urelas | 120dd0928f8dd9ca10cad3b8e80cced2fc2f5ae6aae635ba4219d04ee6e1b232

General

Target

c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe
Size

6.5MB
MD5

c6058a00cacae999a267a691fcef9440
SHA1

074272aa5d118405dba603e9e51af6ef6af065e7
SHA256

120dd0928f8dd9ca10cad3b8e80cced2fc2f5ae6aae635ba4219d04ee6e1b232
SHA512

f72c8e526e733e9da56b8d9c578e6337c2e30c493122ed8e927ebcec8f4735209f697e5667bc9f6f6a7f5fc80ceefeb459670bdde975dd25b8bef813a3a8bf53
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSd:i0LrA2kHKQHNk3og9unipQyOaOd

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	adfyg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	tucyys.exe

Executes dropped EXE 3 IoCs

pid	Process
792	adfyg.exe
4436	tucyys.exe
4348	hukov.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000002342f-64.dat	upx
behavioral2/memory/4348-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4348-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
804	c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe
804	c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe
792	adfyg.exe
792	adfyg.exe
4436	tucyys.exe
4436	tucyys.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe
4348	hukov.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 792	804	c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe	82
PID 804 wrote to memory of 792	804	c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe	82
PID 804 wrote to memory of 792	804	c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe	82
PID 804 wrote to memory of 3160	804	c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe	83
PID 804 wrote to memory of 3160	804	c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe	83
PID 804 wrote to memory of 3160	804	c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe	83
PID 792 wrote to memory of 4436	792	adfyg.exe	87
PID 792 wrote to memory of 4436	792	adfyg.exe	87
PID 792 wrote to memory of 4436	792	adfyg.exe	87
PID 4436 wrote to memory of 4348	4436	tucyys.exe	102
PID 4436 wrote to memory of 4348	4436	tucyys.exe	102
PID 4436 wrote to memory of 4348	4436	tucyys.exe	102
PID 4436 wrote to memory of 4456	4436	tucyys.exe	103
PID 4436 wrote to memory of 4456	4436	tucyys.exe	103
PID 4436 wrote to memory of 4456	4436	tucyys.exe	103

C:\Users\Admin\AppData\Local\Temp\c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c6058a00cacae999a267a691fcef9440_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\adfyg.exe
  "C:\Users\Admin\AppData\Local\Temp\adfyg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Users\Admin\AppData\Local\Temp\tucyys.exe
    "C:\Users\Admin\AppData\Local\Temp\tucyys.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\hukov.exe
      "C:\Users\Admin\AppData\Local\Temp\hukov.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9fa19097c0b3260ad4d43e9ee24c749e

SHA1
45b168f8e5d32b4e9ef3fee3f23d6f11d116f077

SHA256
769b7c1d0029b86ad1332738f1da369019e436e691e5bf0c5a1a2dffacc31601

SHA512
c7d3a5f54c8601ee755ee4c43c001080ce06718f8ac672a61474df494827fcc5885a0f130b8d83bd627d1df59b781853bb14340c8007fc1838b1d28eb021ff38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
373752cfed4c4a093273e28d5bd30f8c

SHA1
53e97af50369ac8940adb084d2de9d6851f8361e

SHA256
7c793fda2e374ca930cb7ff3f8fccff248680a4f627bce4a1242496d4a0cf3ae

SHA512
bd936fd71122007f3e22bfbc471364406fa2545da079f18769508c136af63846fdb18c40265c8beef15c59bf4e912a51a87b2b8ab005dc979577dd287d3ecea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\adfyg.exe

Filesize
6.5MB

MD5
95f7e322170251fca3543f8eb3a10b30

SHA1
7f023941b5354dc12160b4b2c3a3de3df41715e6

SHA256
4a10031a046aaf8d93bb60b6696113f16a58e3bd3634c4afbff66fafbabe9e66

SHA512
e531603116486b69533c15462756d0922c13e33a15c8a2b5f2aa699b99d067c28340c82d0e44aa16ed0f4d57caf9afce0782582cf042df3559e2057de4da70bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e4ee32682fd1b6307044ba97ac0b1848

SHA1
6b16ad8bf3ab91068fdf94002f427e3d3ed70542

SHA256
45e3d0a775e7540a9bfa5c5cb5fe08ab9b24ae33ffd1494920fcf8c43bb97211

SHA512
40461c55eeb46bdb68ec867391b761fb3395b9b58366bdb2af3d09567ad346470e0f645da39365628c86bbd785edd772c24249a7b5e5d3fa93de8c80ba70a648

Download Submit
C:\Users\Admin\AppData\Local\Temp\hukov.exe

Filesize
459KB

MD5
e37696f281d5402526bbd5cb595b131f

SHA1
1881d69ab675ea31f22a94dc2d1f3ac32e53e920

SHA256
7e745df81919e9381078a144ff2c2610b5819fbbdfc99646757c984d2df45354

SHA512
0817c1a5d758c6de107f47181686d4971f243d4069b22f9378a48bb0ba90af8f5cd638b9275cd9b6dcd02e872bc20fd84ae2361bb04092ae9dfcbefde89cab9e

Download Submit
memory/792-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/792-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/792-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/792-29-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/792-31-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/792-32-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/792-33-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/792-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/792-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/792-34-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/792-35-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/792-30-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/804-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/804-4-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/804-6-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/804-27-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/804-7-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/804-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/804-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/804-2-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/804-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/804-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/804-5-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/804-1-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/804-3-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/804-10-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4348-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4348-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4436-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4436-50-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/4436-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4436-51-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/4436-52-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing