urelas | a3d93ac6346281e7dee8546016bf2114e3d45e39210b1b45d4a70246d4fa4265

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe
Size

454KB
MD5

1be0175b239625d2b3ed3642c0a703e0
SHA1

f24a9b1e5d8ca62d936c6f320eeaa7b38a6e9272
SHA256

a3d93ac6346281e7dee8546016bf2114e3d45e39210b1b45d4a70246d4fa4265
SHA512

e661f10c66c97276665888c29c3e8341e87d0be098ae7750617e63a582817bbd6ef66860787f4de2fa6f1bb321bcf5e6053c10587c748eaa8bdb3a7334b859f7
SSDEEP

6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhVOpdFRdm/3le:LMpASIcWYx2U6hAJVN0

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2616	myyfr.exe
2788	upneve.exe
1140	cimad.exe

Loads dropped DLL 4 IoCs

pid	Process
1588	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe
2616	myyfr.exe
2788	upneve.exe
2788	upneve.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2616	1588	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	28
PID 1588 wrote to memory of 2616	1588	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	28
PID 1588 wrote to memory of 2616	1588	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	28
PID 1588 wrote to memory of 2616	1588	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	28
PID 1588 wrote to memory of 2860	1588	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	29
PID 1588 wrote to memory of 2860	1588	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	29
PID 1588 wrote to memory of 2860	1588	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	29
PID 1588 wrote to memory of 2860	1588	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	29
PID 2616 wrote to memory of 2788	2616	myyfr.exe	31
PID 2616 wrote to memory of 2788	2616	myyfr.exe	31
PID 2616 wrote to memory of 2788	2616	myyfr.exe	31
PID 2616 wrote to memory of 2788	2616	myyfr.exe	31
PID 2788 wrote to memory of 1140	2788	upneve.exe	36
PID 2788 wrote to memory of 1140	2788	upneve.exe	36
PID 2788 wrote to memory of 1140	2788	upneve.exe	36
PID 2788 wrote to memory of 1140	2788	upneve.exe	36
PID 2788 wrote to memory of 2916	2788	upneve.exe	35
PID 2788 wrote to memory of 2916	2788	upneve.exe	35
PID 2788 wrote to memory of 2916	2788	upneve.exe	35
PID 2788 wrote to memory of 2916	2788	upneve.exe	35

C:\Users\Admin\AppData\Local\Temp\NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\myyfr.exe
  "C:\Users\Admin\AppData\Local\Temp\myyfr.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\upneve.exe
    "C:\Users\Admin\AppData\Local\Temp\upneve.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\cimad.exe
      "C:\Users\Admin\AppData\Local\Temp\cimad.exe"
      4⤵
      Executes dropped EXE
      PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
4d19b5404a4ca690dd1f5cd3ff892ade

SHA1
1bbe4cfbb2cbf082f715e8b83ad0f5e5c5f2b831

SHA256
c3b9ee46b3091cf5ac75ade8d501c1d7f49d7d02efd8d38a30676ea3760b48e5

SHA512
aafff6fdbc7b4cc9809863645d5bee8f49bc4065a04107cb4a407d8a4304b644e3d0dd878d3021baf0e99cba19c3ab6e725726ad36a2fd2d49d1da8d03c5f548

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
4d19b5404a4ca690dd1f5cd3ff892ade

SHA1
1bbe4cfbb2cbf082f715e8b83ad0f5e5c5f2b831

SHA256
c3b9ee46b3091cf5ac75ade8d501c1d7f49d7d02efd8d38a30676ea3760b48e5

SHA512
aafff6fdbc7b4cc9809863645d5bee8f49bc4065a04107cb4a407d8a4304b644e3d0dd878d3021baf0e99cba19c3ab6e725726ad36a2fd2d49d1da8d03c5f548

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
cce71f3d8ef465a418dc5d412017da33

SHA1
1d4abb870d2e9d07465f2b7071093896bf1bf09f

SHA256
c0af8f991fb2f41870ffcce9e038919464bcd2aa49216d2b74409571bfeafdb9

SHA512
d8a9e20132f369eba5b83195fa6e79cf53e4f5fec585a13cd99e7fbc57f399e2b127a43848ec7c61a63aa138d794e9d6fb26f6760a9dbb323d48e93f2ca9eed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
cce71f3d8ef465a418dc5d412017da33

SHA1
1d4abb870d2e9d07465f2b7071093896bf1bf09f

SHA256
c0af8f991fb2f41870ffcce9e038919464bcd2aa49216d2b74409571bfeafdb9

SHA512
d8a9e20132f369eba5b83195fa6e79cf53e4f5fec585a13cd99e7fbc57f399e2b127a43848ec7c61a63aa138d794e9d6fb26f6760a9dbb323d48e93f2ca9eed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cimad.exe

Filesize
223KB

MD5
cddcad657387f3d8099b028b39547a3f

SHA1
16d6e8ded19162c4062deaea413d318b18f0a9f4

SHA256
12bfb3a678f887a55f2f933bed43c9b1a1b8854de74784557eeb572b3ed678f1

SHA512
19ecfb617b231e5877b1f86ad6d6c875275e8fc424961a85e108bed6bd959ec0fbe55f321f25b142f3dca0fdf61942c7692d9019e0d06ec75fc50372b0bfdb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\cimad.exe

Filesize
223KB

MD5
cddcad657387f3d8099b028b39547a3f

SHA1
16d6e8ded19162c4062deaea413d318b18f0a9f4

SHA256
12bfb3a678f887a55f2f933bed43c9b1a1b8854de74784557eeb572b3ed678f1

SHA512
19ecfb617b231e5877b1f86ad6d6c875275e8fc424961a85e108bed6bd959ec0fbe55f321f25b142f3dca0fdf61942c7692d9019e0d06ec75fc50372b0bfdb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
599a31f3586ae3b184ea0771825ade0b

SHA1
71c99a4e4ad91c0c151ceef9e4994a00b7ef9027

SHA256
3eb442c7cfdd854725a2d78300fd6d46752d597a28d926e379deceb6d3c1c57a

SHA512
f094e9f111b206bf0d659b58a49df6365898b775e5a8157dc826dccb2f61736608ef91c22ed949dd97b1ddd286eeaa1dfd028f25ec80e2318b378fa954f44c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\myyfr.exe

Filesize
454KB

MD5
21e9acbeceb60c5ebf0e8b63e2314b45

SHA1
f23eddd3fdf9a657ac46669a24e56c5347582022

SHA256
03ef2b9e649cdac75645b6f96c0467aad69033099fd10d90932281c5ca0e10ef

SHA512
9a9204977c41bbcc7b6604154bd1bd47105cc8baa6bf6d7265129a312265e9b4cd8dd5658681834df515f5a3b67fc315b725b083b4a1c01f207be28ded80bbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\myyfr.exe

Filesize
454KB

MD5
21e9acbeceb60c5ebf0e8b63e2314b45

SHA1
f23eddd3fdf9a657ac46669a24e56c5347582022

SHA256
03ef2b9e649cdac75645b6f96c0467aad69033099fd10d90932281c5ca0e10ef

SHA512
9a9204977c41bbcc7b6604154bd1bd47105cc8baa6bf6d7265129a312265e9b4cd8dd5658681834df515f5a3b67fc315b725b083b4a1c01f207be28ded80bbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\upneve.exe

Filesize
454KB

MD5
6a7f5ed02595b9a587260545a2df051e

SHA1
4f11c79438fd3bd82544e33e22c6203cc8b667a5

SHA256
60dc97d635bffa238033ac90499146fd2ba18401ed21d8f375538582827c0951

SHA512
9f252534cefe09436f6ee8ef08d399573af21e0a4816441767c6731136f296e7aef40791d5f6b6d521855d274f9f0ccb587be856e2afc6f5643574a2f4ff5129

Download Submit
C:\Users\Admin\AppData\Local\Temp\upneve.exe

Filesize
454KB

MD5
6a7f5ed02595b9a587260545a2df051e

SHA1
4f11c79438fd3bd82544e33e22c6203cc8b667a5

SHA256
60dc97d635bffa238033ac90499146fd2ba18401ed21d8f375538582827c0951

SHA512
9f252534cefe09436f6ee8ef08d399573af21e0a4816441767c6731136f296e7aef40791d5f6b6d521855d274f9f0ccb587be856e2afc6f5643574a2f4ff5129

Download Submit
C:\Users\Admin\AppData\Local\Temp\upneve.exe

Filesize
454KB

MD5
6a7f5ed02595b9a587260545a2df051e

SHA1
4f11c79438fd3bd82544e33e22c6203cc8b667a5

SHA256
60dc97d635bffa238033ac90499146fd2ba18401ed21d8f375538582827c0951

SHA512
9f252534cefe09436f6ee8ef08d399573af21e0a4816441767c6731136f296e7aef40791d5f6b6d521855d274f9f0ccb587be856e2afc6f5643574a2f4ff5129

Download Submit
\Users\Admin\AppData\Local\Temp\cimad.exe

Filesize
223KB

MD5
cddcad657387f3d8099b028b39547a3f

SHA1
16d6e8ded19162c4062deaea413d318b18f0a9f4

SHA256
12bfb3a678f887a55f2f933bed43c9b1a1b8854de74784557eeb572b3ed678f1

SHA512
19ecfb617b231e5877b1f86ad6d6c875275e8fc424961a85e108bed6bd959ec0fbe55f321f25b142f3dca0fdf61942c7692d9019e0d06ec75fc50372b0bfdb95

Download Submit
\Users\Admin\AppData\Local\Temp\cimad.exe

Filesize
223KB

MD5
cddcad657387f3d8099b028b39547a3f

SHA1
16d6e8ded19162c4062deaea413d318b18f0a9f4

SHA256
12bfb3a678f887a55f2f933bed43c9b1a1b8854de74784557eeb572b3ed678f1

SHA512
19ecfb617b231e5877b1f86ad6d6c875275e8fc424961a85e108bed6bd959ec0fbe55f321f25b142f3dca0fdf61942c7692d9019e0d06ec75fc50372b0bfdb95

Download Submit
\Users\Admin\AppData\Local\Temp\myyfr.exe

Filesize
454KB

MD5
21e9acbeceb60c5ebf0e8b63e2314b45

SHA1
f23eddd3fdf9a657ac46669a24e56c5347582022

SHA256
03ef2b9e649cdac75645b6f96c0467aad69033099fd10d90932281c5ca0e10ef

SHA512
9a9204977c41bbcc7b6604154bd1bd47105cc8baa6bf6d7265129a312265e9b4cd8dd5658681834df515f5a3b67fc315b725b083b4a1c01f207be28ded80bbad

Download Submit
\Users\Admin\AppData\Local\Temp\upneve.exe

Filesize
454KB

MD5
6a7f5ed02595b9a587260545a2df051e

SHA1
4f11c79438fd3bd82544e33e22c6203cc8b667a5

SHA256
60dc97d635bffa238033ac90499146fd2ba18401ed21d8f375538582827c0951

SHA512
9f252534cefe09436f6ee8ef08d399573af21e0a4816441767c6731136f296e7aef40791d5f6b6d521855d274f9f0ccb587be856e2afc6f5643574a2f4ff5129

Download Submit
memory/1588-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1588-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2616-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2788-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2788-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2788-38-0x0000000003740000-0x00000000037E0000-memory.dmp

Filesize
640KB

Download
memory/2788-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download