urelas | ec07ff3c01ca725389072c1d765f219513ad0f7fa85fd7beb0c2810ed0eee083

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe
Size

209KB
MD5

85b9ad6a9b9bd6f1561ca0a286022b30
SHA1

cbc836629721a507d63e0c38128a4a3ccf788cca
SHA256

ec07ff3c01ca725389072c1d765f219513ad0f7fa85fd7beb0c2810ed0eee083
SHA512

7a8d467fb39facf37f53d65907424e5c660e214b46053c706df8074a90127932018f59b85b5975dcfb8e1b7437fbc6cf710587708f2c5f41fa5bb10600a428f5
SSDEEP

1536:1q1utPdWHdPEzoT2/VhWbnoZSKLfiGGPgq3ePAH8PNqWxCxrR/x9sqB:1fPdWqV0CvL6GGCPNqWUxrR/x9sqB

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
5032	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 5032	228	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	88
PID 228 wrote to memory of 5032	228	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	88
PID 228 wrote to memory of 5032	228	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	88
PID 228 wrote to memory of 976	228	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	89
PID 228 wrote to memory of 976	228	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	89
PID 228 wrote to memory of 976	228	85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\85b9ad6a9b9bd6f1561ca0a286022b30_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8c69e006046149f40585fb3e1bfafb4

SHA1
97073fb1d116248dbecd009e4bf873ab45c6c2da

SHA256
df1edebe6911c5127449117bdcec2878b0ecaff3e930a37e13aefe54363be228

SHA512
b8f5c75fbbddbb185a82395b59f75802cf800dac792c7256261998f3b4a965f180a901f4bd4e873b1cec0ac7acb77e09ec793c8b19ac2d1fdf115e57c42626b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
209KB

MD5
e60fc2ed2e10d630b259c16fcbcce086

SHA1
d8c884155134c74603453c5da3422d877143d139

SHA256
74f9a9f353e5f5e2172b7179a008fa85324084f68204f4a6e28de9244a94f3e6

SHA512
7905696e1195af06cb83b22a3696fa51a5b05af86c3a2ba78682473c9752c88e99b5d5825512eccf269182e796ac745073018248b5a25ed2916439b1636a0ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
304B

MD5
ae0a404a878ba4c503211e863562429a

SHA1
007bce5fb9e7d979e51b08585c5e82d0223a198e

SHA256
fa7b7750bf28bb6163b1852410f9bb561661318d36069db9993e8150146ad8fa

SHA512
40bbb73fba41f777cbbf6f2927468443598bb82c61b7c7eda6beec39e07abf491e131269f5745aa4021401a5d254458ed9d71fbb529a6e98e0191bfa3cb9c9eb

Download Submit
memory/228-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/228-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5032-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5032-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5032-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download