urelas | 1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe
Size

63KB
MD5

7d0a40fe50894a8d68e6c6a58ff61d80
SHA1

47b5d41a4f4cd69315fd2fa2dbfd5ea82abf737d
SHA256

1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64
SHA512

672e6125f926c305f8b177a3fb04c73828d79995d4ebf97a2200498d7f8469bfdbccbeddb20f34b680a3793c1e244be5cb1bfad17beaf367dec1e58e177f4f07
SSDEEP

1536:6bQx5oPsr2vFxDPhAvzgAQzFZ77MzeTmUDG+:6bQRSHpAvzyf7MzeThDG+

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2648 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2944 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe

pid process

1700 1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2648	cmd.exe

pid	process
2944	biudfw.exe

pid	process
1700	1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe

description	pid	process	target process
PID 1700 wrote to memory of 2944	1700	1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe	biudfw.exe
PID 1700 wrote to memory of 2944	1700	1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe	biudfw.exe
PID 1700 wrote to memory of 2944	1700	1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe	biudfw.exe
PID 1700 wrote to memory of 2944	1700	1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe	biudfw.exe
PID 1700 wrote to memory of 2648	1700	1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe	cmd.exe
PID 1700 wrote to memory of 2648	1700	1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe	cmd.exe
PID 1700 wrote to memory of 2648	1700	1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe	cmd.exe
PID 1700 wrote to memory of 2648	1700	1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1c6e3ab91a32a0936e8754bcb7448a969946435ff5a30e416ea2a42875b23d64_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
efd90b3ac908d5482af367de3a82184a

SHA1
de9f01d2ed0247b7b347e55c5a09721a60147fb9

SHA256
44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d

SHA512
6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
368B

MD5
f648aa0aa40198be11bd5667016ab19b

SHA1
6498801f406a5c71f8cdb7e524f54bbefda90681

SHA256
0a47c039d1e4a1fabc259754d615b0eb4b53e13d0001d4636e73db9b4d1c356e

SHA512
af97dd94b880b76fafa0387bb2ea80e15fc424ce923071bb84ecfeb75f60157d3b72e89f9202618bcef806ae7fb9be840f9c3d6e47967d91f6f1f1bf29a42456

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe
Filesize
63KB

MD5
ef50c48b9d004894dd1b57269795bbdf

SHA1
7ee4b6150e4cea93a8f14d88a48f343298618c2f

SHA256
e4f150d4a166ba82c6639f4c4b2c5bf0f9d0ff4dbf171709c8a833dbecb4bdde

SHA512
42b35b001eeeb82b6861c252462a7c7629593fb48803cb994c7e8d2265d939cf5cf1da898b0c1eddf9b1137df1a6a00bfb505b8e7da66b421b49a66d70d08fdb

Download Submit
memory/1700-0-0x0000000000B20000-0x0000000000B45000-memory.dmp

Filesize
148KB

Download
memory/1700-7-0x00000000009F0000-0x0000000000A15000-memory.dmp

Filesize
148KB

Download
memory/1700-18-0x0000000000B20000-0x0000000000B45000-memory.dmp

Filesize
148KB

Download
memory/2944-10-0x0000000000E90000-0x0000000000EB5000-memory.dmp

Filesize
148KB

Download
memory/2944-21-0x0000000000E90000-0x0000000000EB5000-memory.dmp

Filesize
148KB

Download
memory/2944-23-0x0000000000E90000-0x0000000000EB5000-memory.dmp

Filesize
148KB

Download
memory/2944-30-0x0000000000E90000-0x0000000000EB5000-memory.dmp

Filesize
148KB

Download