urelas | 97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe
Size

804KB
MD5

415a452c00ba7ea416563c376caa9320
SHA1

d70b23db0c0252b671183d692ac6931651f037bd
SHA256

97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0
SHA512

bd8f6a338475f67940426f6fb80280a1e94c4ded56ca7c3cbb10f61d129b7c35e47e1ca26634944ab35d6ec77b87d3746557485a98633ea9d3ab1215c7ac0028
SSDEEP

12288:occNvdRExZGe+Q1nzPAlDqfJZKay4imoWkI094og2GgPZkiMgU:onPfQpzyD8ZKajiAkI094YLMgU

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

zehui.exe

pid process

4448 zehui.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4448	zehui.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe

description	pid	process	target process
PID 848 wrote to memory of 4448	848	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	zehui.exe
PID 848 wrote to memory of 4448	848	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	zehui.exe
PID 848 wrote to memory of 4448	848	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	zehui.exe
PID 848 wrote to memory of 2940	848	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	cmd.exe
PID 848 wrote to memory of 2940	848	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	cmd.exe
PID 848 wrote to memory of 2940	848	97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\97c1f4d0abd70bf4d1c4eee2e7d4febc6a7e2eb928541086faf99406c3f00ae0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\zehui.exe
  "C:\Users\Admin\AppData\Local\Temp\zehui.exe"
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
370B

MD5
8e5bde209aad9662dcd0b0af56538199

SHA1
670c7b6da33efda2f1cc5027e5102c68fca09ffd

SHA256
45d03f5f1a43f954b5c3057ba2bda7ea5c58ba424abd14e846d80e0bd2be3b67

SHA512
b823ba6c3b45be4588f0b13d8d918d73daaf00e91dad0dad853ca1df4ec5433d78628a2e0907396c890bdc07d09349b1b2fdd331e3dd9352791d21c15bb97236

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ff156869f945bd13228cc61ca0e1205d

SHA1
bdda0b15058e766f49d18e5aea4ab22b399a60f1

SHA256
88f26cfb030cfa6616f040a075fe1576b860c162475a2feea98e097b0faa5c04

SHA512
ecc086786d37e7b5935589539cc1af6aa6181b786515e67f423e01c989e4d1b38fba41e1ae592d24dd1c2a08a5f60bed514b4cf92ba438536aaa511745871a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\zehui.exe

Filesize
804KB

MD5
52e3e67ace4b97a6917f1e10f22771b6

SHA1
6b411d54f875b40a43aa2f954b8aa3afc8148286

SHA256
74b46bf773276e05548073408fa3087e685715a46e076cb46bd07a5199770457

SHA512
cdfa59b46b08ad50a9ebbfad61f3555139755c222baff2a84437d474356116b9d494e80dea09034ea72bd43196ed7e4a9c5c5bb85f983e496cda57cf5944bdad

Download Submit
memory/848-0-0x0000000000920000-0x00000000009EF000-memory.dmp

Filesize
828KB

Download
memory/848-14-0x0000000000920000-0x00000000009EF000-memory.dmp

Filesize
828KB

Download
memory/4448-9-0x00000000002C0000-0x000000000038F000-memory.dmp

Filesize
828KB

Download
memory/4448-17-0x00000000002C0000-0x000000000038F000-memory.dmp

Filesize
828KB

Download