urelas | 292aaf26fd2fd5282bc16f145086d45a23335eee91fb31e5846e6297d44cb767

Analysis

max time kernel
125s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe
Size

112KB
MD5

53af414bd3858e38cffb022ad676f6a0
SHA1

f234506433f39d1de52c4c615debfd427c01e123
SHA256

292aaf26fd2fd5282bc16f145086d45a23335eee91fb31e5846e6297d44cb767
SHA512

009b9ad86f3eaf853ccabae90bfc0946b2083b233354a9ebc587740cd3c482f820b3d6aee2d6541feb2d061ebead4e64d9670dc8bc2d33efe90fb9a3f5056135
SSDEEP

1536:3JoHHwAnTtIBcNCk+syhonfC3GNKcK7+sWjcd8sWL64TGFju+t:4tCc+/h0fmSid81L64TGVu+t

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2032 biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2032	biudfw.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe

description	pid	process	target process
PID 4924 wrote to memory of 2032	4924	53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe	biudfw.exe
PID 4924 wrote to memory of 2032	4924	53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe	biudfw.exe
PID 4924 wrote to memory of 2032	4924	53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe	biudfw.exe
PID 4924 wrote to memory of 2956	4924	53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe	cmd.exe
PID 4924 wrote to memory of 2956	4924	53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe	cmd.exe
PID 4924 wrote to memory of 2956	4924	53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\53af414bd3858e38cffb022ad676f6a0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3148,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Filesize
112KB

MD5
6771ab45ad6ef5597de5fa4783d85e61

SHA1
af9b229c1ba78d87e40067a5dcc8aaf82ce38167

SHA256
46dc913ca3f4a62fa43aa9f957d32541110b967b6e477e88e526c02351497d1b

SHA512
2f355323963739f87575d9516dc756b2cf509a78e829f6a2826ee980ba9d543c8ef5fb4a6be61932f7a02c0e6f6cd9a12f529e836e8eb1f73b78019276ceed68

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
429d29b7501cff75ffd4e7af0b24db41

SHA1
53808fde744d4d65aa2f4c48e8644a65f81be038

SHA256
8076fa1dc4b0ecf16960cc5c92abd9dc5c4542fb7ff92073e8b6a24ba1eea1c7

SHA512
83516d410586a6224af7cfc232b65d36a0e74e8c75264c737c20a9956aec011f1bd6343ad5b573219804cc8f76697a98b287d7117669e9375947fcfe49bd4e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
304B

MD5
c98f7c99bd74a89d08fc47a196bfbc7e

SHA1
2579e913318f36c950d0058bf6235a5cbefe01a8

SHA256
634e1301556c0c2e379663cad4856d7ef9d532f1dadbc3f78a2f6da6c90bd67f

SHA512
0d907308db2c098a34a6511bb723461e01e4dbbab9a8498e91c38d4c12a5f3a46a956666e25f5c8aafc954e850761abd7ad2c5f208c8eb6ea0ae78f03ccacdcb

Download Submit
memory/2032-11-0x0000000000E80000-0x0000000000EA4000-memory.dmp

Filesize
144KB

Download
memory/2032-17-0x0000000000E80000-0x0000000000EA4000-memory.dmp

Filesize
144KB

Download
memory/4924-0-0x00000000009A0000-0x00000000009C4000-memory.dmp

Filesize
144KB

Download
memory/4924-14-0x00000000009A0000-0x00000000009C4000-memory.dmp

Filesize
144KB

Download