urelas | ede94fec20c3b624c31f51bf658e8f38610c9be9aa39053d8512900d87e23079

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe
Size

217KB
MD5

1de46b558483439bd916a14c4a30f4a0
SHA1

80bed97efc1ab671acc2451eaa560cca62e2e7bc
SHA256

ede94fec20c3b624c31f51bf658e8f38610c9be9aa39053d8512900d87e23079
SHA512

85fc2642672c3eb0ab2df450e4fb475735ea32139a3e38d797ec14049092c5b6890d43f54ab3489eb76e01354cb6a34d3c4948a037983ffd34f5b7cac87bd31c
SSDEEP

3072:MlSjjvv9GvowY6VNN1cqpr6aiKakTakIztxq83+kK:prcvlTjPFNukuk+q8uv

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

jesaa.exe

pid process

2284 jesaa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2284	jesaa.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe

description	pid	process	target process
PID 4712 wrote to memory of 2284	4712	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	jesaa.exe
PID 4712 wrote to memory of 2284	4712	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	jesaa.exe
PID 4712 wrote to memory of 2284	4712	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	jesaa.exe
PID 4712 wrote to memory of 4272	4712	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	cmd.exe
PID 4712 wrote to memory of 4272	4712	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	cmd.exe
PID 4712 wrote to memory of 4272	4712	1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1de46b558483439bd916a14c4a30f4a0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4712

C:\Users\Admin\AppData\Local\Temp\jesaa.exe
"C:\Users\Admin\AppData\Local\Temp\jesaa.exe"
2⤵
- Executes dropped EXE
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:4272

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
d8d5031dd47fd447aefcf532d732f836

SHA1
0cbdaea218d333afc65682ddbbe5d7fe677160bd

SHA256
4c4b143ee527e15f3161533bd1d70b46f462caad37e7c4c255651b2976d19202

SHA512
a85d09c9c16b84a80fdceb18b4d089e8e4a05e12850d579900461b4de2fb1312641b1820ad1ae2eb1e1021a4604bd39f01ea914155be6ed867ec6f04a68205db

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
12368fb269e8aff5cf09c9572b6a7f92

SHA1
f90f6ebb04fd5dc2b2f1a2392da048a35d18a567

SHA256
b8bafdd0f2e3c1fa1cefb16e880fa2552e659c7cf157925d92adf2a4a0bd6279

SHA512
7e105593c08f98d118236ccf9b4fe8736f9b05c8369a235904e301f5a9e3b2a306e42f47e0f1ab2b59208b882fed404104e712ac95712ca7d685002f3a815bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jesaa.exe
Filesize
217KB

MD5
3ea47f6995826d457ae8f4c0852be146

SHA1
a45de377ac4b4827775e87a6319342850310b8fb

SHA256
29f2d6cffab39c5bc4ee67ef4be6e208982d66e681ee265a56339f25af17e1d3

SHA512
fc551ef839072fc48044523c306f7040d1660f83f990af42067a0787dbecd06379c4730c1a8a3bcdb42a2235ca4c54f7c80cc7793ab353fbce73273328d96f1a

Download Submit
memory/2284-22-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2284-23-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2284-25-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2284-27-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4712-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4712-4-0x0000000000401000-0x0000000000436000-memory.dmp

Filesize
212KB

Download
memory/4712-5-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4712-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4712-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4712-19-0x0000000000401000-0x0000000000436000-memory.dmp

Filesize
212KB

Download
memory/4712-2-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4712-1-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download