Overview

overview

10

Static

static

3

0ffc823229...cs.exe

windows7-x64

10

0ffc823229...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    29-06-2024 23:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe

  • Size

    340KB

  • MD5

    27e2a351373cef3be74f6812949bb150

  • SHA1

    f51906959e491e1718a7ea0464a6f33d948ef183

  • SHA256

    0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce

  • SHA512

    ac39d7c64240f70f8deaad03191bdb841f749ddd624677fd562b867faa10adacd28b1469a7bdbbb57683fa421944f9adedb1156e22c22b06c56e66de54ac35ce

  • SSDEEP

    6144:b/qE9d70WIH9wFHf+MQYVA5TDT44zuQOIFlUMazNWHT7+Q:uGIWiiHWnesT/483Ociy3

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Users\Admin\AppData\Local\Temp\rolyh.exe
      "C:\Users\Admin\AppData\Local\Temp\rolyh.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Users\Admin\AppData\Local\Temp\mehod.exe
        "C:\Users\Admin\AppData\Local\Temp\mehod.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1384
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    370B

    MD5

    0d4e24699073c6b879285ed4a6b19f26

    SHA1

    01c46c56d3abd48bcdc5dbcf079efd3f48da1ba1

    SHA256

    53d7222adb221c7938e0edd103767d7c7d39a7746fae98ac174cc7b705c3c575

    SHA512

    61727d0fb46611c6615be94252b69ea00772b290d796847e0c741fe93c755d714cce9058a63623efe2cfbc64107eafd4dc647c53575b57a20f6af5bcfa9a156b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    86a0ae19319d37c8855fe7ad69a7605c

    SHA1

    ab2eef6c3dc16d32036fb73995d467762f72d0f4

    SHA256

    599306e64a3b1e1becbab482fef5cea74a03bf08d975a24cbaf425028cff9266

    SHA512

    80c09f3612269e78b511e670ebf19963a74d8cfa0f19cbd2cca858a5b1976bd969dfd4da3cc1eb77ea73cb1c5a3d40196c6f67e31c95e30e3586cadcf6c981a1

    Download Submit
  • \Users\Admin\AppData\Local\Temp\mehod.exe
    Filesize

    226KB

    MD5

    8312f962846e00a3dce390c6030c9917

    SHA1

    b535bd74def22f8f501c85365b8d0f87ab11fa16

    SHA256

    0783f30ffe7b1b9012f85b7413be9b2d101a18e9c67dc5d302bf7ce02b8d39ac

    SHA512

    24fc39406273f617965b9bc7a5de73a25b34ffc595d82834b34afb49172f8d28b1fc70c9d183a7154d9420a2b94a0cc9f931b6dc766a2a3e3f3b7291fdfd836f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\rolyh.exe
    Filesize

    340KB

    MD5

    0e51528da7117d34cd12568fe5d2bcea

    SHA1

    f8bdca6c48e86320a8958c0464801723790883eb

    SHA256

    7343a0eb050e810c4ac9106f23098c7cd37631e6754dba9277a8e72d75bded95

    SHA512

    56692f2390b58d2a31a66fc997deab599a585b71c0ca67ec91c85030e99ba617de391895e97e5897ffe2d9c3f1de9c1d02b3994220b62c75a23f6497f3911cd4

    Download Submit
  • memory/1384-46-0x00000000002F0000-0x00000000003A7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/1384-45-0x00000000002F0000-0x00000000003A7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/1384-44-0x00000000002F0000-0x00000000003A7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/1384-43-0x00000000002F0000-0x00000000003A7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/1384-42-0x00000000002F0000-0x00000000003A7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/1544-16-0x0000000002AA0000-0x0000000002B28000-memory.dmp
    Filesize

    544KB

    Download
  • memory/1544-20-0x00000000001F0000-0x0000000000278000-memory.dmp
    Filesize

    544KB

    Download
  • memory/1544-0-0x00000000001F0000-0x0000000000278000-memory.dmp
    Filesize

    544KB

    Download
  • memory/1544-1-0x0000000000180000-0x0000000000182000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3004-24-0x00000000010F0000-0x0000000001178000-memory.dmp
    Filesize

    544KB

    Download
  • memory/3004-40-0x00000000010F0000-0x0000000001178000-memory.dmp
    Filesize

    544KB

    Download
  • memory/3004-38-0x00000000031F0000-0x00000000032A7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/3004-21-0x0000000000140000-0x0000000000142000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3004-18-0x00000000010F0000-0x0000000001178000-memory.dmp
    Filesize

    544KB

    Download