urelas | 9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe
Size

175KB
MD5

72ded024fc218db10618c03b85496ea0
SHA1

d56d18434d2ef859b6029d484462f031ad7584ee
SHA256

9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9
SHA512

245940b2798043495a389751751dfccd828d64e07a58e802fe03e822ba88a2f1465f270827c7019e221c6475236e55eba0c8ce700c317f6a06eadd6c08af8e01
SSDEEP

3072:s9AJRSvTvHN7xkKGsfPNGhoIPpcUqePvwP:s9AvSLvHNdkKGbHPpDqL

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.28.139

121.88.5.183

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

poldge.exe

pid process

2020 poldge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2020	poldge.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe

description	pid	process	target process
PID 1924 wrote to memory of 2020	1924	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	poldge.exe
PID 1924 wrote to memory of 2020	1924	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	poldge.exe
PID 1924 wrote to memory of 2020	1924	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	poldge.exe
PID 1924 wrote to memory of 2996	1924	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	cmd.exe
PID 1924 wrote to memory of 2996	1924	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	cmd.exe
PID 1924 wrote to memory of 2996	1924	9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9627d76c8a9da2d83e0324c92f780a814084e3e34fc4c432cdc057fd2a6ee8c9_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\poldge.exe
"C:\Users\Admin\AppData\Local\Temp\poldge.exe"
2⤵
- Executes dropped EXE
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
3f372385bf24b44385f4b1251d3aca4d

SHA1
83546de6ba8f20bd08a15896d34f6242ed64352f

SHA256
b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27

SHA512
d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\poldge.exe
Filesize
175KB

MD5
752eec49515f7acae5d352448ea386d5

SHA1
a7c3bf256cac709dc97e3c7ce6a15b2b570874d8

SHA256
16276e662411cdce9013ea66421e011c0cf495afb51e5d27eba5a177ceaa974c

SHA512
fa33da4077c11147e59fc1f595d2fdb4b841defea39193cfe57f1b9c70448e5364fc19c5c0c53f85546176f26e902a7c13693a67ef7d566ff027354ccdbcca29

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
368B

MD5
43b1e1a47289a39db8b5afc3a86dc1bd

SHA1
c954666c5339d4519ebb1e0f3f6248d00e3ca95a

SHA256
9ab488a5ac7d5e1c201d9cf3e000df6b73fecb0e96ef0ea065403333f5f3a975

SHA512
6f22f0c51dfb8e647f576159bb6582df351ab2585bd8d573435e51894585f595b155a87a0001f160582c7dc6eab11503318cade0730be550b81c83fb462ff430

Download Submit
memory/1924-0-0x0000000000A80000-0x0000000000AAE000-memory.dmp

Filesize
184KB

Download
memory/1924-14-0x0000000000A80000-0x0000000000AAE000-memory.dmp

Filesize
184KB

Download
memory/2020-12-0x0000000000F10000-0x0000000000F3E000-memory.dmp

Filesize
184KB

Download
memory/2020-17-0x0000000000F10000-0x0000000000F3E000-memory.dmp

Filesize
184KB

Download