urelas | e7c54961d58e2bc9c6da716cec5cb4d8336437c9cc15901ee8e3f7a23666f744

General

Target

069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe
Size

468KB
MD5

069aa0e3df9c8016e4f601aa09dad6c0
SHA1

e96a79c1d02a145afaf0be07561907ddc191ca0d
SHA256

e7c54961d58e2bc9c6da716cec5cb4d8336437c9cc15901ee8e3f7a23666f744
SHA512

0b262ed6b5138ff0abbab16b6af274b2ff8c0955fa45baf641f72ba43d4144b008720caf14e144e6345e70f88f112a421c5b16df47abdfe11c0dcbb86f70739b
SSDEEP

6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhVOpdFRdmY:LMpASIcWYx2U6hAJVG

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	jybop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	qeemqy.exe

Executes dropped EXE 3 IoCs

pid	Process
832	jybop.exe
3284	qeemqy.exe
3292	qibod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4444	3292	WerFault.exe	105

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 832	4476	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	83
PID 4476 wrote to memory of 832	4476	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	83
PID 4476 wrote to memory of 832	4476	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	83
PID 4476 wrote to memory of 3076	4476	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	84
PID 4476 wrote to memory of 3076	4476	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	84
PID 4476 wrote to memory of 3076	4476	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	84
PID 832 wrote to memory of 3284	832	jybop.exe	86
PID 832 wrote to memory of 3284	832	jybop.exe	86
PID 832 wrote to memory of 3284	832	jybop.exe	86
PID 3284 wrote to memory of 3292	3284	qeemqy.exe	105
PID 3284 wrote to memory of 3292	3284	qeemqy.exe	105
PID 3284 wrote to memory of 3292	3284	qeemqy.exe	105
PID 3284 wrote to memory of 3508	3284	qeemqy.exe	106
PID 3284 wrote to memory of 3508	3284	qeemqy.exe	106
PID 3284 wrote to memory of 3508	3284	qeemqy.exe	106

C:\Users\Admin\AppData\Local\Temp\069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Local\Temp\jybop.exe
  "C:\Users\Admin\AppData\Local\Temp\jybop.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\qeemqy.exe
    "C:\Users\Admin\AppData\Local\Temp\qeemqy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\qibod.exe
      "C:\Users\Admin\AppData\Local\Temp\qibod.exe"
      4⤵
      Executes dropped EXE
      PID:3292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 216
        5⤵
        Program crash
        
        PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:3508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3292 -ip 3292
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
8ba3166fb8b69f6644c37169f55958bb

SHA1
7afe8de6d7702104d0c9d3743e894fba9a4f8f52

SHA256
bbe0b08203e11525117366559418099f6d9b289f5c9413c7f1b0b59fb5b39472

SHA512
c3c43d1f88bcedd793bc3fdf8400441180aa6296c82396898dd130317327379e6ec84a3bf7e17e53ee7db56715e2d4162604c42725063bb25440267899dd4262

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
99155891bfff15820697af0a46187d20

SHA1
464a0db058cf4937aa29696d6a602e800dd9b298

SHA256
d4859a79a0007de7c44e62b562715b890697a582b450a9e4647fe443f997eea1

SHA512
c11ec8fd733fab03a8fb4254790b084908e78d35659837630edd6993149675b47c8de38031c2b82491ffe3522d21503b6d31c356b748ac2ad226f441fc65f1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9f0509e21ef0c9ba9470d2e210a2b383

SHA1
3eb206473f8ec5e9e450d90b9ce134b27a4462bb

SHA256
0e1d2d91084aedfbb0c14af1e42bdd5c7ce988ee62bd0f090626fa8e148e23fb

SHA512
bf00845251d901e2223424cff3d94354ff809aece961a9b4e66d3610843a01760efa5784008083d03ceb6c1b71e79e33a45776cd5d53940f17e30111fe5d7d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\jybop.exe

Filesize
468KB

MD5
175ac8b6d6f1e8913a665ec7cf5762de

SHA1
8a42906bad382ed06a810a33038b797d14c70e0b

SHA256
839c5c87ba7881ab142aa13fe3a7546462b0f34bb6181682db84831f1234fb8d

SHA512
a535e94b1f6cdfd365cb33cd64bdaad570551f9ffbf7ccc052e85b7bdee3c6d57d5917ff2df9d40bdeaf1f0706d9c99c0130ecc794fbaddb3771cb6bd5c0db72

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeemqy.exe

Filesize
468KB

MD5
9dbb25877b5a0ec0ef41e5f79d57d79f

SHA1
2339c71df8ca4d3522df4c27330ddcf03e82c3c2

SHA256
ceb0e7ed83d07be80225a44e45b117124af3f9f9bbec4c2fde8a6dd17f61f3f5

SHA512
91f3a4c3fa52369e66e0a03ad1d22a5d4fc5232e12adcfaba55a7d7fc0a3102c7bcaa8149e42ad1c3af46a8d009c886c013ac06f78fa8ed18ae945c824d1c6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qibod.exe

Filesize
223KB

MD5
7d16bca0cc8876ca21fe81ce04003814

SHA1
ea0abc4fed4b5747d433b108d25fd33feb540276

SHA256
160b8ab84183e8730c9cc92dcd4ca586ea26073c72b50e4a99aa563db9ec488a

SHA512
982b572978578c643a06665723f738f46c3fa5e73c7966784e5b17bae0e4065f4ace4ccb789d8bff4efcd129e11af94d666db549fdb7834cd7452720021e78b4

Download Submit
memory/832-23-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3284-37-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3292-35-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4476-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4476-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing