urelas | 86cc68de2266eaf0560de17db6ecb6b709def9c57ce97d02e5bc0b29ac3d1757

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe
Size

424KB
MD5

e3fefcba5a3db158d0bf494df1a80cf0
SHA1

ff90099b08b134a55bc39970c4f3952d32ca501f
SHA256

86cc68de2266eaf0560de17db6ecb6b709def9c57ce97d02e5bc0b29ac3d1757
SHA512

520200330946490715abf5fae7d73d934a812f759e89633dab8b7561091b597fd27dd20d5b2d3d88aba7439255073989522da6946b33f7d679bfa1420e86dccc
SSDEEP

6144:to3wRi+1Py3V0a2WkQ6P9N2Y/Op9eXQ6fU//BFuHt07Vx9Ulw:w6f1PyKa2u6P9N2y3U/mHyUw

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2308	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
388	cuasp.exe
2296	ovojc.exe

Loads dropped DLL 2 IoCs

pid	Process
1740	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe
388	cuasp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe
2296	ovojc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 388	1740	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	28
PID 1740 wrote to memory of 388	1740	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	28
PID 1740 wrote to memory of 388	1740	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	28
PID 1740 wrote to memory of 388	1740	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	28
PID 1740 wrote to memory of 2308	1740	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	29
PID 1740 wrote to memory of 2308	1740	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	29
PID 1740 wrote to memory of 2308	1740	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	29
PID 1740 wrote to memory of 2308	1740	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	29
PID 388 wrote to memory of 2296	388	cuasp.exe	33
PID 388 wrote to memory of 2296	388	cuasp.exe	33
PID 388 wrote to memory of 2296	388	cuasp.exe	33
PID 388 wrote to memory of 2296	388	cuasp.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\cuasp.exe
  "C:\Users\Admin\AppData\Local\Temp\cuasp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\ovojc.exe
    "C:\Users\Admin\AppData\Local\Temp\ovojc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
3220a78c74f8c72a2bc4ab163889aa4c

SHA1
ea6312cf00fff3b5f9809b600ebed5399d9c9aa8

SHA256
906a392b0af8ee7573e5a6cba81bc2eb335609b9ba8d9bc76a6cc6f41af29c3a

SHA512
d79ee57992db81599a99513ab02986a82653beb9fb1d6d4aa9eeea00c0c1b9df76dd198cf7d83843d000e43cebc6798c2e99855ac0bc6318e6c6b7fab9a40018

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
3220a78c74f8c72a2bc4ab163889aa4c

SHA1
ea6312cf00fff3b5f9809b600ebed5399d9c9aa8

SHA256
906a392b0af8ee7573e5a6cba81bc2eb335609b9ba8d9bc76a6cc6f41af29c3a

SHA512
d79ee57992db81599a99513ab02986a82653beb9fb1d6d4aa9eeea00c0c1b9df76dd198cf7d83843d000e43cebc6798c2e99855ac0bc6318e6c6b7fab9a40018

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuasp.exe

Filesize
424KB

MD5
2b63c8a2a36df2fb0a8dcbd9be48a3d9

SHA1
8495ea9bb4eccb2c451b7eed4cf018472ec45539

SHA256
b4a7118c45a80d5590e719325fd262480e96ecc95699b06f3ea7729177befb70

SHA512
9f4fb026d43f1756380b50d9f848bbbc007de15efa7872ced1521e353d1862287df73b068cf4d4366a09f5705188c98abda3ed37264d4b46bcb11d26f2f77f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuasp.exe

Filesize
424KB

MD5
2b63c8a2a36df2fb0a8dcbd9be48a3d9

SHA1
8495ea9bb4eccb2c451b7eed4cf018472ec45539

SHA256
b4a7118c45a80d5590e719325fd262480e96ecc95699b06f3ea7729177befb70

SHA512
9f4fb026d43f1756380b50d9f848bbbc007de15efa7872ced1521e353d1862287df73b068cf4d4366a09f5705188c98abda3ed37264d4b46bcb11d26f2f77f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
110a328a58e4969f74f6b610d07859db

SHA1
c80d8c2c2fd8a8e57f743d30ada0e773eea56fd1

SHA256
dfe3e4ec41ab9238a35c9559051ba3c21c21d988932130744512c67909e69573

SHA512
7c20de992eba1460ed3ba71642a0606732acbebf459ce7fa5658562eb48b7c93e490c848298f2f10789db77d50bfb72e62579912fc997b1d63c3720583ee227f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovojc.exe

Filesize
208KB

MD5
fc87525ccf3a27086aa76fe043787a74

SHA1
40223b8fcbd7370bbcbeddf05221f97100ac3b5e

SHA256
93b6e6eadfaaba7a0c0b6a0e1ec4c93b55d9eea4ede83bde338a6a1ed4c039d4

SHA512
2e668272ebc8029db16cab4f5bfeb95a183ae3cf9932cf0a1ed2aa8c2a163076f7d4e9dc90828f3c63269ab7ff549090cb96617d6d470af9ec8c9e6fd95d75ab

Download Submit
\Users\Admin\AppData\Local\Temp\cuasp.exe

Filesize
424KB

MD5
2b63c8a2a36df2fb0a8dcbd9be48a3d9

SHA1
8495ea9bb4eccb2c451b7eed4cf018472ec45539

SHA256
b4a7118c45a80d5590e719325fd262480e96ecc95699b06f3ea7729177befb70

SHA512
9f4fb026d43f1756380b50d9f848bbbc007de15efa7872ced1521e353d1862287df73b068cf4d4366a09f5705188c98abda3ed37264d4b46bcb11d26f2f77f06

Download Submit
\Users\Admin\AppData\Local\Temp\ovojc.exe

Filesize
208KB

MD5
fc87525ccf3a27086aa76fe043787a74

SHA1
40223b8fcbd7370bbcbeddf05221f97100ac3b5e

SHA256
93b6e6eadfaaba7a0c0b6a0e1ec4c93b55d9eea4ede83bde338a6a1ed4c039d4

SHA512
2e668272ebc8029db16cab4f5bfeb95a183ae3cf9932cf0a1ed2aa8c2a163076f7d4e9dc90828f3c63269ab7ff549090cb96617d6d470af9ec8c9e6fd95d75ab

Download Submit
memory/388-27-0x0000000000210000-0x000000000027C000-memory.dmp

Filesize
432KB

Download
memory/388-21-0x0000000000210000-0x000000000027C000-memory.dmp

Filesize
432KB

Download
memory/388-28-0x0000000003420000-0x00000000034BE000-memory.dmp

Filesize
632KB

Download
memory/388-10-0x0000000000210000-0x000000000027C000-memory.dmp

Filesize
432KB

Download
memory/1740-0-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1740-18-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1740-6-0x0000000000580000-0x00000000005EC000-memory.dmp

Filesize
432KB

Download
memory/2296-31-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2296-30-0x0000000000930000-0x00000000009CE000-memory.dmp

Filesize
632KB

Download
memory/2296-33-0x0000000000930000-0x00000000009CE000-memory.dmp

Filesize
632KB

Download
memory/2296-34-0x0000000000930000-0x00000000009CE000-memory.dmp

Filesize
632KB

Download
memory/2296-35-0x0000000000930000-0x00000000009CE000-memory.dmp

Filesize
632KB

Download
memory/2296-36-0x0000000000930000-0x00000000009CE000-memory.dmp

Filesize
632KB

Download
memory/2296-37-0x0000000000930000-0x00000000009CE000-memory.dmp

Filesize
632KB

Download