urelas | 69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe
Size

142KB
MD5

472d138a83586cfad7ce44eb8434a4a0
SHA1

fcd7cd5e9252efd6a6a7ceda81750cfa43ea0e50
SHA256

69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897
SHA512

e9af7870b37f572b6e5d2752d275de3a2f3600b4654da653de9d071f1e1fe0966d228b62716ef3d31a59091962051d9a4613e6fbb0a7941707ac14efa97ccf24
SSDEEP

1536:XBmcOGZnuETb8yqYd6f/68OJBfWKy2CZ0K06RcVxUs0vUQg0Zm2okVpwP0O:XZOSuECf8ZCKK06QC5ZZdokVp20O

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2732 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

dofhir.exe

pid process

3028 dofhir.exe

pid	process
2732	cmd.exe

pid	process
3028	dofhir.exe

Loads dropped DLL 2 IoCs

Processes:

69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe

pid	process
2852	69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe
2852	69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe

description	pid	process	target process
PID 2852 wrote to memory of 3028	2852	69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe	dofhir.exe
PID 2852 wrote to memory of 3028	2852	69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe	dofhir.exe
PID 2852 wrote to memory of 3028	2852	69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe	dofhir.exe
PID 2852 wrote to memory of 3028	2852	69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe	dofhir.exe
PID 2852 wrote to memory of 2732	2852	69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe	cmd.exe
PID 2852 wrote to memory of 2732	2852	69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe	cmd.exe
PID 2852 wrote to memory of 2732	2852	69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe	cmd.exe
PID 2852 wrote to memory of 2732	2852	69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69bece8ab134c9fcfb20071627cebe1d359a484782d5d0a4db6b9b25ac11a897_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\dofhir.exe
"C:\Users\Admin\AppData\Local\Temp\dofhir.exe"
2⤵
- Executes dropped EXE
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
1bda36d555a6a668c71a805d0fef7b43

SHA1
63ef5ec40ea61e0803c5f988c5f5b1fe5834eeab

SHA256
91fc9a1836c535aa1bfa3288c635d24a44b76f9837702d0540fa8c1b97551a4c

SHA512
5b01bfe55ff24db66250d5555b29fae4c24d988827b47301fc319dafcabd33ab2944789395c35a002919ebcf042da989d8cfa95349c3f7344d58b20b31b23ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
368B

MD5
f6542d604dc9250502d27af8e729dfba

SHA1
6ff4040ed9c0a836be1eac34631f5832f95c5f68

SHA256
9d2498afbe9840ebc3bba2d8f63ea377b38edaf017f60ca6f3de9effdbd859b8

SHA512
0967b898b5ad342bbfa857a6373c9f77dfada9951df3dce84689adc2d8c6deed9b8fe704e78d9a7724fab5411c9027594ae58038b8d9a0de9540293cf8fc9ab5

Download Submit
\Users\Admin\AppData\Local\Temp\dofhir.exe
Filesize
142KB

MD5
0553d1e3575108aa05f8f569ec7757ae

SHA1
d6ba5c17dd363131ce22391e09938df7c473d748

SHA256
f64021de21e1a43dd79115a11f92ddf58e686f19e3419a0140e4eb3e9440d10f

SHA512
c7e9605a80d2eed58d73cd1ea89cf8f2261119839f31c9aef0d2cd1414b9c78c2ffc744cdc96adda126e57686ac16bd3cfcc36d1b061cf7356bd61e035226d69

Download Submit
memory/2852-0-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/2852-6-0x0000000000520000-0x000000000054A000-memory.dmp

Filesize
168KB

Download
memory/2852-13-0x0000000000520000-0x000000000054A000-memory.dmp

Filesize
168KB

Download
memory/2852-22-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/3028-14-0x0000000001110000-0x000000000113A000-memory.dmp

Filesize
168KB

Download
memory/3028-25-0x0000000001110000-0x000000000113A000-memory.dmp

Filesize
168KB

Download