urelas | 27387c160c754ba84f2dab3cfae5f0a5b1781647c535df297cee1ee3ad15e2bf

Analysis

max time kernel
122s
max time network
136s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe
Size

113KB
MD5

3e1590504d0b796d8edacd2ba4c552b0
SHA1

08bc8e65733be98b905c9d7ed998105c4e4c115a
SHA256

27387c160c754ba84f2dab3cfae5f0a5b1781647c535df297cee1ee3ad15e2bf
SHA512

1a2aab66595002f0f0d938e70c1cc7bc129fd94c3c727016d1ad879a6c8348f709640f818048eb7a343832d7e41f2b88440c69b31a33c1cec51288dafd288255
SSDEEP

1536:mCnrJLwAXDtIBcUyk+8CooNvy3GNbcq7+sWjcdgy64TNSeY:htpCP+/oGvWSldgy64TNSeY

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2668 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2396 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe

pid process

3048 3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2668	cmd.exe

pid	process
2396	biudfw.exe

pid	process
3048	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe

description	pid	process	target process
PID 3048 wrote to memory of 2396	3048	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	biudfw.exe
PID 3048 wrote to memory of 2396	3048	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	biudfw.exe
PID 3048 wrote to memory of 2396	3048	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	biudfw.exe
PID 3048 wrote to memory of 2396	3048	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	biudfw.exe
PID 3048 wrote to memory of 2668	3048	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	cmd.exe
PID 3048 wrote to memory of 2668	3048	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	cmd.exe
PID 3048 wrote to memory of 2668	3048	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	cmd.exe
PID 3048 wrote to memory of 2668	3048	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
113KB

MD5
fcc1794585a23be5a1d78473a2c405df

SHA1
2228f1c8eae281b7c8bde5761bbda2e303d4115d

SHA256
4aa4e5526fe7814621f87e962f1a4bdf069e8fe549c3a967d1c2d15b52963fcf

SHA512
3453c9c9e0725c7ccbe19c3858324eb984f904390843d3c2080bb90b23c6134a1b7410070ff86c4a7cd35e9d2eead4d271df80a7a10617bc593a78f97fb9a4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f0d42f2e44d35f66afa6c7a98d053021

SHA1
f874284acb7ed4b80e2733ed4f66656bd2c5447d

SHA256
d2060822260cd38f5fc68b1f3b9f9b787b250e1a9fa417be79cdc692ca066f8d

SHA512
d5b9a5e504276623574ba2c16e6d305c86b20ff3e6353dbe251e04287583c27d825fddfe4325530c249cc95ddd3e0674c86acdf2e7f4bd3c3404eab51c022a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
304B

MD5
b5372fbaaf31b25910fd09fb664072a1

SHA1
6b99f4f7b00a47097d23bbb8dd4cc291c5032646

SHA256
52e23ccdebcf99a8cf63bd06cab7a5062b73dfde28aa3b84c78ca58fe45aca14

SHA512
4769bac8001172c59a0d8418ca75e9a36793b005fa6153cb739c01658f05db705821b2020a0ff4a53219de354f534ab094133bd243a5834073ba990e7c4c23e1

Download Submit
memory/2396-10-0x0000000000ED0000-0x0000000000EF7000-memory.dmp

Filesize
156KB

Download
memory/2396-21-0x0000000000ED0000-0x0000000000EF7000-memory.dmp

Filesize
156KB

Download
memory/3048-0-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/3048-18-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/3048-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download