urelas | ec07ff3c01ca725389072c1d765f219513ad0f7fa85fd7beb0c2810ed0eee083

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe
Size

209KB
MD5

85b9ad6a9b9bd6f1561ca0a286022b30
SHA1

cbc836629721a507d63e0c38128a4a3ccf788cca
SHA256

ec07ff3c01ca725389072c1d765f219513ad0f7fa85fd7beb0c2810ed0eee083
SHA512

7a8d467fb39facf37f53d65907424e5c660e214b46053c706df8074a90127932018f59b85b5975dcfb8e1b7437fbc6cf710587708f2c5f41fa5bb10600a428f5
SSDEEP

1536:1q1utPdWHdPEzoT2/VhWbnoZSKLfiGGPgq3ePAH8PNqWxCxrR/x9sqB:1fPdWqV0CvL6GGCPNqWUxrR/x9sqB

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2192	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2192	2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2192	2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2192	2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2192	2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2192	2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2192	2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2192	2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2820	2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	29
PID 2188 wrote to memory of 2820	2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	29
PID 2188 wrote to memory of 2820	2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	29
PID 2188 wrote to memory of 2820	2188	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8c69e006046149f40585fb3e1bfafb4

SHA1
97073fb1d116248dbecd009e4bf873ab45c6c2da

SHA256
df1edebe6911c5127449117bdcec2878b0ecaff3e930a37e13aefe54363be228

SHA512
b8f5c75fbbddbb185a82395b59f75802cf800dac792c7256261998f3b4a965f180a901f4bd4e873b1cec0ac7acb77e09ec793c8b19ac2d1fdf115e57c42626b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
304B

MD5
ae0a404a878ba4c503211e863562429a

SHA1
007bce5fb9e7d979e51b08585c5e82d0223a198e

SHA256
fa7b7750bf28bb6163b1852410f9bb561661318d36069db9993e8150146ad8fa

SHA512
40bbb73fba41f777cbbf6f2927468443598bb82c61b7c7eda6beec39e07abf491e131269f5745aa4021401a5d254458ed9d71fbb529a6e98e0191bfa3cb9c9eb

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
209KB

MD5
55b646207b8d90f2b4da8f6257e2a7ed

SHA1
49c9ad16d1aca3b8c35de6f74746410eb0121c2c

SHA256
52b6b099818666bdcfd68759eb15711294a67f7164a4f03be432cdfc9bdf7b4a

SHA512
55c9123a83d3a2ddb8d91866ee59ac8ab918eff4f7f3633c84c05a417c9262e1be7996fcfb3de4c0af65f1ee71269c95b95701ba92d66e2582be7860cb7982bc

Download Submit
memory/2188-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2188-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download