urelas | 8a4909edd9fc35b36e7ae79908cb83dbd4d81629691f2a00667a81f03c8d54a4

Analysis

max time kernel
131s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe
Size

80KB
MD5

a8e80107d8d1e64b2e2a1aa7683f3e70
SHA1

cf73995377c48a5e8a22a70d1ec04fa0e25e9891
SHA256

8a4909edd9fc35b36e7ae79908cb83dbd4d81629691f2a00667a81f03c8d54a4
SHA512

dc5069c8da735c2675fc83a725663ad8f7e9865e7703c6277de39a19888addecd0da02fc6670752d593ccc3cc2fa4b6e395abc6595bc0540b050a2ce8bf037d7
SSDEEP

1536:jIr3YriYiUi+H++o1eVlXd+8c0GXmvJJNHjLwl50fP5jy:jyYti0pXd+8c0GWvJ3Hvwl52W

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1464	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1464	2552	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	93
PID 2552 wrote to memory of 1464	2552	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	93
PID 2552 wrote to memory of 1464	2552	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	93
PID 2552 wrote to memory of 3628	2552	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	94
PID 2552 wrote to memory of 3628	2552	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	94
PID 2552 wrote to memory of 3628	2552	a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe	94

C:\Users\Admin\AppData\Local\Temp\a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1032 /prefetch:8
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
93c65a2d29a3f6fc7c703df149637d7f

SHA1
a4a27b2eec41990a52a2920818cf940e80fa358d

SHA256
75921ea4058e7f9781fed2c5fe0263052d5eb3b192cf5f9fc0e314487d41d5db

SHA512
7a22bbda614ee62db2b90a970b6ce67f54fbd7fe6babd77977c0c712d65544db698e7390f97b533912b660ac8f92b05d21d60d07e014a1e1810d25faa24ab176

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
80KB

MD5
712a5ec3a78dd3f777ca1e3cd1550c57

SHA1
624fa61ea503a0fff9548d98f45b867b995940d6

SHA256
47da154907e3facc12c7e4176cd2131845dc35dc0f4af6a355dc55a8ccc3e0ab

SHA512
ca15e4af3967b7e1338d8daefa7d6d5bbaa3040e0dbef40840a1b32f36bbcdfb12cef84a64f959cfaa6f0bec413368bc8c2f55e68d36c8146b92fd20f795e8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
304B

MD5
2bc3da99a958a57083dd07a7b0823eef

SHA1
bfcec9488ec7484aec54d5c20e4971d22d580f0d

SHA256
d93e25fb931692d94b7ddf7f0c5fea39e02b8740c5a596b85a296b008f228f7c

SHA512
28ea1bf949d2ed603ce02dd3e7dafe3b99b08c8ecab13696023398458ca8d8aea1257322d735c0213df1515e3d6c2ab3eb82e1e016e93674e84a83ef76889a94

Download Submit
memory/1464-11-0x0000000000120000-0x000000000015D000-memory.dmp

Filesize
244KB

Download
memory/1464-18-0x0000000000120000-0x000000000015D000-memory.dmp

Filesize
244KB

Download
memory/1464-20-0x0000000000120000-0x000000000015D000-memory.dmp

Filesize
244KB

Download
memory/1464-26-0x0000000000120000-0x000000000015D000-memory.dmp

Filesize
244KB

Download
memory/2552-0-0x00000000007D0000-0x000000000080D000-memory.dmp

Filesize
244KB

Download
memory/2552-15-0x00000000007D0000-0x000000000080D000-memory.dmp

Filesize
244KB

Download