urelas | 0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe
Size

141KB
MD5

78b6a3a0e336856187f64585cf3ea0f0
SHA1

93b2adc86a79888b1089f79dae18183466d4b744
SHA256

0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f
SHA512

05b5fdc5c56578d574f19ec66d054b80ef95f8a79090756a0fb524b5703127a191af17da65471e890027fc39eacf4c68bbf1efe31b50ea9f55c7773577852df7
SSDEEP

3072:7D8wMT6/JO6SaqLRuNw8niD0LdkD85eL/K:vMT6o6xO8ioGw5eL/K

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3012 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

1088 huter.exe
Loads dropped DLL 1 IoCs

Processes:

0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe

pid process

2436 0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3012	cmd.exe

pid	process
1088	huter.exe

pid	process
2436	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe

description	pid	process	target process
PID 2436 wrote to memory of 1088	2436	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	huter.exe
PID 2436 wrote to memory of 1088	2436	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	huter.exe
PID 2436 wrote to memory of 1088	2436	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	huter.exe
PID 2436 wrote to memory of 1088	2436	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	huter.exe
PID 2436 wrote to memory of 3012	2436	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	cmd.exe
PID 2436 wrote to memory of 3012	2436	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	cmd.exe
PID 2436 wrote to memory of 3012	2436	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	cmd.exe
PID 2436 wrote to memory of 3012	2436	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cb8b3268a58e3e3ea046135a31630bbe

SHA1
9b24e0f46375148ebc245cd6641773e876513ca3

SHA256
fea32526c29951c22eccfc3f837610c29e2843334ef0734f9b68495c14859d0b

SHA512
49ffead156c03719527f8459892e29ec2d7f9842042e885775644ae622d6d4a2746e64c903e8979590631c397f65ba9e59861f89fbd9c3cd2e775c7c933cb746

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
368B

MD5
87c08bc48c21598ccdf555a06ee76e56

SHA1
e1cda0f01b53753bd0c891a66ca20e18ef84507f

SHA256
41b6d97d011e1776e7f96c64c697eb1afb412bf87a7c3e444bbb416b3b7b132d

SHA512
7125fcb9ecdfb961120146f4c64852b2662f9ebeb2b7f8e2616f4f29e2df31aa5fc7025702c9a4138a7918b70f6d2606b9136dc1ffa2ce0ea4185b8139c7f0df

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
141KB

MD5
6abd1df5885f8db64c4a29389f5bedf0

SHA1
62c1ba8af3053c151a6e93a99c15a40a8cd6cbd0

SHA256
2d8087550d2980707d760937d0fe69a8d2b70995634c1b830621ee3963accc12

SHA512
9a4359b79c000cec7d754bb41a1b4f595b7ea86ebba1c4ebd8fc46c35db2c28f895d29aa4cbdbd8fa6604f5f1a0a3c28a33110626ac1f6358fd76f1c24c6a306

Download Submit
memory/1088-10-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1088-22-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1088-24-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1088-31-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2436-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2436-6-0x0000000002BF0000-0x0000000002C39000-memory.dmp

Filesize
292KB

Download
memory/2436-19-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download