urelas | ce88880c864e08ea3f05fda81c87f9836b911e749a5c06128ff680ec14a31e56

Analysis

max time kernel
162s
max time network
134s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
18/11/2023, 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.82d8f58a170837c3a8426a6a3d372740.exe
Size

436KB
MD5

82d8f58a170837c3a8426a6a3d372740
SHA1

b560ced3c13531bacd2df377e93b54cc430e157f
SHA256

ce88880c864e08ea3f05fda81c87f9836b911e749a5c06128ff680ec14a31e56
SHA512

c3fe4fdd54a124639ef2f863809ff9e8d59edb4f9f5e21b2c90270461255113c38fcaca6037995b87c9bdc76f401313239035bcacdcb8e794f0a2915ca64e943
SSDEEP

6144:0KcGGKC2No1dYL+cuGvd7jpBAbn+cioljJCnViTQBCA8R8Fs5cvxFQLrANOqk:G1KCJcuGvFpBAbnJj4nfBKmxFUrAlk

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2152	wejar.exe
2564	pomoh.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	NEAS.82d8f58a170837c3a8426a6a3d372740.exe
2152	wejar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe
2564	pomoh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2152	2392	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	27
PID 2392 wrote to memory of 2152	2392	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	27
PID 2392 wrote to memory of 2152	2392	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	27
PID 2392 wrote to memory of 2152	2392	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	27
PID 2392 wrote to memory of 2720	2392	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	28
PID 2392 wrote to memory of 2720	2392	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	28
PID 2392 wrote to memory of 2720	2392	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	28
PID 2392 wrote to memory of 2720	2392	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	28
PID 2152 wrote to memory of 2564	2152	wejar.exe	32
PID 2152 wrote to memory of 2564	2152	wejar.exe	32
PID 2152 wrote to memory of 2564	2152	wejar.exe	32
PID 2152 wrote to memory of 2564	2152	wejar.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.82d8f58a170837c3a8426a6a3d372740.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.82d8f58a170837c3a8426a6a3d372740.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\wejar.exe
  "C:\Users\Admin\AppData\Local\Temp\wejar.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\pomoh.exe
    "C:\Users\Admin\AppData\Local\Temp\pomoh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
9e0157787d337ab97816d790f66ba499

SHA1
8aea5be667d5a627b444cbe13ebce0ed7dca8d21

SHA256
a099c5cc7259c6a4875fae54ff2d720252932ee65d7450197181bb40eea90070

SHA512
b815f63578fc389140aedc29aa5a8f62552bb8223873739f8a70fb75605cc7a4ce16292fc6002223adaf766748c0ba81623c417fa389d4a03203e9e24c9c4292

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
9e0157787d337ab97816d790f66ba499

SHA1
8aea5be667d5a627b444cbe13ebce0ed7dca8d21

SHA256
a099c5cc7259c6a4875fae54ff2d720252932ee65d7450197181bb40eea90070

SHA512
b815f63578fc389140aedc29aa5a8f62552bb8223873739f8a70fb75605cc7a4ce16292fc6002223adaf766748c0ba81623c417fa389d4a03203e9e24c9c4292

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5f78d0b640685f0b72ae01a936db82aa

SHA1
e6cb6c5d6b3430a45fd3709b99f6c30d86703c0c

SHA256
7012edb41a684714301d60761b1c9e2feb095ce7b35999af30dc05968477f63a

SHA512
8629bdc89c1a69810b17aa42b39160a6b6aedf9a485d0f270067f0401af24ddc43291a24ca6a31e46eee64cb576940005276f6f18d99089060833712d18aa718

Download Submit
C:\Users\Admin\AppData\Local\Temp\pomoh.exe

Filesize
196KB

MD5
88dc8e3213da9b6beb6feef41e20fb1e

SHA1
7d9a9a0138fc101f82beab502a892e6f0486684f

SHA256
9d8099678996950f322bb4f50ad6323a1f723ef6be994439f5310f2057d8257b

SHA512
dccc5be45a482f434a2b4514630361a6ef46f487530508270a8e42d82ec32386a5262d8b1d0bc642620da487071a98b66084b301faa58daca621034748dab08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wejar.exe

Filesize
436KB

MD5
750402a1aa23e73b3b0fada41486368b

SHA1
a4ee0312ab81d8da24ceb93400a4d6e9fc6e8fe1

SHA256
7b80502add8f790344dddd975b55972a5dd928dce4430b9a7089e709615e0cf6

SHA512
e2b15dda4ec6fdaf52cd3e6b7681151c3e77cdc5d68c8d19f6cef2c1336350350db5564c61d9ee84d5c0a84bd19d4c482f3e3378f94919715f971a4cbcd5a472

Download Submit
C:\Users\Admin\AppData\Local\Temp\wejar.exe

Filesize
436KB

MD5
750402a1aa23e73b3b0fada41486368b

SHA1
a4ee0312ab81d8da24ceb93400a4d6e9fc6e8fe1

SHA256
7b80502add8f790344dddd975b55972a5dd928dce4430b9a7089e709615e0cf6

SHA512
e2b15dda4ec6fdaf52cd3e6b7681151c3e77cdc5d68c8d19f6cef2c1336350350db5564c61d9ee84d5c0a84bd19d4c482f3e3378f94919715f971a4cbcd5a472

Download Submit
\Users\Admin\AppData\Local\Temp\pomoh.exe

Filesize
196KB

MD5
88dc8e3213da9b6beb6feef41e20fb1e

SHA1
7d9a9a0138fc101f82beab502a892e6f0486684f

SHA256
9d8099678996950f322bb4f50ad6323a1f723ef6be994439f5310f2057d8257b

SHA512
dccc5be45a482f434a2b4514630361a6ef46f487530508270a8e42d82ec32386a5262d8b1d0bc642620da487071a98b66084b301faa58daca621034748dab08d

Download Submit
\Users\Admin\AppData\Local\Temp\wejar.exe

Filesize
436KB

MD5
750402a1aa23e73b3b0fada41486368b

SHA1
a4ee0312ab81d8da24ceb93400a4d6e9fc6e8fe1

SHA256
7b80502add8f790344dddd975b55972a5dd928dce4430b9a7089e709615e0cf6

SHA512
e2b15dda4ec6fdaf52cd3e6b7681151c3e77cdc5d68c8d19f6cef2c1336350350db5564c61d9ee84d5c0a84bd19d4c482f3e3378f94919715f971a4cbcd5a472

Download Submit
memory/2152-38-0x0000000002A90000-0x0000000002B25000-memory.dmp

Filesize
596KB

Download
memory/2152-22-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/2152-37-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/2152-11-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2392-1-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2392-7-0x00000000027E0000-0x0000000002861000-memory.dmp

Filesize
516KB

Download
memory/2392-19-0x0000000000220000-0x00000000002A1000-memory.dmp

Filesize
516KB

Download
memory/2392-0-0x0000000000220000-0x00000000002A1000-memory.dmp

Filesize
516KB

Download
memory/2564-39-0x0000000000FB0000-0x0000000001045000-memory.dmp

Filesize
596KB

Download
memory/2564-41-0x0000000000FB0000-0x0000000001045000-memory.dmp

Filesize
596KB

Download
memory/2564-42-0x0000000000FB0000-0x0000000001045000-memory.dmp

Filesize
596KB

Download
memory/2564-43-0x0000000000FB0000-0x0000000001045000-memory.dmp

Filesize
596KB

Download
memory/2564-44-0x0000000000FB0000-0x0000000001045000-memory.dmp

Filesize
596KB

Download
memory/2564-45-0x0000000000FB0000-0x0000000001045000-memory.dmp

Filesize
596KB

Download