urelas | 97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe
Size

804KB
MD5

415a452c00ba7ea416563c376caa9320
SHA1

d70b23db0c0252b671183d692ac6931651f037bd
SHA256

97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0
SHA512

bd8f6a338475f67940426f6fb80280a1e94c4ded56ca7c3cbb10f61d129b7c35e47e1ca26634944ab35d6ec77b87d3746557485a98633ea9d3ab1215c7ac0028
SSDEEP

12288:occNvdRExZGe+Q1nzPAlDqfJZKay4imoWkI094og2GgPZkiMgU:onPfQpzyD8ZKajiAkI094YLMgU

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2584 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

ibutm.exe

pid process

2924 ibutm.exe
Loads dropped DLL 1 IoCs

Processes:

97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe

pid process

1844 97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2584	cmd.exe

pid	process
2924	ibutm.exe

pid	process
1844	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe

description	pid	process	target process
PID 1844 wrote to memory of 2924	1844	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	ibutm.exe
PID 1844 wrote to memory of 2924	1844	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	ibutm.exe
PID 1844 wrote to memory of 2924	1844	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	ibutm.exe
PID 1844 wrote to memory of 2924	1844	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	ibutm.exe
PID 1844 wrote to memory of 2584	1844	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	cmd.exe
PID 1844 wrote to memory of 2584	1844	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	cmd.exe
PID 1844 wrote to memory of 2584	1844	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	cmd.exe
PID 1844 wrote to memory of 2584	1844	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\ibutm.exe
  "C:\Users\Admin\AppData\Local\Temp\ibutm.exe"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
370B

MD5
8e5bde209aad9662dcd0b0af56538199

SHA1
670c7b6da33efda2f1cc5027e5102c68fca09ffd

SHA256
45d03f5f1a43f954b5c3057ba2bda7ea5c58ba424abd14e846d80e0bd2be3b67

SHA512
b823ba6c3b45be4588f0b13d8d918d73daaf00e91dad0dad853ca1df4ec5433d78628a2e0907396c890bdc07d09349b1b2fdd331e3dd9352791d21c15bb97236

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c82a52bcfb9773f1dfbd0de693a4dece

SHA1
e45aa1c42b36eac44ba72162351f6925e9033cf8

SHA256
a7bd305b442ed6533e81702dc3c08c1b3c52960da7faa29490c4a4a9963fe888

SHA512
7e75bed8d6b6ca9214c6a36b31b29ba8f27af9691c9a7b4ae2e5eaba669ee20a5a893a18ce3b9dc0cb89d7bfc56690f18597ced7e82294e65a760011c5d388e8

Download Submit
\Users\Admin\AppData\Local\Temp\ibutm.exe

Filesize
804KB

MD5
f9b972f3a362c41629db2a13cb6e1dd4

SHA1
c7264f137b562846b00777ed02ed070fd16a6192

SHA256
fc457651d88ed555fbb381b8c1dfdbac04edfca99c86027605df18d0aa1db85a

SHA512
3d5ac5e70d9aab8ce7bfec61d4c97f224042ce6fccb8f8520eb50e89a2a1be42e35fa736a17e268bea6dfc5c79b7bee3ab8e8c9c3af77377047234430e18c145

Download Submit
memory/1844-0-0x0000000000900000-0x00000000009CF000-memory.dmp

Filesize
828KB

Download
memory/1844-15-0x00000000020E0000-0x00000000021AF000-memory.dmp

Filesize
828KB

Download
memory/1844-18-0x0000000000900000-0x00000000009CF000-memory.dmp

Filesize
828KB

Download
memory/2924-17-0x0000000000F10000-0x0000000000FDF000-memory.dmp

Filesize
828KB

Download
memory/2924-21-0x0000000000F10000-0x0000000000FDF000-memory.dmp

Filesize
828KB

Download