urelas | 192fa0e3ad0807e703ac4e6c768a459d8554c59c03e528beda6509c79b8e1730

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 00:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

31fd42c852a73767983ebfccc333c200_NeikiAnalytics.exe
Size

483KB
MD5

31fd42c852a73767983ebfccc333c200
SHA1

40224f8005956adfff4817833e1c657bdb7d0787
SHA256

192fa0e3ad0807e703ac4e6c768a459d8554c59c03e528beda6509c79b8e1730
SHA512

7e0ad71f7649a953f97f97cc0242498134afa330f8ac062b700e958789ed8caa6675dc58ae2f323f9c1fb905a7bc13c0f22bf778fab22dc94838894863c008e6
SSDEEP

12288:yPd8fBT+RkEulOYyZCnWjXjJsj3C1WW8lTJU:yIp+RFuDyZCnUzJsG1WW8lFU

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	31fd42c852a73767983ebfccc333c200_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	bohuf.exe

Executes dropped EXE 2 IoCs

pid	Process
4100	bohuf.exe
2724	tonux.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe
2724	tonux.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 4100	920	31fd42c852a73767983ebfccc333c200_NeikiAnalytics.exe	87
PID 920 wrote to memory of 4100	920	31fd42c852a73767983ebfccc333c200_NeikiAnalytics.exe	87
PID 920 wrote to memory of 4100	920	31fd42c852a73767983ebfccc333c200_NeikiAnalytics.exe	87
PID 920 wrote to memory of 2408	920	31fd42c852a73767983ebfccc333c200_NeikiAnalytics.exe	88
PID 920 wrote to memory of 2408	920	31fd42c852a73767983ebfccc333c200_NeikiAnalytics.exe	88
PID 920 wrote to memory of 2408	920	31fd42c852a73767983ebfccc333c200_NeikiAnalytics.exe	88
PID 4100 wrote to memory of 2724	4100	bohuf.exe	93
PID 4100 wrote to memory of 2724	4100	bohuf.exe	93
PID 4100 wrote to memory of 2724	4100	bohuf.exe	93

C:\Users\Admin\AppData\Local\Temp\31fd42c852a73767983ebfccc333c200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31fd42c852a73767983ebfccc333c200_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\bohuf.exe
  "C:\Users\Admin\AppData\Local\Temp\bohuf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\tonux.exe
    "C:\Users\Admin\AppData\Local\Temp\tonux.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
306B

MD5
53e319ad5b8036e546002326578089d2

SHA1
41e2bc51ec3aa0399089639de1c943d29276a242

SHA256
a5e4d53b79e67d3af1cd6c9b716b8a40d1cac4f5d62e2aca199c9a62731ad0b9

SHA512
3a19458c3b8f93aeeaae3815dae1f16eac9f5e956104fdb849027beb6c34f3cada8f1c743631db3b2fb3e4d3e0cf0421da6a061e186f6622f32f971dafbfe3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bohuf.exe

Filesize
483KB

MD5
e4c7a3910b44c95622b91429ffbc2cde

SHA1
a843ea810f7bec2bef7528f830b8cc5fb112a927

SHA256
73c3955b383847a2414ce5eccc2f14e7c18c0c3648eb58afbae51025a885ea17

SHA512
40e7961504b59be6c2db84797b74642495a0f37bf5a3bcd35b7f956e7baecdbf1d498928b072876249fddf4eb6a783187025142bea61dc27b9d3e3d278e12aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3cd6c79d0a5b9b47861a0043d75daa18

SHA1
384cb69665009021aca2d770dbd12d0f01d5cfc8

SHA256
54952ad2dbc0dcf40aa470db724c833208d08d8cf268d3f6408fe828e7c056eb

SHA512
d1ce3ea09788dc3bfa53adbdacc4d60a2e34452299b70ff015b66b33a9c3081d42113502b533a801f8997024e8a2bd06fa4ed6fc1ac5c96a4b750dfb5b57f78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tonux.exe

Filesize
190KB

MD5
1fd0419899c7b58e2e756d4faac73654

SHA1
0f59be2e3fe006e6795faeaf612901a3e47d36e3

SHA256
2c5bdd8288f85612fc8266e43d3afb4cf50624bad9a87d4d34c9880f78ff58f5

SHA512
1eedadd518a311bbc227c7692560ea44b304b7555c689d4f993eafc1b8148d624c19d405e4fa8b3f900103de6bc160e3c082d3c7404cc9d275611c648fb7a051

Download Submit
memory/920-0-0x0000000000B10000-0x0000000000B96000-memory.dmp

Filesize
536KB

Download
memory/920-1-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/920-17-0x0000000000B10000-0x0000000000B96000-memory.dmp

Filesize
536KB

Download
memory/2724-45-0x0000000000FE0000-0x00000000010AB000-memory.dmp

Filesize
812KB

Download
memory/2724-44-0x0000000000FE0000-0x00000000010AB000-memory.dmp

Filesize
812KB

Download
memory/2724-43-0x0000000000FE0000-0x00000000010AB000-memory.dmp

Filesize
812KB

Download
memory/2724-41-0x0000000000FE0000-0x00000000010AB000-memory.dmp

Filesize
812KB

Download
memory/2724-42-0x0000000000FE0000-0x00000000010AB000-memory.dmp

Filesize
812KB

Download
memory/2724-39-0x0000000000FE0000-0x00000000010AB000-memory.dmp

Filesize
812KB

Download
memory/4100-13-0x0000000000A00000-0x0000000000A86000-memory.dmp

Filesize
536KB

Download
memory/4100-38-0x0000000000A00000-0x0000000000A86000-memory.dmp

Filesize
536KB

Download
memory/4100-22-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/4100-20-0x0000000000A00000-0x0000000000A86000-memory.dmp

Filesize
536KB

Download
memory/4100-14-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download