Overview

overview

10

Static

static

10

NEAS.aa6a4...30.exe

windows7-x64

10

NEAS.aa6a4...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-11-2023 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.aa6a4991054497ef793ad97082145a30.exe

  • Size

    136KB

  • MD5

    aa6a4991054497ef793ad97082145a30

  • SHA1

    3b7f9223f00a56c4ee387768639f711c372a3ada

  • SHA256

    9a0b1102da969a2c602582e6f8d6783f0f7bd01c08d4d34799f78f49418ba446

  • SHA512

    8a9f2994765c0732df0c37dc85d906fc3391f567deb558198cdc25db29340e7f71715233db6a68d5fd1522e6565e10e62228cdff5e36423fd8305119975ec1f7

  • SSDEEP

    1536:P/oEkqfCZ10zcT9Yh8AIXcjyz9cOXfiXGImcatMrsWjcdf6odgR5AP0:P/5kqCxiXEcO3XfGf2tMUf6odgR5Ac

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.aa6a4991054497ef793ad97082145a30.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.aa6a4991054497ef793ad97082145a30.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      PID:3608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
        PID:524

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      Filesize

      136KB

      MD5

      07a6872987f03d7bc616d6ccb0ce9a1e

      SHA1

      1ec68229116ed540185c1919b18073bcadd891fe

      SHA256

      769063bb585aa04c190421972915c0aa12a4d2e155a0f6054c8651bdddb67329

      SHA512

      8d05214b858b879979fa8d1e8dbcc3822376ffcdaec65dd5a3568126b633358712ef35d7bbd3634469103b05f505a82868c8d4b4779eab63a284a3628562499f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      Filesize

      136KB

      MD5

      07a6872987f03d7bc616d6ccb0ce9a1e

      SHA1

      1ec68229116ed540185c1919b18073bcadd891fe

      SHA256

      769063bb585aa04c190421972915c0aa12a4d2e155a0f6054c8651bdddb67329

      SHA512

      8d05214b858b879979fa8d1e8dbcc3822376ffcdaec65dd5a3568126b633358712ef35d7bbd3634469103b05f505a82868c8d4b4779eab63a284a3628562499f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      Filesize

      136KB

      MD5

      07a6872987f03d7bc616d6ccb0ce9a1e

      SHA1

      1ec68229116ed540185c1919b18073bcadd891fe

      SHA256

      769063bb585aa04c190421972915c0aa12a4d2e155a0f6054c8651bdddb67329

      SHA512

      8d05214b858b879979fa8d1e8dbcc3822376ffcdaec65dd5a3568126b633358712ef35d7bbd3634469103b05f505a82868c8d4b4779eab63a284a3628562499f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      0ecda9ecaa423d5a8481985b7d3d5a77

      SHA1

      ecc237c20c234cf9c0e20b39a39ab27244dc7971

      SHA256

      caed69520592602de846673610507a47e22e0fb108e8e88ba1a85b314607f0a9

      SHA512

      82ce4bfc411781d187b6151383064f18e22b37f5f03d783476fed1c8ba74ee38dc74b16badf96961e22d6b63ae31425ae785c17fa3bd5d767ae3b0bd9652fe3a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
      Filesize

      284B

      MD5

      f32996e035b0ceae1817b95718bb0ac1

      SHA1

      4234f2b9c53fec7caae9134aed8b5c7d75c750ff

      SHA256

      8b18469027d322830321947dee9f0c54a875f6a3f08d1a439275dc4e44e55535

      SHA512

      37bf59cd2d0c6853b5ac4acd2897c44a626e668b2a720ebadc3dc0bd6af37c1738f8ab79419461bc12e37e7d0af901d6fc873c5294b8b5b0fd12a9020656420b

      Download Submit

    • memory/1368-0-0x0000000000CD0000-0x0000000000CF7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1368-17-0x0000000000CD0000-0x0000000000CF7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3608-12-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3608-20-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download