PID 1684 wrote to memory of 2520	1684	ijjyve.exe	34
PID 1684 wrote to memory of 2520	1684	ijjyve.exe	34
PID 1684 wrote to memory of 2520	1684	ijjyve.exe	34
PID 1684 wrote to memory of 2520	1684	ijjyve.exe	34
PID 1684 wrote to memory of 2880	1684	ijjyve.exe	36
PID 1684 wrote to memory of 2880	1684	ijjyve.exe	36
PID 1684 wrote to memory of 2880	1684	ijjyve.exe	36
PID 1684 wrote to memory of 2880	1684	ijjyve.exe	36

C:\Users\Admin\AppData\Local\Temp\NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1ee9e84e05f1c9f1e91d82da382fdab0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\syrej.exe
  "C:\Users\Admin\AppData\Local\Temp\syrej.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\ijjyve.exe
    "C:\Users\Admin\AppData\Local\Temp\ijjyve.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\tekis.exe
      "C:\Users\Admin\AppData\Local\Temp\tekis.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b8ae134fbb3c0f961badaaff14cf38bd

SHA1
b9c1dc46ef305d4e7f7a10d88b1e427b2f45ed40

SHA256
2c4e38fa565576cc18c7c50b373f90a1d2003824942b6a3aae7ec184b64de25b

SHA512
68cad6afa47e2fd42fc87605ae5895d693278a33f4e8ece16975493b89ad6c2c91e65a426da93a75777eb2a4c7995ad897c57cb9fc621131b011c6d2ede05e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b8ae134fbb3c0f961badaaff14cf38bd

SHA1
b9c1dc46ef305d4e7f7a10d88b1e427b2f45ed40

SHA256
2c4e38fa565576cc18c7c50b373f90a1d2003824942b6a3aae7ec184b64de25b

SHA512
68cad6afa47e2fd42fc87605ae5895d693278a33f4e8ece16975493b89ad6c2c91e65a426da93a75777eb2a4c7995ad897c57cb9fc621131b011c6d2ede05e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
fd3bbfd269deb119a46584290f121398

SHA1
3847d12191dddcadfbc5960175b29b126371745e

SHA256
a18943a85825f31c1b0e07337bcb642a42f3a60ee813b5fce5ede5e4d2891341

SHA512
d13c7e867307c159c883d824c0830b9cffe717dd28be4a9e7f30c896eab54bbcacf7461e970689673ea448a8a746c3f9b3ad10a27006aba0a6a226091d8a85d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
fd3bbfd269deb119a46584290f121398

SHA1
3847d12191dddcadfbc5960175b29b126371745e

SHA256
a18943a85825f31c1b0e07337bcb642a42f3a60ee813b5fce5ede5e4d2891341

SHA512
d13c7e867307c159c883d824c0830b9cffe717dd28be4a9e7f30c896eab54bbcacf7461e970689673ea448a8a746c3f9b3ad10a27006aba0a6a226091d8a85d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f822cfa2efc7ae8b6e0bf3249b75c21d

SHA1
ffe255fd2a90e28baaa8edbbe66f7bab08fbf631

SHA256
303517c3be99f40a1c66a696ce9aa4774c39d1db503fb04d9e0b1639f18ae9e2

SHA512
924f9c61cf3a5a37a818ca3bfa38f4dfd8b30ed8bf14e37a043bbdfbfaf043ed1feff52b058ff74d798a1de822a0a6aa712262fce9ca82f6ef29e6c1d6ba6014

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijjyve.exe

Filesize
418KB

MD5
4d1f1a16efed3f79a6382a3f3611ad98

SHA1
1f5afb021c3123a54263593b0b698f0bf7a5d41a

SHA256
646b93c62c5ad8762f0e0574b63cbd11017730f99509a8bd8806c521763baec4

SHA512
bf52375adf378af93f2a6f528d2caea72917c51a9d73603f6657c3f75fbd449cae76abe5f79ecd7f2d9240be46c7342ea63d826e29a70e57aa787f27e6864467

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijjyve.exe

Filesize
418KB

MD5
4d1f1a16efed3f79a6382a3f3611ad98

SHA1
1f5afb021c3123a54263593b0b698f0bf7a5d41a

SHA256
646b93c62c5ad8762f0e0574b63cbd11017730f99509a8bd8806c521763baec4

SHA512
bf52375adf378af93f2a6f528d2caea72917c51a9d73603f6657c3f75fbd449cae76abe5f79ecd7f2d9240be46c7342ea63d826e29a70e57aa787f27e6864467

Download Submit
C:\Users\Admin\AppData\Local\Temp\syrej.exe

Filesize
418KB

MD5
4d1f1a16efed3f79a6382a3f3611ad98

SHA1
1f5afb021c3123a54263593b0b698f0bf7a5d41a

SHA256
646b93c62c5ad8762f0e0574b63cbd11017730f99509a8bd8806c521763baec4

SHA512
bf52375adf378af93f2a6f528d2caea72917c51a9d73603f6657c3f75fbd449cae76abe5f79ecd7f2d9240be46c7342ea63d826e29a70e57aa787f27e6864467

Download Submit
C:\Users\Admin\AppData\Local\Temp\syrej.exe

Filesize
418KB

MD5
4d1f1a16efed3f79a6382a3f3611ad98

SHA1
1f5afb021c3123a54263593b0b698f0bf7a5d41a

SHA256
646b93c62c5ad8762f0e0574b63cbd11017730f99509a8bd8806c521763baec4

SHA512
bf52375adf378af93f2a6f528d2caea72917c51a9d73603f6657c3f75fbd449cae76abe5f79ecd7f2d9240be46c7342ea63d826e29a70e57aa787f27e6864467

Download Submit
C:\Users\Admin\AppData\Local\Temp\syrej.exe

Filesize
418KB

MD5
4d1f1a16efed3f79a6382a3f3611ad98

SHA1
1f5afb021c3123a54263593b0b698f0bf7a5d41a

SHA256
646b93c62c5ad8762f0e0574b63cbd11017730f99509a8bd8806c521763baec4

SHA512
bf52375adf378af93f2a6f528d2caea72917c51a9d73603f6657c3f75fbd449cae76abe5f79ecd7f2d9240be46c7342ea63d826e29a70e57aa787f27e6864467

Download Submit
C:\Users\Admin\AppData\Local\Temp\tekis.exe

Filesize
189KB

MD5
6fd31accaa758245d7321dbe0e6158e3

SHA1
6ec592fc4deef1df6e6847fdcd80501f9bdd990d

SHA256
62b3f502170b8c8bb1ecbc2be73744495486a67fb7c98ce24dfa89caa6201a7c

SHA512
f52c74c41da7c88e77f5d8695ac8a304ea21e754dd8e6597864f59e1274b6d1d31bcd6fe28f49562487549515f570c2c40243f681ff35340a1214c72d10a35a4

Download Submit
\Users\Admin\AppData\Local\Temp\ijjyve.exe

Filesize
418KB

MD5
4d1f1a16efed3f79a6382a3f3611ad98

SHA1
1f5afb021c3123a54263593b0b698f0bf7a5d41a

SHA256
646b93c62c5ad8762f0e0574b63cbd11017730f99509a8bd8806c521763baec4

SHA512
bf52375adf378af93f2a6f528d2caea72917c51a9d73603f6657c3f75fbd449cae76abe5f79ecd7f2d9240be46c7342ea63d826e29a70e57aa787f27e6864467

Download Submit
\Users\Admin\AppData\Local\Temp\ijjyve.exe

Filesize
418KB

MD5
4d1f1a16efed3f79a6382a3f3611ad98

SHA1
1f5afb021c3123a54263593b0b698f0bf7a5d41a

SHA256
646b93c62c5ad8762f0e0574b63cbd11017730f99509a8bd8806c521763baec4

SHA512
bf52375adf378af93f2a6f528d2caea72917c51a9d73603f6657c3f75fbd449cae76abe5f79ecd7f2d9240be46c7342ea63d826e29a70e57aa787f27e6864467

Download Submit
\Users\Admin\AppData\Local\Temp\syrej.exe

Filesize
418KB

MD5
4d1f1a16efed3f79a6382a3f3611ad98

SHA1
1f5afb021c3123a54263593b0b698f0bf7a5d41a

SHA256
646b93c62c5ad8762f0e0574b63cbd11017730f99509a8bd8806c521763baec4

SHA512
bf52375adf378af93f2a6f528d2caea72917c51a9d73603f6657c3f75fbd449cae76abe5f79ecd7f2d9240be46c7342ea63d826e29a70e57aa787f27e6864467

Download Submit
\Users\Admin\AppData\Local\Temp\syrej.exe

Filesize
418KB

MD5
4d1f1a16efed3f79a6382a3f3611ad98

SHA1
1f5afb021c3123a54263593b0b698f0bf7a5d41a

SHA256
646b93c62c5ad8762f0e0574b63cbd11017730f99509a8bd8806c521763baec4

SHA512
bf52375adf378af93f2a6f528d2caea72917c51a9d73603f6657c3f75fbd449cae76abe5f79ecd7f2d9240be46c7342ea63d826e29a70e57aa787f27e6864467

Download Submit
\Users\Admin\AppData\Local\Temp\tekis.exe

Filesize
189KB

MD5
6fd31accaa758245d7321dbe0e6158e3

SHA1
6ec592fc4deef1df6e6847fdcd80501f9bdd990d

SHA256
62b3f502170b8c8bb1ecbc2be73744495486a67fb7c98ce24dfa89caa6201a7c

SHA512
f52c74c41da7c88e77f5d8695ac8a304ea21e754dd8e6597864f59e1274b6d1d31bcd6fe28f49562487549515f570c2c40243f681ff35340a1214c72d10a35a4

Download Submit
memory/1684-35-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1684-36-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1684-54-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1684-52-0x00000000037D0000-0x000000000386B000-memory.dmp

Filesize
620KB

Download
memory/2176-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2176-22-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2520-61-0x00000000009B0000-0x0000000000A4B000-memory.dmp

Filesize
620KB

Download
memory/2520-53-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2520-55-0x00000000009B0000-0x0000000000A4B000-memory.dmp

Filesize
620KB

Download
memory/2520-60-0x00000000009B0000-0x0000000000A4B000-memory.dmp

Filesize
620KB

Download
memory/2520-62-0x00000000009B0000-0x0000000000A4B000-memory.dmp

Filesize
620KB

Download
memory/2520-58-0x00000000009B0000-0x0000000000A4B000-memory.dmp

Filesize
620KB

Download
memory/2520-59-0x00000000009B0000-0x0000000000A4B000-memory.dmp

Filesize
620KB

Download
memory/3044-23-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3044-31-0x0000000001F00000-0x0000000001F68000-memory.dmp

Filesize
416KB

Download
memory/3044-32-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download