urelas | 27387c160c754ba84f2dab3cfae5f0a5b1781647c535df297cee1ee3ad15e2bf

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe
Size

113KB
MD5

3e1590504d0b796d8edacd2ba4c552b0
SHA1

08bc8e65733be98b905c9d7ed998105c4e4c115a
SHA256

27387c160c754ba84f2dab3cfae5f0a5b1781647c535df297cee1ee3ad15e2bf
SHA512

1a2aab66595002f0f0d938e70c1cc7bc129fd94c3c727016d1ad879a6c8348f709640f818048eb7a343832d7e41f2b88440c69b31a33c1cec51288dafd288255
SSDEEP

1536:mCnrJLwAXDtIBcUyk+8CooNvy3GNbcq7+sWjcdgy64TNSeY:htpCP+/oGvWSldgy64TNSeY

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

4460 biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4460	biudfw.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe

description	pid	process	target process
PID 5068 wrote to memory of 4460	5068	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	biudfw.exe
PID 5068 wrote to memory of 4460	5068	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	biudfw.exe
PID 5068 wrote to memory of 4460	5068	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	biudfw.exe
PID 5068 wrote to memory of 2948	5068	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	cmd.exe
PID 5068 wrote to memory of 2948	5068	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	cmd.exe
PID 5068 wrote to memory of 2948	5068	3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e1590504d0b796d8edacd2ba4c552b0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Filesize
113KB

MD5
b5c1eaed093e2f447e7860128efbfabe

SHA1
d5be65e079d86d26112ab2420c72d2b53a78b2ea

SHA256
af8a7b1c8a773e53149b6f8a202a7e3de9be57afe8291fc3921cd33c8707f35a

SHA512
b8cebb43a4947c80b17ecea626706a043bb0915aa3c405f90e9aa2c115e589429770276a741213d46f10da7cbc00103cfa4c8a8aecece4aff77c6eebb29189ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
f0d42f2e44d35f66afa6c7a98d053021

SHA1
f874284acb7ed4b80e2733ed4f66656bd2c5447d

SHA256
d2060822260cd38f5fc68b1f3b9f9b787b250e1a9fa417be79cdc692ca066f8d

SHA512
d5b9a5e504276623574ba2c16e6d305c86b20ff3e6353dbe251e04287583c27d825fddfe4325530c249cc95ddd3e0674c86acdf2e7f4bd3c3404eab51c022a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
304B

MD5
b5372fbaaf31b25910fd09fb664072a1

SHA1
6b99f4f7b00a47097d23bbb8dd4cc291c5032646

SHA256
52e23ccdebcf99a8cf63bd06cab7a5062b73dfde28aa3b84c78ca58fe45aca14

SHA512
4769bac8001172c59a0d8418ca75e9a36793b005fa6153cb739c01658f05db705821b2020a0ff4a53219de354f534ab094133bd243a5834073ba990e7c4c23e1

Download Submit
memory/4460-15-0x0000000000CE0000-0x0000000000D07000-memory.dmp

Filesize
156KB

Download
memory/4460-20-0x0000000000CE0000-0x0000000000D07000-memory.dmp

Filesize
156KB

Download
memory/5068-0-0x0000000000840000-0x0000000000867000-memory.dmp

Filesize
156KB

Download
memory/5068-17-0x0000000000840000-0x0000000000867000-memory.dmp

Filesize
156KB

Download