urelas | 08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe
Size

94KB
MD5

843ff0e703de3acac701c779d7f52710
SHA1

51ff0cdd821dc46e419ae70287e1b1af3f7a4a3e
SHA256

08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9
SHA512

862cd9d9552f0f25a42faa22bce721486d05bfb008a501c0416b6a90bdcc26d8717cefe302a3140500597adabf30c8162a30f5c063519854e028b533bfd6755e
SSDEEP

1536:yzPr/365lm9HM3RgIHYBv1osX1XCDN/on9FWa:yzTS5lm9aRgCkgR/on/Wa

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2580 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

opnf.exe

pid process

2812 opnf.exe
Loads dropped DLL 1 IoCs

Processes:

08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe

pid process

2176 08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2580	cmd.exe

pid	process
2812	opnf.exe

pid	process
2176	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe

description	pid	process	target process
PID 2176 wrote to memory of 2812	2176	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	opnf.exe
PID 2176 wrote to memory of 2812	2176	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	opnf.exe
PID 2176 wrote to memory of 2812	2176	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	opnf.exe
PID 2176 wrote to memory of 2812	2176	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	opnf.exe
PID 2176 wrote to memory of 2580	2176	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	cmd.exe
PID 2176 wrote to memory of 2580	2176	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	cmd.exe
PID 2176 wrote to memory of 2580	2176	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	cmd.exe
PID 2176 wrote to memory of 2580	2176	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\opnf.exe
"C:\Users\Admin\AppData\Local\Temp\opnf.exe"
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
ce26b2a5a01ad51de0c30c719f170fd2

SHA1
a6f4caf1669ac040e91111f132b390fe6d79ace8

SHA256
876a760256f517d708899f920d681c5f1c62e9bd9f4b78eea77d53c9838ac018

SHA512
95dc704d4b3c102258e28c0e88bc2d205784b9ec2e2534ec0e6d479dc8aa0e9ecbf5101807fe3aeb88aed162adbe67caa3441174171efe4697d4dc7da91ea23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
368B

MD5
f3436f96bbac73c68c156c6bf73c2225

SHA1
dbb3b944721e042df8f9f9222b347b080481dcac

SHA256
c2fb2d4b87833dd7dd13020ac5054eff2008c9e3ddd19a6d900e7ccfad7c78fa

SHA512
0c7f5ee0b02fde34f2f12789688df609fd97d9c2cbc80b2747685d6ed687e61b65bb4a31f0b7e8f7cf2a53c119686d127e582fa59da68d833085d1eba231b9be

Download Submit
\Users\Admin\AppData\Local\Temp\opnf.exe
Filesize
94KB

MD5
f5718e55ba52ff2b1a6cb4e813f4e3bf

SHA1
57f16480c4953e6312daaf9d8c37c5aee13cfecc

SHA256
7da6837cbc59dda8b916819467c6ae8408249fc59a4e9f3f71b038dd2347bc12

SHA512
6c84e6ce4462f696f3978870c9c73ff7e9d5a06189e1a1044be22fe4f48a68db1bd40b971f969d952d194298373f43c12570844b66f2d4123c6566e0ed9bbb53

Download Submit
memory/2176-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2176-9-0x0000000003130000-0x000000000316D000-memory.dmp

Filesize
244KB

Download
memory/2176-19-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2812-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2812-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2812-29-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download