Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-06-2024 23:04

General

  • Target

    624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe

  • Size

    368KB

  • MD5

    624efc1dbe90125eddada90974fdace0

  • SHA1

    f7f33cdd1c1d1da5de95dec6affc70be0dfeb711

  • SHA256

    060925840131f267857344edc2c2c4ca8aa8e4d20b029f8e35baec4c92f8debc

  • SHA512

    bbae1bdb52932a1fd008cd03520f891da91cd4845d8fb00acaa112d0426474e33fa2a24d6915d08a4f78724382f9ad94affeb7cbb53debd4688ccbd7aed1c174

  • SSDEEP

    6144:OuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62psW:OzGL2C2aZ2/F1WHHUaveOHjTH

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Users\Admin\AppData\Local\Temp\wetif.exe
      "C:\Users\Admin\AppData\Local\Temp\wetif.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Users\Admin\AppData\Local\Temp\tomit.exe
        "C:\Users\Admin\AppData\Local\Temp\tomit.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3156
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:2800
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
      1⤵
        PID:4940

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
        Filesize

        306B

        MD5

        78add4663005c31146bb2733aeb55be6

        SHA1

        2c221c8fc625dab5f62e0c9d091006d8e0038364

        SHA256

        24d8cec81bb75923aaebc8c866f88cda3cad285adc883682e09f6076714b2c1c

        SHA512

        d4a7bd6087a4ea90c568ee425ea9958e5aeb0c5b0097d2a76217bb1a7ab2a8aac0e475544807212bd83b59539900e24004c20523c47dc58f44c3f5922354935f

      • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
        Filesize

        512B

        MD5

        ff3c5a31f69602739d7781d196c9dba6

        SHA1

        9e84709a164478f83d614c0316707cbe6967dd06

        SHA256

        a316f38c0a84e54734ecddbff784fdfbf2e9b511c0468d8129711dff7c019d10

        SHA512

        68e633e6a1b7e21e4547d11bad2aef2eb37b71252d6f6b555be845ee0d18876641c1188e8ad9b6b728dd17e3ba6df021bf748cde07930d06ba4d404765b86b3e

      • C:\Users\Admin\AppData\Local\Temp\tomit.exe
        Filesize

        303KB

        MD5

        75e4e2327186afaedc43b3b83df9c74e

        SHA1

        0377a497d9658d1420ab09c34377b99047fdc9fb

        SHA256

        fa9206e6b5f23258ae293ab75669cd3e6e03d23b82f4e211bdd39a1601250d73

        SHA512

        5ce95e7cfceee0965eda903702f59b4e122985ea19d6a537a53c4e0dd0e81622e1b5e4fe8dcc9887de4391b767b4ec31b8491b69de2358bc115d5034c063fd9e

      • C:\Users\Admin\AppData\Local\Temp\wetif.exe
        Filesize

        368KB

        MD5

        73533e63c5580fc182193e23d46c229e

        SHA1

        20423b1c278ffa1bbac323a058358be68f0c4339

        SHA256

        ee01d0f8aa907800265beabafb2644bc2525ce32d7be88f27bc3a7c1979aac61

        SHA512

        c6262d00557b35bd1568a1ab941daf9c0115a8e75c897bf1c1eb50a9f9c59ba5dddefdcc098a5f4e6a2984eb582c71a5ba29f081b9d0b9bea9c16bc56ebbc5d1

      • memory/2508-10-0x00000000002A0000-0x0000000000302000-memory.dmp
        Filesize

        392KB

      • memory/2508-25-0x00000000002A0000-0x0000000000302000-memory.dmp
        Filesize

        392KB

      • memory/4656-0-0x0000000000D10000-0x0000000000D72000-memory.dmp
        Filesize

        392KB

      • memory/4656-14-0x0000000000D10000-0x0000000000D72000-memory.dmp
        Filesize

        392KB