urelas | 1df5ed2104bb6bdb362f781210b94a99876195cdbf2671b4f9b995282e87e4fb

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 04:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7aa4d9fedc916d6e1293ec087b37ec80_NeikiAnalytics.exe
Size

261KB
MD5

7aa4d9fedc916d6e1293ec087b37ec80
SHA1

2ec2b4cff60b9d2da86a458c951c24963cdf9546
SHA256

1df5ed2104bb6bdb362f781210b94a99876195cdbf2671b4f9b995282e87e4fb
SHA512

e77eb1385aacc610a14d445fadb9ca3f0f296db180e8d5ce790a4883d884dbaa7f8d08c0b220b3c989e97212d3d12c9f45eb08df0ab06cd4421c8c620e3e63ab
SSDEEP

6144:yaibWcgsrjz+JJ5yBNHVHpzifLI2Um7dsZ2hYVpl:yaIWRJ5yBNHVHpzif7UD

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.184

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	7aa4d9fedc916d6e1293ec087b37ec80_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4188	opert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 4188	4196	7aa4d9fedc916d6e1293ec087b37ec80_NeikiAnalytics.exe	85
PID 4196 wrote to memory of 4188	4196	7aa4d9fedc916d6e1293ec087b37ec80_NeikiAnalytics.exe	85
PID 4196 wrote to memory of 4188	4196	7aa4d9fedc916d6e1293ec087b37ec80_NeikiAnalytics.exe	85
PID 4196 wrote to memory of 2084	4196	7aa4d9fedc916d6e1293ec087b37ec80_NeikiAnalytics.exe	86
PID 4196 wrote to memory of 2084	4196	7aa4d9fedc916d6e1293ec087b37ec80_NeikiAnalytics.exe	86
PID 4196 wrote to memory of 2084	4196	7aa4d9fedc916d6e1293ec087b37ec80_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\7aa4d9fedc916d6e1293ec087b37ec80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7aa4d9fedc916d6e1293ec087b37ec80_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\opert.exe
  "C:\Users\Admin\AppData\Local\Temp\opert.exe"
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7fe7feac87ab26dfdd64f4294ff9a0fe

SHA1
291e3ea8c3e0fdf78c8dd5b7705197db5453f01b

SHA256
5473dc2db453bebd42c34b4920407525ff192e60193b26f59cce3de35db70d55

SHA512
096c1dc941584ef7d1d071738a8417575133a9dfecff3d271d142c714265e48ffc343d86e208792fc38e33887f1577ce1750681e004542623642e0d0e1ab86b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\opert.exe

Filesize
261KB

MD5
d713482fdcde8b5405f3ef6a94e8384a

SHA1
f98b37726479f63c363ec9162b6b4b752f575cef

SHA256
9931c87830ec195b0ed89afbfd7b1b77d9c032def06c4ea07e4d37e587567026

SHA512
9a990f90b68050219627300064a4d78c584e9c83f79eedd8c7b75f07494cc2df2dd73a6e453ec31304fceb6296397a4337b49c133ca174fc399059c75ce155d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
304B

MD5
cb999196d00e167d5b92d7115bbfb4db

SHA1
e20efa378a11c7b8bf2cd88ee45509485102717c

SHA256
364f6b5c1b97e34a5f785ec2c31777d7791eac8dc0b78a2de819746a320ee784

SHA512
85a32a21157de58d5cf5aa7acc45acc6a5437ba7b7f5815d81a5872113257fc63a768c3410d982e378cd9dbdde638b230a2b3f85329e3a716f427f561bf92ab4

Download Submit
memory/4188-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4196-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download