urelas | 3b95f54b589a817188eca40c48ad2ab73cb32ed3a53b15bdaf8cc0a97324a16f

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe
Size

179KB
MD5

0d0036f5fbb6f047875af4a3f85dab90
SHA1

4df9fb0b4faadfab7fc0cb8bbf13f74256795a3b
SHA256

3b95f54b589a817188eca40c48ad2ab73cb32ed3a53b15bdaf8cc0a97324a16f
SHA512

27a8386b812f64e4a2abd5828c3a4440ebccb1630571198e9ef090917084de49c5ba1af903dac178ce866d7429ad84ca7441c4780951623df5c7049731d3f289
SSDEEP

1536:2PjGahAlK9zJfjvarrcSZUKmDTijh+r8FcUKg2X3RGimoU9gNYcizbR9Xwzz:2PjGUVuJQGjYr0CX3RG/oU9QUPvw3

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2652 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

honds.exe

pid process

2016 honds.exe
Loads dropped DLL 1 IoCs

Processes:

0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe

pid process

2580 0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2652	cmd.exe

pid	process
2016	honds.exe

pid	process
2580	0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe

description	pid	process	target process
PID 2580 wrote to memory of 2016	2580	0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe	honds.exe
PID 2580 wrote to memory of 2016	2580	0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe	honds.exe
PID 2580 wrote to memory of 2016	2580	0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe	honds.exe
PID 2580 wrote to memory of 2016	2580	0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe	honds.exe
PID 2580 wrote to memory of 2652	2580	0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe	cmd.exe
PID 2580 wrote to memory of 2652	2580	0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe	cmd.exe
PID 2580 wrote to memory of 2652	2580	0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe	cmd.exe
PID 2580 wrote to memory of 2652	2580	0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0d0036f5fbb6f047875af4a3f85dab90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\honds.exe
  "C:\Users\Admin\AppData\Local\Temp\honds.exe"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0b2c69c5a12b94eda023c4ec17438ae2

SHA1
713a76d959512ff1bde22135ead94158f73675b7

SHA256
7b54b42f6f2c3be4a471e1c8d396e585262def376e90d09ba38ad83b868d5e88

SHA512
b87da2abfee322ec1519936505d9f474907423c9a8c1546bff03ebb2d2033648c0b33c030e7a2f1ea4e25b90554589785a57aaef644b7373c10c513e6373c943

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
304B

MD5
c80b9439108b84ae4667d455657621bb

SHA1
0fd65f49fb491314d33e0208a017f135ab94a848

SHA256
7c844f1a7570719dd050d826a89df928d7789eaef97c7ced8f38a748b65a88b3

SHA512
bc9fd53dae136d13e554fed449a6f2b680e8a9b0f25039fa54a4953893bdd370bad7250c90deaed68dc145c981509c99025c8cbe733314e48d72fe02e0f6f7db

Download Submit
\Users\Admin\AppData\Local\Temp\honds.exe

Filesize
179KB

MD5
946db9a04e0f5543991c3c9c7d3490a7

SHA1
718dca2f611768f4d141049878b4945ac544d3b0

SHA256
7d109e443dedf0c25d6844609f8675b96c922366b963d641fbe09d584d5f4486

SHA512
dc8a789293f8b4e5b2a57254cda5e7793738b6733c76d8a08d64b4d4d996a813ef983f94d3e8880c6681bbca51c398ee34119d8e2b1901ca0dd1866cc3c0380f

Download Submit
memory/2016-10-0x0000000001120000-0x000000000114E000-memory.dmp

Filesize
184KB

Download
memory/2016-21-0x0000000001120000-0x000000000114E000-memory.dmp

Filesize
184KB

Download
memory/2580-0-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2580-9-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download
memory/2580-18-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download