urelas | 0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84

General

Target

0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe
Size

94KB
MD5

a280524f30ac12ad562e725173baf950
SHA1

f0165011daa9c63386c45a319c5c86d85bb163f2
SHA256

0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84
SHA512

8882dca94cdf983068a7349b06296c32cc522ab09f95acad305049be7322783692a6c765debf7fa13fc8fb609e36e1001a8dd796e46b43f09c8ebac15e4b7ccf
SSDEEP

1536:OVNSf7hyk+I6412V6PMqAax80XAFSrRwP:SSf9yk+U2V63XAFSrRc

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2716 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

2248 huter.exe
Loads dropped DLL 1 IoCs

Processes:

0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe

pid process

2368 0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2716	cmd.exe

pid	process
2248	huter.exe

pid	process
2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe

description	pid	process	target process
PID 2368 wrote to memory of 2248	2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe	huter.exe
PID 2368 wrote to memory of 2248	2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe	huter.exe
PID 2368 wrote to memory of 2248	2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe	huter.exe
PID 2368 wrote to memory of 2248	2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe	huter.exe
PID 2368 wrote to memory of 2248	2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe	huter.exe
PID 2368 wrote to memory of 2248	2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe	huter.exe
PID 2368 wrote to memory of 2248	2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe	huter.exe
PID 2368 wrote to memory of 2716	2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe	cmd.exe
PID 2368 wrote to memory of 2716	2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe	cmd.exe
PID 2368 wrote to memory of 2716	2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe	cmd.exe
PID 2368 wrote to memory of 2716	2368	0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0afe6966471116cfe136b7b639a7d6a29dd653be64b64f299d88e84322dc0a84_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8c69e006046149f40585fb3e1bfafb4

SHA1
97073fb1d116248dbecd009e4bf873ab45c6c2da

SHA256
df1edebe6911c5127449117bdcec2878b0ecaff3e930a37e13aefe54363be228

SHA512
b8f5c75fbbddbb185a82395b59f75802cf800dac792c7256261998f3b4a965f180a901f4bd4e873b1cec0ac7acb77e09ec793c8b19ac2d1fdf115e57c42626b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
368B

MD5
9dd5147d8e54a8a4adcf33b2457d97e6

SHA1
f4269e3df88a618e5444834ccb774f703ef8afa7

SHA256
cb1ecc44aaa77808605ba02ee4b84c9c8310d233e31017f3826419065f996a58

SHA512
82fcd1297407646f45783badd00cf8c906d3f4da887e92c6cfee632b553bf07d3809562a8e70939d0232025d01eb6e64887cd39e5c8449b84bc5634b3703b6df

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
94KB

MD5
bc02bf67dff1deb5b71f40b16a7d56b7

SHA1
9b31b15565cae0ef87ac7b615c31302f180a607d

SHA256
e0584963349f34e9f002ff2cea1bf1892bac5f93a708fa85a3efa08bd833ff56

SHA512
ae4ecf459d7ef99962dd78a351b0f53685ac8637e46b47bc46e25bedb59dfe5f339f494af2838c2acfde91d5b1ebc9a07a84c5c233dcfe2b40da2d8ad31a4f4e

Download Submit
memory/2248-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2248-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2248-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2248-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2368-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2368-16-0x0000000002910000-0x0000000002948000-memory.dmp

Filesize
224KB

Download
memory/2368-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing