Overview

overview

10

Static

static

10

29ef1a2577...cs.exe

windows7-x64

10

29ef1a2577...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-06-2024 19:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe

  • Size

    794KB

  • MD5

    29ef1a257725b109e0cccd9b2795ff40

  • SHA1

    d7f04cf7b04dcd95e10a67d12d856bf8a03096fa

  • SHA256

    878c9fcd11c1ec56288af066948c2d239a9d5ffe5ed131d3322a53cd90cf5690

  • SHA512

    a5add0f8f7c46e2c9205de11bbec197847c6c46100b539d203d29f8386e27f2f34b9787489d244bde956be4dd0d5efd6ac013241f9aee975e99f2c1adbcb9c29

  • SSDEEP

    24576:snPfQpzyD8ZTn8kZvAkI094vOkSCLMgC2:kfQt/Tn8AvAt0GvwC9

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Users\Admin\AppData\Local\Temp\myrox.exe
      "C:\Users\Admin\AppData\Local\Temp\myrox.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Users\Admin\AppData\Local\Temp\yppyh.exe
        "C:\Users\Admin\AppData\Local\Temp\yppyh.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:624
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:4688

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
      Filesize

      306B

      MD5

      754a8d0dde0d3a67bc20ca2fe80a9731

      SHA1

      515301bc900413dcf4191e8c5a3bfb40d91031ec

      SHA256

      b01967b21baa88e0f6733d7f94cdf33b1455d8cb5ef167979ae75746250abb01

      SHA512

      ee410e4a56554568495ca05133acf53fad4e6769ccc0a6d5600036c2093ffaa9e79123ce46d457e5cb4556cdfdff34a02224b910907a3230b80fe4cdfb91540e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      0dc660c967ec9f38a86d2edb79ff22d8

      SHA1

      7d9dd860a099d0494d0e4b9d68a4975658f2cced

      SHA256

      3bf71228367908acc721ccd9690030aa86349a9e0c70d66434fff85a354c3a15

      SHA512

      e5bb10718cc1cdea676984337e3e7bd6c8df4d722f354effa9462190dbe47057c3e78465d4c50115e85455a23a1ea70d478ae70b7d3201bdbdcadacd8184037a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\myrox.exe
      Filesize

      795KB

      MD5

      09d87636cad0d1950f0d1abb11250794

      SHA1

      3004767978aa51552e28821013f44188133b9cf1

      SHA256

      74a08040dfc61f7c0e801a58f262ce764a15189c371649b4cef5dd2c86536e66

      SHA512

      0a807d2c543ee635b13c65763118febf5be067cac9a3b01430fad682b4eec2a6e83f0178e6b65fe2dc5480d57077fb2192112d0c0953cb6a930c5075aa61f72d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\yppyh.exe
      Filesize

      176KB

      MD5

      b719260d2c271137759088ed83da6084

      SHA1

      8f2a2a6aa871ebcdf10597253c7005e7bc0fdf78

      SHA256

      0da48d1f83fcd27d92d096dfc394cba7a5cbf2a6795fcaed3570c5345b49dee0

      SHA512

      ca64970cbd7c6b0d299f859312d6bccb69c8981893e4c18fa273ab15b49b1c1f889c17b347b7f1bf3dda7b5be4be62db159c76ffa039d146a4b55eb21eca1a90

      Download Submit
    • memory/624-31-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/624-27-0x00000000004E0000-0x00000000004E2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/624-26-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/624-30-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/624-32-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/624-33-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/624-34-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1788-17-0x0000000000320000-0x00000000003EF000-memory.dmp
      Filesize

      828KB

      Download
    • memory/1788-10-0x0000000000320000-0x00000000003EF000-memory.dmp
      Filesize

      828KB

      Download
    • memory/1788-28-0x0000000000320000-0x00000000003EF000-memory.dmp
      Filesize

      828KB

      Download
    • memory/2596-14-0x0000000000B90000-0x0000000000C5F000-memory.dmp
      Filesize

      828KB

      Download
    • memory/2596-0-0x0000000000B90000-0x0000000000C5F000-memory.dmp
      Filesize

      828KB

      Download