urelas | ab606707a0af318a5c6de74150537db93d2c0f35b5a29c54a88ae4d34dbd2c35

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6240cda4202c834e1011a6f64d524990.exe
Size

404KB
MD5

6240cda4202c834e1011a6f64d524990
SHA1

2729d163ae56f2beeff217e4f818c3192d339094
SHA256

ab606707a0af318a5c6de74150537db93d2c0f35b5a29c54a88ae4d34dbd2c35
SHA512

fd968d3a78601a774fa54c2bdb0014417e58becf4a86f563780682d2fd463e31222f8014b25404b4b0f44af206d6db89d863109473163af6600aa062e6a1d2c7
SSDEEP

6144:UzU7blKDlTiCWhWapKRaRXOkN4Swel6f3IuOI:uU7M1ijWh0XOW4sEfHOI

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Executes dropped EXE 1 IoCs

pid	Process
1924	miogw.exe

Loads dropped DLL 2 IoCs

pid	Process
2440	NEAS.6240cda4202c834e1011a6f64d524990.exe
2440	NEAS.6240cda4202c834e1011a6f64d524990.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	2440	WerFault.exe	27

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1924	2440	NEAS.6240cda4202c834e1011a6f64d524990.exe	28
PID 2440 wrote to memory of 1924	2440	NEAS.6240cda4202c834e1011a6f64d524990.exe	28
PID 2440 wrote to memory of 1924	2440	NEAS.6240cda4202c834e1011a6f64d524990.exe	28
PID 2440 wrote to memory of 1924	2440	NEAS.6240cda4202c834e1011a6f64d524990.exe	28
PID 2440 wrote to memory of 2332	2440	NEAS.6240cda4202c834e1011a6f64d524990.exe	29
PID 2440 wrote to memory of 2332	2440	NEAS.6240cda4202c834e1011a6f64d524990.exe	29
PID 2440 wrote to memory of 2332	2440	NEAS.6240cda4202c834e1011a6f64d524990.exe	29
PID 2440 wrote to memory of 2332	2440	NEAS.6240cda4202c834e1011a6f64d524990.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.6240cda4202c834e1011a6f64d524990.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6240cda4202c834e1011a6f64d524990.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\miogw.exe
  "C:\Users\Admin\AppData\Local\Temp\miogw.exe"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 508
  2⤵
  - Program crash
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ebb7df1ed089fe96ed6e053208485dd2

SHA1
d1c3ec4e0c28238283e36c2d9dc08ed68ae6017c

SHA256
0314cae919a54b951cbbebc5eeb25226121f4a2beeddb83de2e225afe83b1340

SHA512
bbf64bb74ef3d7e5a6801ae5bc8b5bc2b6cb048dc56adcf29ee6461c1da6a25b681cb8e82429d58088d048daf03006aac6c74e5b57739e86016bc36f05cfbe5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\miogw.exe

Filesize
404KB

MD5
cbb929d47e02220d18174a178f601087

SHA1
ca26e8a014e578fac76edecaa246ce9a0303f0a1

SHA256
4c777816c69fac258531c1d57f2bc7abf3ba5a6f4fa4438dbb24a9d113ba339f

SHA512
7263746edc4266e7736af749803aa1b549d8a2d60fd8eeff14cdf19e77c895f2cd51e86a66ef50fdb7233d0dfbd9f01145809dabc9d4e9fd9189eb86d0a6b32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\miogw.exe

Filesize
404KB

MD5
cbb929d47e02220d18174a178f601087

SHA1
ca26e8a014e578fac76edecaa246ce9a0303f0a1

SHA256
4c777816c69fac258531c1d57f2bc7abf3ba5a6f4fa4438dbb24a9d113ba339f

SHA512
7263746edc4266e7736af749803aa1b549d8a2d60fd8eeff14cdf19e77c895f2cd51e86a66ef50fdb7233d0dfbd9f01145809dabc9d4e9fd9189eb86d0a6b32e

Download Submit
\Users\Admin\AppData\Local\Temp\miogw.exe

Filesize
404KB

MD5
cbb929d47e02220d18174a178f601087

SHA1
ca26e8a014e578fac76edecaa246ce9a0303f0a1

SHA256
4c777816c69fac258531c1d57f2bc7abf3ba5a6f4fa4438dbb24a9d113ba339f

SHA512
7263746edc4266e7736af749803aa1b549d8a2d60fd8eeff14cdf19e77c895f2cd51e86a66ef50fdb7233d0dfbd9f01145809dabc9d4e9fd9189eb86d0a6b32e

Download Submit
\Users\Admin\AppData\Local\Temp\miogw.exe

Filesize
404KB

MD5
cbb929d47e02220d18174a178f601087

SHA1
ca26e8a014e578fac76edecaa246ce9a0303f0a1

SHA256
4c777816c69fac258531c1d57f2bc7abf3ba5a6f4fa4438dbb24a9d113ba339f

SHA512
7263746edc4266e7736af749803aa1b549d8a2d60fd8eeff14cdf19e77c895f2cd51e86a66ef50fdb7233d0dfbd9f01145809dabc9d4e9fd9189eb86d0a6b32e

Download Submit
memory/1924-12-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1924-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2440-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2440-11-0x0000000002570000-0x00000000025D5000-memory.dmp

Filesize
404KB

Download