urelas | ede94fec20c3b624c31f51bf658e8f38610c9be9aa39053d8512900d87e23079

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe
Size

217KB
MD5

1de46b558483439bd916a14c4a30f4a0
SHA1

80bed97efc1ab671acc2451eaa560cca62e2e7bc
SHA256

ede94fec20c3b624c31f51bf658e8f38610c9be9aa39053d8512900d87e23079
SHA512

85fc2642672c3eb0ab2df450e4fb475735ea32139a3e38d797ec14049092c5b6890d43f54ab3489eb76e01354cb6a34d3c4948a037983ffd34f5b7cac87bd31c
SSDEEP

3072:MlSjjvv9GvowY6VNN1cqpr6aiKakTakIztxq83+kK:prcvlTjPFNukuk+q8uv

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2412 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

xoypv.exe

pid process

2504 xoypv.exe
Loads dropped DLL 2 IoCs

Processes:

1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe

pid process

2240 1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe
2240 1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2412	cmd.exe

pid	process
2504	xoypv.exe

pid	process
2240	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe
2240	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe

description	pid	process	target process
PID 2240 wrote to memory of 2504	2240	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	xoypv.exe
PID 2240 wrote to memory of 2504	2240	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	xoypv.exe
PID 2240 wrote to memory of 2504	2240	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	xoypv.exe
PID 2240 wrote to memory of 2504	2240	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	xoypv.exe
PID 2240 wrote to memory of 2412	2240	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	cmd.exe
PID 2240 wrote to memory of 2412	2240	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	cmd.exe
PID 2240 wrote to memory of 2412	2240	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	cmd.exe
PID 2240 wrote to memory of 2412	2240	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\xoypv.exe
"C:\Users\Admin\AppData\Local\Temp\xoypv.exe"
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
d8d5031dd47fd447aefcf532d732f836

SHA1
0cbdaea218d333afc65682ddbbe5d7fe677160bd

SHA256
4c4b143ee527e15f3161533bd1d70b46f462caad37e7c4c255651b2976d19202

SHA512
a85d09c9c16b84a80fdceb18b4d089e8e4a05e12850d579900461b4de2fb1312641b1820ad1ae2eb1e1021a4604bd39f01ea914155be6ed867ec6f04a68205db

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
e0fb3179df923f93e5a4be71b4d56f2d

SHA1
0d6b9cf386addce9e3456546123331c3ccb63517

SHA256
704022b88bdfdc9cc0bc8f62175df8497a26c216c3eb22e3a53b2474087a60a2

SHA512
03b86c60aad9df7372e0463b6cbf780a5b427ebad16e0e3dee62abce8ee8aec8c19c0434b21eb5ed0e059bd410f8f0d24d73f7fc5cee578654b1d11c0c86e015

Download Submit
\Users\Admin\AppData\Local\Temp\xoypv.exe
Filesize
217KB

MD5
c53ba59564fc81857e2b38d0de7074b8

SHA1
653842bac3a5d7f8526c817abab987785d4f354e

SHA256
aa88edf39be6b1b44e2c6fbe4e515a43364c506d087ae65d855d0fffc9d8e127

SHA512
d28b50c599b76e74f600d8c01f89cd377bfc6f8b6ba39a186f4ceb95e37015a267a4c14a6745e575e5d8ae4d7e3ed87993e7186352c84e39ce8c4af6e359d351

Download Submit
memory/2240-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2240-4-0x0000000000401000-0x0000000000436000-memory.dmp

Filesize
212KB

Download
memory/2240-5-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2240-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2240-26-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2240-25-0x0000000000401000-0x0000000000436000-memory.dmp

Filesize
212KB

Download
memory/2240-2-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2240-1-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2504-28-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2504-29-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2504-32-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2504-34-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download