Overview

overview

10

Static

static

10

NEAS.63455...JC.exe

windows7-x64

10

NEAS.63455...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2023 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.634553c3552a5cf504088f62339f89f0_JC.exe

  • Size

    464KB

  • MD5

    634553c3552a5cf504088f62339f89f0

  • SHA1

    dff328fd46ccaa0a941735555b41e6657a01aa9e

  • SHA256

    02991152e889974570fc095dbc1fbdb9b6bfc06c9bde74ed2f1c8d97c1404c9b

  • SHA512

    6876b4b84dba225dfc2714a00545daa173752d7d1a785b790492b4bef0e82054a799cf69afaecf7aac553193a14df23982c7cb26a0d5e76c2f483bd40079050f

  • SSDEEP

    6144:k9H4y9VOpL/DeRRoSGFPRuDYBzFrY5dRA2AkCMnZi6c/2AS9kFwJARejm7I:kZF9VOpnqoSG1EcBhs9xAkLZMomI

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.634553c3552a5cf504088f62339f89f0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.634553c3552a5cf504088f62339f89f0_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      "C:\Users\Admin\AppData\Local\Temp\sander.exe"
      2⤵
      • Executes dropped EXE
      PID:3828
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
      2⤵
        PID:3452

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
      Filesize

      293B

      MD5

      7e36639bc30041095470dd7551201397

      SHA1

      54f96768d53904630c95cf73ddcd71b6a49196b9

      SHA256

      a072ba8d2e54316385090f97c7d97f0e3d2a732123c4cf67d2dde8c621d9b896

      SHA512

      a6f29e1af54e6f8ddb8d933ede0ab13efe4eadb9915dbbc777dc8cc6568b9995900fa325ced3e8eea27d0c05605a3672988ef2f0a64d64e6043200024d6e6851

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      178eba193b631d7b0653896453b678b2

      SHA1

      8878cae8fb5417248da5800e4d85b00149160404

      SHA256

      8c7800dfaf639b17e6b682b6fa2365275e6f80d07e6aa6bb56b676669d0e9db5

      SHA512

      936f9ec171c7ad5aa63c6691d9ea109a3f1ef31fe00bc26fe5afa8ae0ee21b5d3f65e873a242e7986f98bcb9abc82911dbf34bb907ed7a4973e959b7e90c69d5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      Filesize

      464KB

      MD5

      c62228cd43447ddf70f59a1f656c224e

      SHA1

      d297c35a73e51cb8ffb328cd9b4757eec1292bae

      SHA256

      4059e1da861cc7c3df70867d0d21ac65af2ef3a56605759c9bf3fd525e39e147

      SHA512

      457fea35afb62b2498907817147f55a35057e582b73895357e65b51ae0a808c1c152d2f929e18b5317c138b86fdb97cc991827b6e3c3f2a19d411e0b0fbbd135

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      Filesize

      464KB

      MD5

      c62228cd43447ddf70f59a1f656c224e

      SHA1

      d297c35a73e51cb8ffb328cd9b4757eec1292bae

      SHA256

      4059e1da861cc7c3df70867d0d21ac65af2ef3a56605759c9bf3fd525e39e147

      SHA512

      457fea35afb62b2498907817147f55a35057e582b73895357e65b51ae0a808c1c152d2f929e18b5317c138b86fdb97cc991827b6e3c3f2a19d411e0b0fbbd135

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      Filesize

      464KB

      MD5

      c62228cd43447ddf70f59a1f656c224e

      SHA1

      d297c35a73e51cb8ffb328cd9b4757eec1292bae

      SHA256

      4059e1da861cc7c3df70867d0d21ac65af2ef3a56605759c9bf3fd525e39e147

      SHA512

      457fea35afb62b2498907817147f55a35057e582b73895357e65b51ae0a808c1c152d2f929e18b5317c138b86fdb97cc991827b6e3c3f2a19d411e0b0fbbd135

      Download Submit

    • memory/3828-16-0x0000000000400000-0x00000000004A9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/3828-17-0x0000000000400000-0x00000000004A9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/4008-0-0x0000000000400000-0x00000000004A9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/4008-13-0x0000000000400000-0x00000000004A9000-memory.dmp

      Filesize

      676KB

      Download