urelas | 943cb65a7f7fa8fb3016f65056a7610eaaaf3d8eec7d3916e6a7b887bd0292c8

Analysis

max time kernel
91s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b48ed8f3626b6f56343450b50becea0_NeikiAnalytics.exe
Size

54KB
MD5

6b48ed8f3626b6f56343450b50becea0
SHA1

6645c793c7b654cdac62b2b6037cf109d2b792a6
SHA256

943cb65a7f7fa8fb3016f65056a7610eaaaf3d8eec7d3916e6a7b887bd0292c8
SHA512

15ae89c84b9a13193ede3dbc498d56899456c608b01c43139047aef17727e6bb1ad992a01142f0e674cb832e294e87ac33ebe00d56a09d6d7be821aad0ba7499
SSDEEP

1536:vMcQYte55zs091Zw9FAGDdJYipvwGf9ogjrgHV:vMhAe5Zs091KI+JYixw49Xjrg

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	6b48ed8f3626b6f56343450b50becea0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
3704	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 3704	5012	6b48ed8f3626b6f56343450b50becea0_NeikiAnalytics.exe	85
PID 5012 wrote to memory of 3704	5012	6b48ed8f3626b6f56343450b50becea0_NeikiAnalytics.exe	85
PID 5012 wrote to memory of 3704	5012	6b48ed8f3626b6f56343450b50becea0_NeikiAnalytics.exe	85
PID 5012 wrote to memory of 2500	5012	6b48ed8f3626b6f56343450b50becea0_NeikiAnalytics.exe	86
PID 5012 wrote to memory of 2500	5012	6b48ed8f3626b6f56343450b50becea0_NeikiAnalytics.exe	86
PID 5012 wrote to memory of 2500	5012	6b48ed8f3626b6f56343450b50becea0_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\6b48ed8f3626b6f56343450b50becea0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b48ed8f3626b6f56343450b50becea0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
54KB

MD5
231f52de675fff666d39247ecf2055f0

SHA1
441f077011f6770e3bebc88c6bfb52930be4ecc3

SHA256
52e4c65934986313eb4bc35a51e0094d33af66a2b644afca29329d25a1e1567f

SHA512
13bf90b25dadf33ebf808598d16c2d8927660e2d6bbb1fe73f19c1d5fece865b36e181b7e5a452da6b29921243e09821d72209c6a9981e2c34ef1fd6a79500a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b4a86880004da8726288d7ec954885a8

SHA1
1bab1cfbdc2c540246210bc7852f8fe7e8357b31

SHA256
c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46

SHA512
22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
304B

MD5
fa0823d5f58a9bc450ff2eb75d6d7ee6

SHA1
03e297bf2fc18ee426ee0d8cb470b2ebc5a90d83

SHA256
ec1d7d43057c619573f9d1ae868759173b050d89d8af27976b1a0a6bf8962e65

SHA512
0752aa681dc6b47f0ee4a9e43160bc333fe7a31e7c2bdaa10089a047a544508c8340e8b48855039ca298ff4ad49e43f82374ee2c52dbe3ea1f1fe666e9fca72b

Download Submit
memory/3704-12-0x0000000000A80000-0x0000000000AA6000-memory.dmp

Filesize
152KB

Download
memory/3704-17-0x0000000000A80000-0x0000000000AA6000-memory.dmp

Filesize
152KB

Download
memory/3704-19-0x0000000000A80000-0x0000000000AA6000-memory.dmp

Filesize
152KB

Download
memory/3704-25-0x0000000000A80000-0x0000000000AA6000-memory.dmp

Filesize
152KB

Download
memory/5012-0-0x00000000007D0000-0x00000000007F6000-memory.dmp

Filesize
152KB

Download
memory/5012-14-0x00000000007D0000-0x00000000007F6000-memory.dmp

Filesize
152KB

Download