urelas | 8883fe5419b8e9a2c69f780814b186b7e95a54234d3ae3cdf1f520191c6a17a3

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764b2530d5d53eb19a16030f1acbc810_NEIKI.exe
Size

442KB
MD5

764b2530d5d53eb19a16030f1acbc810
SHA1

97b8e007ccde836487648b4f9ad0b031fd92e1d4
SHA256

8883fe5419b8e9a2c69f780814b186b7e95a54234d3ae3cdf1f520191c6a17a3
SHA512

27521a928b2e51aae18417896a976b9a0e41e2a98d6633ee3fa3f2ddf1436532b804d4971d5975fffd318f7a7313627ab0630db2aa3e92c461efc1c3306d8d33
SSDEEP

6144:r/o4H3gaDLFHlB7goSsj/ZQUWvYqDUbsbX6EdK77RXW7VGwrLO8O77v:rgA3gaDdAoSOWUWvXbX5g7pW7JM

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

121.88.5.182

112.223.217.101

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2344	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1740	sander.exe

Loads dropped DLL 1 IoCs

pid	Process
2204	764b2530d5d53eb19a16030f1acbc810_NEIKI.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000CF0000-0x0000000000D8E000-memory.dmp	upx
behavioral1/files/0x0031000000015cf5-4.dat	upx
behavioral1/memory/1740-18-0x00000000003C0000-0x000000000045E000-memory.dmp	upx
behavioral1/memory/2204-16-0x0000000000CF0000-0x0000000000D8E000-memory.dmp	upx
behavioral1/memory/1740-21-0x00000000003C0000-0x000000000045E000-memory.dmp	upx
behavioral1/memory/1740-22-0x00000000003C0000-0x000000000045E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1740	2204	764b2530d5d53eb19a16030f1acbc810_NEIKI.exe	28
PID 2204 wrote to memory of 1740	2204	764b2530d5d53eb19a16030f1acbc810_NEIKI.exe	28
PID 2204 wrote to memory of 1740	2204	764b2530d5d53eb19a16030f1acbc810_NEIKI.exe	28
PID 2204 wrote to memory of 1740	2204	764b2530d5d53eb19a16030f1acbc810_NEIKI.exe	28
PID 2204 wrote to memory of 2344	2204	764b2530d5d53eb19a16030f1acbc810_NEIKI.exe	29
PID 2204 wrote to memory of 2344	2204	764b2530d5d53eb19a16030f1acbc810_NEIKI.exe	29
PID 2204 wrote to memory of 2344	2204	764b2530d5d53eb19a16030f1acbc810_NEIKI.exe	29
PID 2204 wrote to memory of 2344	2204	764b2530d5d53eb19a16030f1acbc810_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\764b2530d5d53eb19a16030f1acbc810_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\764b2530d5d53eb19a16030f1acbc810_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
289B

MD5
b776fea7db8d2df9fbe3ce9dda27d189

SHA1
5eeb498091fc207fb7b8e1fc665e16a6ea794483

SHA256
da2dec127a84ad570195a94122be733cb26b9294a649ea2cfeac52af29443bcd

SHA512
340254ef283299a069c99b67699c27e0016d48e13b11e4072cc7467044ed34189e0f2e9474e6364ab10d811c59025724c0f894376b7608c043ad92eb74b12ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
478fec1df0aef79beb699928cb2787fa

SHA1
dfff00b9eceaebff908ca9681320d4c770f14814

SHA256
c186c06d9bed7785981b05d4c474afd33a83f9ef0e8f5a558505a44af519ec30

SHA512
9875eb579e6ab7d8595be86eb53bb8aec6b6d09af4f96742aea1dbcf21fda7e1b7bb561ad5bdbc560472d94e76eca975e33d8ca9ae6e30d1261b86dbb511cf6f

Download Submit
\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
442KB

MD5
314452be02910016656485e40ea700c3

SHA1
6ac664ed4d01eaedd02d451565f10b53466f82ec

SHA256
232e6f46509e3534fb47ee26796cc2374ec0c89bd308c0331b481149bc139f23

SHA512
27c400dd3289ba92383376e7f79751b6482ffc7643dc68c7ea5392f32496ee95bdfae7f091e302ac0170a2d5e07a7b48398820c56fe25f6d9cb9cb5fd8ee61da

Download Submit
memory/1740-18-0x00000000003C0000-0x000000000045E000-memory.dmp

Filesize
632KB

Download
memory/1740-21-0x00000000003C0000-0x000000000045E000-memory.dmp

Filesize
632KB

Download
memory/1740-22-0x00000000003C0000-0x000000000045E000-memory.dmp

Filesize
632KB

Download
memory/2204-0-0x0000000000CF0000-0x0000000000D8E000-memory.dmp

Filesize
632KB

Download
memory/2204-17-0x0000000000630000-0x00000000006CE000-memory.dmp

Filesize
632KB

Download
memory/2204-16-0x0000000000CF0000-0x0000000000D8E000-memory.dmp

Filesize
632KB

Download