Overview

overview

10

Static

static

10

6497276021...cs.exe

windows7-x64

10

6497276021...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    83s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 23:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe

  • Size

    365KB

  • MD5

    6497276021f583f26c60188ca0e18930

  • SHA1

    e8b38782979babaeb5dad7c8894e0b35fae25941

  • SHA256

    efbfdb4e4673402686c4cefa55e1f34eee026615b70b06b9bad40f07cbcd0fad

  • SHA512

    af61d6a94ad332acf139a1a5da5917c5fc0c92308c3c8b2215c65743e705a1105e56e3548e23740224f4b0cc66f5e4065b09674e2b06fe1b786335475ca8002d

  • SSDEEP

    6144:OuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62p+:OzGL2C2aZ2/F1WHHUaveOHjTC

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Users\Admin\AppData\Local\Temp\budix.exe
      "C:\Users\Admin\AppData\Local\Temp\budix.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Users\Admin\AppData\Local\Temp\deunt.exe
        "C:\Users\Admin\AppData\Local\Temp\deunt.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4296
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:2900

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
      Filesize

      306B

      MD5

      66de5e3c497ffc05f778d6f9cdb5046d

      SHA1

      7dc1b2ba3d7f04d3366b93d3a9ca3220a1120a67

      SHA256

      eb48fae57a89542c7c4db9a51c9c850181f44cac621ec4a8fa64808f50db03a9

      SHA512

      7ae2e80879a9b3e452b4d256dba366ddc15a2e2a9a0bca2ba3cede55454af084eac8399d879e9604c398d3310871b09e7a954f01a53a6a35e0b8deb49838e575

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\budix.exe
      Filesize

      365KB

      MD5

      6ccaee050452a4373974244d3157c8a3

      SHA1

      a048e5f7afa1196a9dca7dca84d18b8251d8918e

      SHA256

      02090343539e67b8ae3849a777dcc74d20348003499273efdffb72ab2eac5270

      SHA512

      80fa5f6b2409f0ef5e3013de58ba4a746394c3ce1a945c70b16186bedad0d2cfc6231bcaba807aff763cd323c57d9e4f4a1dce5f9fe5d4bbf6507892568f3ac7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\deunt.exe
      Filesize

      303KB

      MD5

      8cf116c393aa78bb58305e70178d863b

      SHA1

      312dfa74a8529d3f197f0756fc55272aab851138

      SHA256

      a3a87b304fc3195221063855fba34d455874cfb0740b29c5783412c5aded549d

      SHA512

      f7ba94203699296e30ed9bbb2e4f807b1c7ff9dc9f0e43d37188626798f15e006b130e7fdcf1a06ba894ad368d29c1e02f28860e00f1470c03cde7d7735cdb5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      54800be827fef6bfd11712d6502785db

      SHA1

      ea540016c3cfb4ab334c41fca4054ba7443981f7

      SHA256

      f09724576edc12d1a4d1bc1d1921aa332d56fc83ee61ecfe7c691ad44ccf3f7b

      SHA512

      63dd88fd16924619f7b2f0c5f688042f737e10b1a00cf525c65d3451603342753b95aed67c47f89bc64a37ab10206ba971abf962779b338ddf2283afb75aabe4

      Download Submit

    • memory/1300-12-0x0000000000580000-0x00000000005E2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1300-25-0x0000000000580000-0x00000000005E2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1736-0-0x0000000000780000-0x00000000007E2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1736-14-0x0000000000780000-0x00000000007E2000-memory.dmp

      Filesize

      392KB

      Download