urelas | dcb21d3e0e23d8cdb7c824ccecf63fb5f87e3167f5d23710505c7bf426a92487

General

Target

7a3f80a5c9c84cab1175841033e19190_NeikiAnalytics.exe
Size

472KB
MD5

7a3f80a5c9c84cab1175841033e19190
SHA1

d5d427998d02e70d72b65af6fba266fd890a7f15
SHA256

dcb21d3e0e23d8cdb7c824ccecf63fb5f87e3167f5d23710505c7bf426a92487
SHA512

be94e941147a008d2494ed107cb46f2e3c3ec4870f3a6102d3ebeff56581527cc052474add7e4be74e39453f6133311e7366d960f6f2d8e974b08773651aefd5
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6mwrxcvkzmSOphmYHI:PMpASIcWYx2U6kQnaHI

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	7a3f80a5c9c84cab1175841033e19190_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	xosug.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	fyenka.exe

Executes dropped EXE 3 IoCs

pid	Process
4620	xosug.exe
1948	fyenka.exe
2420	deekr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4824	2420	WerFault.exe	105
1892	2420	WerFault.exe	105

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4620	3192	7a3f80a5c9c84cab1175841033e19190_NeikiAnalytics.exe	85
PID 3192 wrote to memory of 4620	3192	7a3f80a5c9c84cab1175841033e19190_NeikiAnalytics.exe	85
PID 3192 wrote to memory of 4620	3192	7a3f80a5c9c84cab1175841033e19190_NeikiAnalytics.exe	85
PID 3192 wrote to memory of 3064	3192	7a3f80a5c9c84cab1175841033e19190_NeikiAnalytics.exe	86
PID 3192 wrote to memory of 3064	3192	7a3f80a5c9c84cab1175841033e19190_NeikiAnalytics.exe	86
PID 3192 wrote to memory of 3064	3192	7a3f80a5c9c84cab1175841033e19190_NeikiAnalytics.exe	86
PID 4620 wrote to memory of 1948	4620	xosug.exe	88
PID 4620 wrote to memory of 1948	4620	xosug.exe	88
PID 4620 wrote to memory of 1948	4620	xosug.exe	88
PID 1948 wrote to memory of 2420	1948	fyenka.exe	105
PID 1948 wrote to memory of 2420	1948	fyenka.exe	105
PID 1948 wrote to memory of 2420	1948	fyenka.exe	105
PID 1948 wrote to memory of 1052	1948	fyenka.exe	107
PID 1948 wrote to memory of 1052	1948	fyenka.exe	107
PID 1948 wrote to memory of 1052	1948	fyenka.exe	107

C:\Users\Admin\AppData\Local\Temp\7a3f80a5c9c84cab1175841033e19190_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7a3f80a5c9c84cab1175841033e19190_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\xosug.exe
  "C:\Users\Admin\AppData\Local\Temp\xosug.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\fyenka.exe
    "C:\Users\Admin\AppData\Local\Temp\fyenka.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\deekr.exe
      "C:\Users\Admin\AppData\Local\Temp\deekr.exe"
      4⤵
      Executes dropped EXE
      PID:2420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 216
        5⤵
        Program crash
        
        PID:4824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 220
        5⤵
        Program crash
        
        PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2420 -ip 2420
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2420 -ip 2420
1⤵
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
e220b07893895f1356b7883a583950a9

SHA1
9883b53e3a26f048d09b7f827e9ac49b623f74b9

SHA256
74db344ed4f22d8ca0ebfc1d556ef3ccc9f0a705a2a873f2f9fe81a1c898d0da

SHA512
b59bc8f43e80aad876240d4befbb137d105877e7d491059af152105bf3ead0b98e2c7a4865e0c5f6d05011e517ff4d90da98df3cf7542c32c14dea7695ddae2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
931828ce04f067a060c63c1825e0b079

SHA1
fe60972ad12bf8072b36957b456a4081a476c6c7

SHA256
574854627026618a6a7f87a38481d7f0d9390ef2e28222cb952afe57636c19c7

SHA512
f4e0ec8c0407777f6c7778be310592f9c2b42207725af852107908de5841d9cacb92ae2ae6a0d8359bfce221d7882a2c0ae2256692494436d4dddd74297f223f

Download Submit
C:\Users\Admin\AppData\Local\Temp\deekr.exe

Filesize
223KB

MD5
c9534af48c6f2252532da02cf5cca887

SHA1
62b6bd3680e6df54004d097646e436c7e2fff7f7

SHA256
787996c7055db9b90e6ce5969289db2c3e34f2b85c4e8dbe84ccf43f7553fe2e

SHA512
afe2c0f096a9ad52d53cbd9e62f1a0840569ff6be9ecc236dd51218f1689511bb0b471b0e501907d402d4abba1bb31993f8119705af14b97a1f9d8901c29a676

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyenka.exe

Filesize
472KB

MD5
c9d13a00677a3c4fd6b2cce999984969

SHA1
65bff10531058a85978b03ed80aa0d9f3facd464

SHA256
6a4a569fee331c89dfd3135ca167726b5c13682c0cfa291b4d5876ff6847969d

SHA512
01747821c640efac9e6204b6a81ae64c60827b1c3f812e5f64ea335577d8f979bb97b881d020176adfec31c0543e6bf790cee2ebbe9c5fb02e5958252ca34503

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
31744f35d43b5553cd8bccbc778095fb

SHA1
1b96f31bcfd52c80e20adae668068db2f207952a

SHA256
ba90789c88fca92146c5a299f1c03073119712ec547d345a62c533cff42d7127

SHA512
dee9d9bd786bcf013bd31aecc463c78c3a6deb3efc2ace74e4c70d959319823868785452562187dd13604bf45574f473ede6e25c4b3e7eb65ad3b3cccb51d4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xosug.exe

Filesize
472KB

MD5
20343fc83689f9dbd70e5028bc7dadd0

SHA1
b9be8578eb7f8d58068e80b150085f6e85d41733

SHA256
9c48c25c11509e742a55bc1b207e53071bc73ac7bb7d4b9ca45e57e3b304cc8c

SHA512
8be665a05e01e49f8b14b81c98c87f6d984c064eca93b385d3c462543893cd7b1c8cfb21124a82836221f6a229b59aadde3da17d72ccdbafe73accc4b1d14ca8

Download Submit
memory/1948-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2420-36-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/3192-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3192-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4620-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing