urelas | 0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe
Size

58KB
MD5

879934d4df1f64c56bdb44928f18c900
SHA1

3558a0a9aaf0b20cf42edc450fb44f5b2c58ec43
SHA256

0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e
SHA512

f95c7d180c4ce9f85a21f1bf6f7e0433af56c9f413e6cb30928446a48dfc151769ef73627a1e8620a678dba6aeb52aa59d3a8cc871aac5253341f4a12b75e862
SSDEEP

1536:l7X2lykmUO2drIYfdQ3W8PTZEd4Ejf/kE/Q6mhnDxMmKy5:VXmykmU9If3h1O4Eb/eOE

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2796 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

3040 huter.exe
Loads dropped DLL 1 IoCs

Processes:

0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe

pid process

2548 0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2796	cmd.exe

pid	process
3040	huter.exe

pid	process
2548	0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe

description	pid	process	target process
PID 2548 wrote to memory of 3040	2548	0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe	huter.exe
PID 2548 wrote to memory of 3040	2548	0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe	huter.exe
PID 2548 wrote to memory of 3040	2548	0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe	huter.exe
PID 2548 wrote to memory of 3040	2548	0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe	huter.exe
PID 2548 wrote to memory of 2796	2548	0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe	cmd.exe
PID 2548 wrote to memory of 2796	2548	0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe	cmd.exe
PID 2548 wrote to memory of 2796	2548	0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe	cmd.exe
PID 2548 wrote to memory of 2796	2548	0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0e57c2b5fe2fe6b66bece7fdc1211503a1cd8b0ccddbf211e558050b6f8f796e_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
2⤵
- Executes dropped EXE
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
14ab4579b6f3a97ff1099d4591f166c1

SHA1
9379aa65d3bfd4f819f06417b90dbc9ec7bc1354

SHA256
1bf9ad4eb9a6ec73fdd5bd94de5ffca1d94a48707f5a2818d5fcd68033cf1101

SHA512
a6342bf2172f65e4541230f91249c77e5ef2e558acaa91caec520fc4b2ca2f57a4f687c62227a7d20b0264b41bd88f6ad3d38d23bcf571165693b861232c4ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
368B

MD5
2eb9c578f9c05de73daaa7e84189cfa3

SHA1
988f07cd14dc62af9743a3d1d807c15050f8b74f

SHA256
14edfefedd266ad06fe2f7428eea4369aeb515e840c18763cebdc9433e672014

SHA512
ff8c5fadf3abc0755751cf5c9b58dd9b69ad5f522f6cd656d54c382bc9ab0b1792656babbfe4c7c94fc8b46cfe93321272c8f4ebc9a320d4aafaee6da10dae90

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe
Filesize
58KB

MD5
611a1236412972b8f12e469fa7bfbddb

SHA1
204d7fa6c3b3e451bb7e58f85d0471a9b0ee152e

SHA256
dac69cb744b3b123b871a532f33ae023e673abbf6ccd8a6e8679c2d230d5c5ca

SHA512
5cff8788e595c38ac9bc5c226670e6a347f27ea36dce5f33f31b6a5ff2fb033628527629287ca05bbb3cc2f011b18c573b53e5d5c274b4cca826030580ceb3b7

Download Submit
memory/2548-0-0x0000000000840000-0x0000000000877000-memory.dmp

Filesize
220KB

Download
memory/2548-6-0x00000000023A0000-0x00000000023D7000-memory.dmp

Filesize
220KB

Download
memory/2548-19-0x0000000000840000-0x0000000000877000-memory.dmp

Filesize
220KB

Download
memory/3040-11-0x0000000000B10000-0x0000000000B47000-memory.dmp

Filesize
220KB

Download
memory/3040-22-0x0000000000B10000-0x0000000000B47000-memory.dmp

Filesize
220KB

Download
memory/3040-24-0x0000000000B10000-0x0000000000B47000-memory.dmp

Filesize
220KB

Download
memory/3040-31-0x0000000000B10000-0x0000000000B47000-memory.dmp

Filesize
220KB

Download