Overview

overview

10

Static

static

7

0ba7cdd478...cs.exe

windows7-x64

10

0ba7cdd478...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe

  • Size

    323KB

  • MD5

    0ba7cdd478b3f411d9fdd36169a1a5a0

  • SHA1

    381e4fa18d8e2c4741afc0d961463a690cca9606

  • SHA256

    4a962624adb34f6e3f897a5397f351abe1bb08da2cd7f96ff10c7cde8d4068e6

  • SHA512

    2650399e35ed009370047720ffacd2fbd3f1f8e4c86b89e22e8a757c879a2eb624445e296f44e341317bf2d88ff2314a8ab3f0b5db28c2188f00d42a5e3150f8

  • SSDEEP

    6144:cEo/rmV71+I8ZD/h/vFfhxxQO4B4tqv+Hq/On1NHwBzQ4bed76a3FoSx0f:cEo/6YnZVB1rkAqcNAzQCed7J1oS8

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\gosur.exe
      "C:\Users\Admin\AppData\Local\Temp\gosur.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Users\Admin\AppData\Local\Temp\bitep.exe
        "C:\Users\Admin\AppData\Local\Temp\bitep.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2404
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:3648

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
      Filesize

      306B

      MD5

      6778423902e30899d74d9bb16997eb87

      SHA1

      addea5cb9ba9bb8eef34eb12f0c80a297d7a01e9

      SHA256

      1708d0d9935346d8c17ae7978608b3eb5593a5e34876aca808b69c18cbe4ff2f

      SHA512

      1bcbdf6a88df029c2cc28ecafbb8a31c7144c115b0219eeb599679c0c499fecd441b06ec52bc5d3fe96194ae90ed2ac700a5243ec615415f281ef0f1a4e23974

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bitep.exe
      Filesize

      241KB

      MD5

      5c26641b2711ff813f183391096d3381

      SHA1

      ebfdb8c85d2a02bb3b49d5228dece58a8cfc98c0

      SHA256

      291a0a87b1ccb3d530fa8f3f94c29d86b3c0180ca3e2176b717663fe89e4ab2d

      SHA512

      66d2cb007e6541672d8f76a3245098be2128ef6a78b7b12b632470fbe5c5cae17d464f50777c8dba51f3e1255fc57f9401d12962bf7ef277567069352c651d22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      a8204389b4d05c33cc11051270f7690d

      SHA1

      cd7a5776f6ccebccb0f09183d32cc6833dd1531b

      SHA256

      ed1243c97c7a13b64aaaa65cb7d32eefee8a8798d9f6fae12d46b6ad52bcc5ce

      SHA512

      bbf80b5113f47a614465d2e738172904b4c6c2798b34d713a4cb2cabc73a2fc90cded11428b40b9b8a90993028c89040d9fc3cb85ccb36491e41135f417981d4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gosur.exe
      Filesize

      323KB

      MD5

      39177bb968be906e3d3c35e2dfc29d62

      SHA1

      85dd853990bb0cc1b18c50d0bd3f46336cd1e0c8

      SHA256

      c408fdc1756248c07ada71dc704a67cc7d4e89c149de3f3d5151d1299ae4f798

      SHA512

      2555afb2d516e1c8e5fe97ada5dcac59e5cfc080e2a8270e0bf722758b0bc69554a8378d832efbb761fb280d72e811c080bfd40f8696aa15e93ff09d22721ba4

      Download Submit

    • memory/1240-0-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/1240-15-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2404-38-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2404-37-0x00000000006D0000-0x0000000000786000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2404-40-0x00000000006D0000-0x0000000000786000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2404-41-0x00000000006D0000-0x0000000000786000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2404-42-0x00000000006D0000-0x0000000000786000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2404-43-0x00000000006D0000-0x0000000000786000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2404-44-0x00000000006D0000-0x0000000000786000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2884-18-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2884-12-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2884-36-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download