Overview

overview

10

Static

static

10

NEAS.faa05...20.exe

windows7-x64

10

NEAS.faa05...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2023, 05:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.faa0567709678cbd4466cc42ea682d20.exe

  • Size

    474KB

  • MD5

    faa0567709678cbd4466cc42ea682d20

  • SHA1

    5b978ba0e293e4ef3d2ad100fb5e977c74ff2159

  • SHA256

    4583b9eb705f7688ab247833d11cda0547dbecdbd5648950818989dba23f6717

  • SHA512

    04babb20f313f821edb18c689bf1ff85c9a46b412b72f9b3c443d6340e4ff72a1fce2249252e3ad971afa1d8d6c4e0dde3f72e0020d287f3cba9273a3025b5ce

  • SSDEEP

    12288:MrKQUXfDqcDib2vqYzGp53ncgqmy0VFHJw:MuQcGbOJKpVncgu

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.faa0567709678cbd4466cc42ea682d20.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.faa0567709678cbd4466cc42ea682d20.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Users\Admin\AppData\Local\Temp\revua.exe
      "C:\Users\Admin\AppData\Local\Temp\revua.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5072
      • C:\Users\Admin\AppData\Local\Temp\lucio.exe
        "C:\Users\Admin\AppData\Local\Temp\lucio.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1996
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:4780

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
            Filesize

            286B

            MD5

            2fa21b4dd1c3fb6a111fa9d7c79490c5

            SHA1

            e15c858b782fffa328fd85cf26054d29280002b2

            SHA256

            231b132eda58ac11020600a323bc2782810ab2821bf3ba8307653636cca29e2a

            SHA512

            b2f10d61137cf00497eec50b3357cac38f3eb0aa88e33172814439b9ef3b66a5fa3cdfae02a093c830c66f39fec8bd94a8f88e3ad53334b1acc3787fe7d664d9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
            Filesize

            512B

            MD5

            8f99ee7272dd1407113f396fe5a8898f

            SHA1

            f7b16930fcf441e055dbb5d1151cf14069a8169c

            SHA256

            b5d9b43a15a15d53fc75b7f7383b774d14dcdf51ae51401bbbedfbbea2f00e53

            SHA512

            60f9a9bd5964bf3eb23c947d8348c25add089917e4b6e21d128332f2b1feb3f1d0738c5fb5dc62b585dd1d4bfe22968e31ce8cb6231e039f0ebc62a270859855

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\lucio.exe
            Filesize

            223KB

            MD5

            48a1b4b432ca71b212b0020eb16ce6c9

            SHA1

            4c2b50ed16875994b9c55149c437c035c65f3466

            SHA256

            989d2bd8f01b83ad3f79261d3af53eef3632ada13ad48c145e82802208dc29fb

            SHA512

            f0b27d04decc526d75ec99c0125023b00e40a118648d636630f8d4cff22bad34661c8f6f6079dff4a6115787a440a9261e5fba09fd5528684bbcbd65c7c2c90c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\lucio.exe
            Filesize

            223KB

            MD5

            48a1b4b432ca71b212b0020eb16ce6c9

            SHA1

            4c2b50ed16875994b9c55149c437c035c65f3466

            SHA256

            989d2bd8f01b83ad3f79261d3af53eef3632ada13ad48c145e82802208dc29fb

            SHA512

            f0b27d04decc526d75ec99c0125023b00e40a118648d636630f8d4cff22bad34661c8f6f6079dff4a6115787a440a9261e5fba09fd5528684bbcbd65c7c2c90c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\lucio.exe
            Filesize

            223KB

            MD5

            48a1b4b432ca71b212b0020eb16ce6c9

            SHA1

            4c2b50ed16875994b9c55149c437c035c65f3466

            SHA256

            989d2bd8f01b83ad3f79261d3af53eef3632ada13ad48c145e82802208dc29fb

            SHA512

            f0b27d04decc526d75ec99c0125023b00e40a118648d636630f8d4cff22bad34661c8f6f6079dff4a6115787a440a9261e5fba09fd5528684bbcbd65c7c2c90c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\revua.exe
            Filesize

            474KB

            MD5

            f79a32ef2e4e0aafbcaa0125b80977af

            SHA1

            9708c2e7e454015c7b3985ff5d1ffe276b126dba

            SHA256

            048f06587dd3e9f36e4c6b9a4621628be0c115bde81b895f33b1a2cf6a0c7051

            SHA512

            9644885ec2b3786feb17fc4236b4df4691712752954fd889286179e01c4bc74bd866ec62797f986b64bc2176cce49573fd89f972eeb4f5cd14b13f7295fd9fbf

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\revua.exe
            Filesize

            474KB

            MD5

            f79a32ef2e4e0aafbcaa0125b80977af

            SHA1

            9708c2e7e454015c7b3985ff5d1ffe276b126dba

            SHA256

            048f06587dd3e9f36e4c6b9a4621628be0c115bde81b895f33b1a2cf6a0c7051

            SHA512

            9644885ec2b3786feb17fc4236b4df4691712752954fd889286179e01c4bc74bd866ec62797f986b64bc2176cce49573fd89f972eeb4f5cd14b13f7295fd9fbf

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\revua.exe
            Filesize

            474KB

            MD5

            f79a32ef2e4e0aafbcaa0125b80977af

            SHA1

            9708c2e7e454015c7b3985ff5d1ffe276b126dba

            SHA256

            048f06587dd3e9f36e4c6b9a4621628be0c115bde81b895f33b1a2cf6a0c7051

            SHA512

            9644885ec2b3786feb17fc4236b4df4691712752954fd889286179e01c4bc74bd866ec62797f986b64bc2176cce49573fd89f972eeb4f5cd14b13f7295fd9fbf

            Download Submit

          • memory/1996-27-0x0000000000400000-0x00000000004B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/1996-25-0x0000000000400000-0x00000000004B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/1996-24-0x0000000000400000-0x00000000004B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/1996-28-0x0000000000400000-0x00000000004B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/1996-29-0x0000000000400000-0x00000000004B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/1996-30-0x0000000000400000-0x00000000004B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/1996-31-0x0000000000400000-0x00000000004B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/1996-32-0x0000000000400000-0x00000000004B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/1996-33-0x0000000000400000-0x00000000004B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3308-0-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/5072-12-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download