urelas | 8a4909edd9fc35b36e7ae79908cb83dbd4d81629691f2a00667a81f03c8d54a4

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe
Size

80KB
MD5

a8e80107d8d1e64b2e2a1aa7683f3e70
SHA1

cf73995377c48a5e8a22a70d1ec04fa0e25e9891
SHA256

8a4909edd9fc35b36e7ae79908cb83dbd4d81629691f2a00667a81f03c8d54a4
SHA512

dc5069c8da735c2675fc83a725663ad8f7e9865e7703c6277de39a19888addecd0da02fc6670752d593ccc3cc2fa4b6e395abc6595bc0540b050a2ce8bf037d7
SSDEEP

1536:jIr3YriYiUi+H++o1eVlXd+8c0GXmvJJNHjLwl50fP5jy:jyYti0pXd+8c0GWvJ3Hvwl52W

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2092	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2996	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2996	2392	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	28
PID 2392 wrote to memory of 2996	2392	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	28
PID 2392 wrote to memory of 2996	2392	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	28
PID 2392 wrote to memory of 2996	2392	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	28
PID 2392 wrote to memory of 2092	2392	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	29
PID 2392 wrote to memory of 2092	2392	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	29
PID 2392 wrote to memory of 2092	2392	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	29
PID 2392 wrote to memory of 2092	2392	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
93c65a2d29a3f6fc7c703df149637d7f

SHA1
a4a27b2eec41990a52a2920818cf940e80fa358d

SHA256
75921ea4058e7f9781fed2c5fe0263052d5eb3b192cf5f9fc0e314487d41d5db

SHA512
7a22bbda614ee62db2b90a970b6ce67f54fbd7fe6babd77977c0c712d65544db698e7390f97b533912b660ac8f92b05d21d60d07e014a1e1810d25faa24ab176

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
304B

MD5
2bc3da99a958a57083dd07a7b0823eef

SHA1
bfcec9488ec7484aec54d5c20e4971d22d580f0d

SHA256
d93e25fb931692d94b7ddf7f0c5fea39e02b8740c5a596b85a296b008f228f7c

SHA512
28ea1bf949d2ed603ce02dd3e7dafe3b99b08c8ecab13696023398458ca8d8aea1257322d735c0213df1515e3d6c2ab3eb82e1e016e93674e84a83ef76889a94

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
80KB

MD5
30999a489aa79dab7a003db4cdcab5e9

SHA1
b2ffc2365782b4d2721754bc8d98d9eba31d1f68

SHA256
b8ad2bc3f72dbc2a1124a706aa4a163eff38e8b3dbe8f42d4cf36a91e53a4695

SHA512
002f36cb58a607daca690002e849027bc27f7cf8166d7ed8fbf4fcb7a683222d3458b4360f0c56b4bf3faefbafb9d09f070bc2536de8e93611df5946162ff7be

Download Submit
memory/2392-0-0x0000000000CE0000-0x0000000000D1D000-memory.dmp

Filesize
244KB

Download
memory/2392-6-0x0000000000AB0000-0x0000000000AED000-memory.dmp

Filesize
244KB

Download
memory/2392-19-0x0000000000CE0000-0x0000000000D1D000-memory.dmp

Filesize
244KB

Download
memory/2996-11-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/2996-22-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/2996-24-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/2996-31-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download