urelas | 0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f

Analysis

max time kernel
128s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe
Size

141KB
MD5

78b6a3a0e336856187f64585cf3ea0f0
SHA1

93b2adc86a79888b1089f79dae18183466d4b744
SHA256

0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f
SHA512

05b5fdc5c56578d574f19ec66d054b80ef95f8a79090756a0fb524b5703127a191af17da65471e890027fc39eacf4c68bbf1efe31b50ea9f55c7773577852df7
SSDEEP

3072:7D8wMT6/JO6SaqLRuNw8niD0LdkD85eL/K:vMT6o6xO8ioGw5eL/K

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

2604 huter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2604	huter.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe

description	pid	process	target process
PID 1556 wrote to memory of 2604	1556	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	huter.exe
PID 1556 wrote to memory of 2604	1556	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	huter.exe
PID 1556 wrote to memory of 2604	1556	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	huter.exe
PID 1556 wrote to memory of 2416	1556	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	cmd.exe
PID 1556 wrote to memory of 2416	1556	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	cmd.exe
PID 1556 wrote to memory of 2416	1556	0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0473b524e21ea497c7be4c40af6b380092443bd647dc336817095a5f504c0b0f_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cb8b3268a58e3e3ea046135a31630bbe

SHA1
9b24e0f46375148ebc245cd6641773e876513ca3

SHA256
fea32526c29951c22eccfc3f837610c29e2843334ef0734f9b68495c14859d0b

SHA512
49ffead156c03719527f8459892e29ec2d7f9842042e885775644ae622d6d4a2746e64c903e8979590631c397f65ba9e59861f89fbd9c3cd2e775c7c933cb746

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
141KB

MD5
62537163e588cbb9d3a7db81d2800278

SHA1
ced24060c21028e93c2354d97ca3f522cfd96a8a

SHA256
5d0bb0b6021ce09a8c8c6bf094c84176f6d4cb64583ac38efc61bfea7c116003

SHA512
39989e0e396a4cec2e61d5e52ad9aae0d2d90326ee2332d9332f7b8c16fb11827c7272b0580127f09c0265497288591e73047c5dde55864f1ce453947ff9cc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
368B

MD5
87c08bc48c21598ccdf555a06ee76e56

SHA1
e1cda0f01b53753bd0c891a66ca20e18ef84507f

SHA256
41b6d97d011e1776e7f96c64c697eb1afb412bf87a7c3e444bbb416b3b7b132d

SHA512
7125fcb9ecdfb961120146f4c64852b2662f9ebeb2b7f8e2616f4f29e2df31aa5fc7025702c9a4138a7918b70f6d2606b9136dc1ffa2ce0ea4185b8139c7f0df

Download Submit
memory/1556-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1556-14-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2604-17-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2604-19-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2604-25-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download