urelas | ecc9c891bbb12e2b6b74e3a3c7c52e84e5813bff8e9dcd2c28e33b58a0218c2a

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 22:07

Target

72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe
Size

285KB
MD5

72bcd32fe8e2701bc5415b24c9084390
SHA1

49672200dc718711d0893def1481c41f696b5ff5
SHA256

ecc9c891bbb12e2b6b74e3a3c7c52e84e5813bff8e9dcd2c28e33b58a0218c2a
SHA512

5905218e46f5481520ef77d957315c48c521046beb725bf360063fdb8af9f5f9dbac0761c1f5bbded23d633211a4fc3f19abd26f00c61bcf90f4595af3d8cc94
SSDEEP

6144:2ZibQcmlVD+BgotLvTtehd1wLIE92FJ1wZycpaiTyn:20q+BgotLvTtehd1wd92FJ1yA

Score

10^/10

urelas trojan

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2124 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

3044 huter.exe
Loads dropped DLL 1 IoCs

Processes:

72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe

pid process

2880 72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2124	cmd.exe

pid	process
3044	huter.exe

pid	process
2880	72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe

description	pid	process	target process
PID 2880 wrote to memory of 3044	2880	72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe	huter.exe
PID 2880 wrote to memory of 3044	2880	72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe	huter.exe
PID 2880 wrote to memory of 3044	2880	72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe	huter.exe
PID 2880 wrote to memory of 3044	2880	72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe	huter.exe
PID 2880 wrote to memory of 2124	2880	72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe	cmd.exe
PID 2880 wrote to memory of 2124	2880	72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe	cmd.exe
PID 2880 wrote to memory of 2124	2880	72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe	cmd.exe
PID 2880 wrote to memory of 2124	2880	72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2124

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
a2de452e45db47c817b5ada178bd2e83

SHA1
44b16b5c0e400a2af95299d0c08a6a4fda14bc4c

SHA256
516ba3f510ebfd821b47f63ac2c47faa15d5f2ba8732c79c0265fa8aa3ad8fd4

SHA512
8799d95d502764a4266c37c1c5fbb24fb9ab94983310962deafd5e246c5900993dffb2c2b06ab6709cc4141aab3346a9cf65b2a62744dbf11c7d381af654be85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
304B

MD5
6625746f392cfa6b042038f885dceeb3

SHA1
fce49078f95c7d1f67f4c5008d88a851911908a3

SHA256
82b0b98932151939bd82dcfcd46e192942e929c56c7d40ba6af3e01ec2a1e08c

SHA512
e2f41a7a4c97727abf7ba2d65af28a3feb5ff44b840e72bfc5bc4ea6a1274a43f47da349431a5d564a5a510b69d860eb0257f8b6a5e987427899a60c78f2430f

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe
Filesize
285KB

MD5
324ced6e9b242278f1c42925e23aea93

SHA1
5395770c61d95b99ab5e3c9362e4e52eb3b5de99

SHA256
f0c9153cc4837431b5aa157449c3faa48c624732240e1c32e6afb3581c0e36c2

SHA512
fbe5d34cf39a71a5d3a8b21c410531bed3c17234434e7c2eb2f26571a3b685742eb8bec8617460a3f8bc16ae59f92959d8a90fe3bc6d5100080315f83744f187

Download Submit