urelas | 08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe
Size

94KB
MD5

843ff0e703de3acac701c779d7f52710
SHA1

51ff0cdd821dc46e419ae70287e1b1af3f7a4a3e
SHA256

08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9
SHA512

862cd9d9552f0f25a42faa22bce721486d05bfb008a501c0416b6a90bdcc26d8717cefe302a3140500597adabf30c8162a30f5c063519854e028b533bfd6755e
SSDEEP

1536:yzPr/365lm9HM3RgIHYBv1osX1XCDN/on9FWa:yzTS5lm9aRgCkgR/on/Wa

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

dmlo.exe

pid process

448 dmlo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
448	dmlo.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe

description	pid	process	target process
PID 4420 wrote to memory of 448	4420	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	dmlo.exe
PID 4420 wrote to memory of 448	4420	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	dmlo.exe
PID 4420 wrote to memory of 448	4420	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	dmlo.exe
PID 4420 wrote to memory of 4912	4420	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	cmd.exe
PID 4420 wrote to memory of 4912	4420	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	cmd.exe
PID 4420 wrote to memory of 4912	4420	08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08552f4759a1c693789268d72375c4d6b4ceb89a05d1df7abf5ac5af6a6ecdb9_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4420

C:\Users\Admin\AppData\Local\Temp\dmlo.exe
"C:\Users\Admin\AppData\Local\Temp\dmlo.exe"
2⤵
- Executes dropped EXE
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:4912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dmlo.exe
Filesize
94KB

MD5
502d382013e4d61564c5dddbe5d9c8f1

SHA1
8c6348246f104feb6333b7814e9622cef3bbecda

SHA256
3b29f557aaeb0ef977af07b2b69f90d2b40adea837a05f5760c5e8f6b1820391

SHA512
cde523a4b30b193df10f3c81397e4b6fbc7fe5f05d6d05edcc2b22cc2b5e9a2b6f75571750dbb382077a492bd8ad360fce7996e5abee869a11c92ae84be59644

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
f9b91597d16270517e69ba48147acd02

SHA1
732efa0a97793262ec3ed0ce2360f33e4c90a566

SHA256
652a7f277252d4a28de3aea16175ad0a247540ace3f64bf77f91861a3325c6ea

SHA512
6c0ef0f7c0f49bfc65f96c6b766e49270bf19b5266b3135b88fbf59e1831d48b5a5be7eecf126e9b165d55191fb2d633e7544a27b60bf28918f874d75270b5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
368B

MD5
f3436f96bbac73c68c156c6bf73c2225

SHA1
dbb3b944721e042df8f9f9222b347b080481dcac

SHA256
c2fb2d4b87833dd7dd13020ac5054eff2008c9e3ddd19a6d900e7ccfad7c78fa

SHA512
0c7f5ee0b02fde34f2f12789688df609fd97d9c2cbc80b2747685d6ed687e61b65bb4a31f0b7e8f7cf2a53c119686d127e582fa59da68d833085d1eba231b9be

Download Submit
memory/448-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/448-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/448-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4420-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4420-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download