urelas | 9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe
Size

175KB
MD5

72ded024fc218db10618c03b85496ea0
SHA1

d56d18434d2ef859b6029d484462f031ad7584ee
SHA256

9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9
SHA512

245940b2798043495a389751751dfccd828d64e07a58e802fe03e822ba88a2f1465f270827c7019e221c6475236e55eba0c8ce700c317f6a06eadd6c08af8e01
SSDEEP

3072:s9AJRSvTvHN7xkKGsfPNGhoIPpcUqePvwP:s9AvSLvHNdkKGbHPpDqL

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.28.139

121.88.5.183

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2972 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

poldge.exe

pid process

1728 poldge.exe
Loads dropped DLL 1 IoCs

Processes:

9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe

pid process

1920 9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2972	cmd.exe

pid	process
1728	poldge.exe

pid	process
1920	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe

description	pid	process	target process
PID 1920 wrote to memory of 1728	1920	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	poldge.exe
PID 1920 wrote to memory of 1728	1920	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	poldge.exe
PID 1920 wrote to memory of 1728	1920	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	poldge.exe
PID 1920 wrote to memory of 1728	1920	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	poldge.exe
PID 1920 wrote to memory of 2972	1920	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	cmd.exe
PID 1920 wrote to memory of 2972	1920	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	cmd.exe
PID 1920 wrote to memory of 2972	1920	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	cmd.exe
PID 1920 wrote to memory of 2972	1920	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\poldge.exe
  "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3f372385bf24b44385f4b1251d3aca4d

SHA1
83546de6ba8f20bd08a15896d34f6242ed64352f

SHA256
b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27

SHA512
d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
368B

MD5
43b1e1a47289a39db8b5afc3a86dc1bd

SHA1
c954666c5339d4519ebb1e0f3f6248d00e3ca95a

SHA256
9ab488a5ac7d5e1c201d9cf3e000df6b73fecb0e96ef0ea065403333f5f3a975

SHA512
6f22f0c51dfb8e647f576159bb6582df351ab2585bd8d573435e51894585f595b155a87a0001f160582c7dc6eab11503318cade0730be550b81c83fb462ff430

Download Submit
\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
175KB

MD5
cf4d57f0691c5f41122f0672ce124e13

SHA1
3934cc8e9a20f86fcee6a1e836d1e760a067e832

SHA256
e10df82347777d565245929e13a2a0b82501a2f5fa6c622d1651726a768cedf7

SHA512
8b88ab5b131564244e85cec3cc01f26c97047147162877e40b87a1265aa4122f477989ab7706f2439e9fcf9a155512c68b675246f0995a2e629d938493aee518

Download Submit
memory/1728-20-0x00000000010F0000-0x000000000111E000-memory.dmp

Filesize
184KB

Download
memory/1920-0-0x0000000001090000-0x00000000010BE000-memory.dmp

Filesize
184KB

Download
memory/1920-5-0x00000000003A0000-0x00000000003CE000-memory.dmp

Filesize
184KB

Download
memory/1920-17-0x0000000001090000-0x00000000010BE000-memory.dmp

Filesize
184KB

Download