urelas | 14152d01b686c518ee44af7a29c8db8737139e932b454a3779982c0047543210

General

Target

73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe
Size

6.4MB
MD5

73703a76038fe2122ee90b1f6d129480
SHA1

63b06bd4186b57760ce4928ab3d949b7455ae0b9
SHA256

14152d01b686c518ee44af7a29c8db8737139e932b454a3779982c0047543210
SHA512

1204f9ebde8673e081ea069a9f4e56c2c53d7a3525dbd5a51e12b29b8c106383ce9a53f5c3135fa48b82906a1e0229cca55adfe8c9acd6346e858646d54a72aa
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSo:i0LrA2kHKQHNk3og9unipQyOaOo

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exebatod.exedorylo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	batod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	dorylo.exe

Executes dropped EXE 3 IoCs

Processes:

batod.exedorylo.exeowsei.exe

pid process

2476 batod.exe
5060 dorylo.exe
3428 owsei.exe

pid	process
2476	batod.exe
5060	dorylo.exe
3428	owsei.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\owsei.exe	upx
behavioral2/memory/3428-69-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/3428-73-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exebatod.exedorylo.exeowsei.exe

pid	process
3160	73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe
3160	73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe
2476	batod.exe
2476	batod.exe
5060	dorylo.exe
5060	dorylo.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe
3428	owsei.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exebatod.exedorylo.exe

description	pid	process	target process
PID 3160 wrote to memory of 2476	3160	73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe	batod.exe
PID 3160 wrote to memory of 2476	3160	73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe	batod.exe
PID 3160 wrote to memory of 2476	3160	73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe	batod.exe
PID 3160 wrote to memory of 3244	3160	73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe	cmd.exe
PID 3160 wrote to memory of 3244	3160	73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe	cmd.exe
PID 3160 wrote to memory of 3244	3160	73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe	cmd.exe
PID 2476 wrote to memory of 5060	2476	batod.exe	dorylo.exe
PID 2476 wrote to memory of 5060	2476	batod.exe	dorylo.exe
PID 2476 wrote to memory of 5060	2476	batod.exe	dorylo.exe
PID 5060 wrote to memory of 3428	5060	dorylo.exe	owsei.exe
PID 5060 wrote to memory of 3428	5060	dorylo.exe	owsei.exe
PID 5060 wrote to memory of 3428	5060	dorylo.exe	owsei.exe
PID 5060 wrote to memory of 3276	5060	dorylo.exe	cmd.exe
PID 5060 wrote to memory of 3276	5060	dorylo.exe	cmd.exe
PID 5060 wrote to memory of 3276	5060	dorylo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\73703a76038fe2122ee90b1f6d129480_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Local\Temp\batod.exe
  "C:\Users\Admin\AppData\Local\Temp\batod.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\dorylo.exe
    "C:\Users\Admin\AppData\Local\Temp\dorylo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\owsei.exe
      "C:\Users\Admin\AppData\Local\Temp\owsei.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:3276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c578f6fd049d4db8587c3b6bb5b1721f

SHA1
21db1e5d2c68731cb51c4d86c08d9516bfe0fd36

SHA256
59d851c9065b250a0f79f8fdad61b40b7befd2152c3642aad424191c9d132bfe

SHA512
1f42ee9b3f16213256443be7ecdfa8d51344896663f8780d92357bc8c4be1e41579beb98cbf4f1bda0960bee6054b16ab02c70a3b10f18dd23d01b338b47bd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
1baaa061ff356a7b895835a6ab6c73dc

SHA1
e842cc08e9a3af67e66b4f02940812c7da0b4c69

SHA256
f507bc818680114064c3331696c0eb9313fc3445381091fb431af25d6b3cb046

SHA512
3e8cb2c8889ace586c3a70a973579f17c561dafaaa26aabfd415ef1dc23d1995493479a5cb96f7e1a77d2d1e9b46e61890a650d8d0fa9a8d6b7068f94e619014

Download Submit
C:\Users\Admin\AppData\Local\Temp\batod.exe

Filesize
6.4MB

MD5
f2883c8c0372401cbd020fdacdca76cd

SHA1
1510547707c555a9b705506311553673e2600f7b

SHA256
9aba1d3a69bfc4630420d6c530c54ce61eb4c51b1ca0ce074fad66ca54072861

SHA512
fd428d6d7bd4be49c871c7c4f3e7cb2395b58ea29c38588f66156179ec3b606b77bf8f946fc393a2598f5c7b4494f22f5e5b791add683c7f612da36d185c32f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a8f1a03704e34170a926e181d34b25c4

SHA1
5a0cb4b73d96135c3506a7ab3b2e42bd019a6895

SHA256
32b0bb647d6d0e3252ac18f657a9ff89182c74f52ec1a9aaa8d082d01dd311cc

SHA512
c1ef96062923b23ebf6b5c2422afdc8ec4bc61ab52e8fc2085e10e149166c99b3b8f1fdf5416025849d8721132473115ba24c03eafd4918c79327b5ef47e75e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\owsei.exe

Filesize
459KB

MD5
cf82b957995c84c40e2484421878d68d

SHA1
55f88f7dc154dc7af9a2d1806ddf3d873e945a65

SHA256
c1c078f4fa8387cbd13fa3424a54112c748a720f992f3014199050cd474a33b6

SHA512
68d5b6c0d2a26f7df51319551e760362b5f7bb2c2b1430d98117b466519b0a7d61019e3f6a1ff9305738499d724e8b2a7dc9c80a84fe4f18cb00181112cbb1f0

Download Submit
memory/2476-28-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/2476-29-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2476-31-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2476-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2476-32-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2476-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2476-33-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2476-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3160-4-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3160-7-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3160-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3160-16-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3160-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3160-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3160-5-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3160-1-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/3160-10-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3160-6-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3160-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3160-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3160-2-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3160-3-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/3428-73-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3428-69-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/5060-51-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/5060-48-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/5060-49-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/5060-70-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5060-50-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/5060-54-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/5060-55-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads