urelas | 23adac46f21fead61f59ecee0cab70991e57eb67426a1847315c38f75b4fee22

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe
Size

425KB
MD5

a3efc6992afd4ebe8be1ce13ff61e440
SHA1

e88db1a86e748901451663fc4fcaca721621b68a
SHA256

23adac46f21fead61f59ecee0cab70991e57eb67426a1847315c38f75b4fee22
SHA512

6f6b06a5cef64d108fdb151d70c69f434c7a03086ad77eda8c343b3889e5ff7db89417030c66b6e263944b8e75f888c70a0af1bc3028595173a6bae27c7a0edb
SSDEEP

6144:hGOMmhsKI2ir5crKFHLZx2LpLDXeZOXgS/6zbR:hGOIB5crKFHLZx2LpPeZOk

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

F121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2100	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1220	opert.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2036-0-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/files/0x0038000000014ca5-4.dat	upx
behavioral1/memory/2036-6-0x0000000002CB0000-0x0000000002D1A000-memory.dmp	upx
behavioral1/memory/2036-17-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1220-20-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1220-21-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1220	2036	a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 1220	2036	a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 1220	2036	a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 1220	2036	a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2100	2036	a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 2100	2036	a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 2100	2036	a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 2100	2036	a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a3efc6992afd4ebe8be1ce13ff61e440_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\opert.exe
  "C:\Users\Admin\AppData\Local\Temp\opert.exe"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
148afafb753f7bfaff11ca52af05579e

SHA1
c9c282c60a331e8fc817820bebbe4e8828de2e33

SHA256
a9b0968de865b7d71a7bf355fd54fc36fdec6ad8ea540ed1e4764bfe4a951149

SHA512
63dbdb7932bb91ac2376cc6a30f6b7205a4b5059753836640a99ef3c86ffefd2190420a4df95c31da4b06c77966f45544df72e0e38c88d7f5f9f056c9b570b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
304B

MD5
f3d6b1722d21c0f1a9f0468386430e3f

SHA1
0c2d71b262f3cd002443063b30077c8d95b9a4eb

SHA256
502ece9b6473055c27b84e0efef3f697d9759adb6bc80e36431072393b8be2cb

SHA512
7b08379116158a92f8872be22a313a3fda76d0f6deb3c24f3550d37fec9d8247d2248e9166459109b87eba504d7d0223fac3eff21d0c740ed65a9e2bb52d9a78

Download Submit
\Users\Admin\AppData\Local\Temp\opert.exe

Filesize
425KB

MD5
0d23001ceda040daf413e909f2eef405

SHA1
c36d8be7aebd48e2ace151db1d8542d7114e58f4

SHA256
54ae835add5a0b84d87f287b64d46b242d9467e98f33aa165ef7ebf52dc0d27d

SHA512
817766838099e3bf062fb82cf7be8d157c08832f005fa1732f00ec698b51dba89682083de10fe2d816a114aa428016fc0ea61ce09608b66d3b0b2ec8ee7babae

Download Submit
memory/1220-20-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1220-21-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2036-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2036-6-0x0000000002CB0000-0x0000000002D1A000-memory.dmp

Filesize
424KB

Download
memory/2036-17-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download