urelas | 0560165d29ab62a1a6a66386bf33a57395e2efa2f94b3273a07b77252b1ea634

General

Target

82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe
Size

6.4MB
MD5

82cb56183bb6d08e62662fb5a5ab0800
SHA1

5340393b4887d9f594c5f48e0070e9d60b4e062d
SHA256

0560165d29ab62a1a6a66386bf33a57395e2efa2f94b3273a07b77252b1ea634
SHA512

a6f9f7b1a0f9a8af7b0e173983eba5507762bdffb6fae29c67848911c92bab448b969cf8757c4405d7020a85ac8c33f434135a32b16b39dc57e220098c2a8b17
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSM:i0LrA2kHKQHNk3og9unipQyOaOM

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2468 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

qiisz.exegezuyg.execoaqp.exe

pid process

2768 qiisz.exe
112 gezuyg.exe
832 coaqp.exe

pid	process
2468	cmd.exe

pid	process
2768	qiisz.exe
112	gezuyg.exe
832	coaqp.exe

Loads dropped DLL 5 IoCs

Processes:

82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exeqiisz.exegezuyg.exe

pid	process
1580	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe
1580	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe
2768	qiisz.exe
2768	qiisz.exe
112	gezuyg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\coaqp.exe	upx
behavioral1/memory/832-168-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/832-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exeqiisz.exegezuyg.execoaqp.exe

pid	process
1580	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe
2768	qiisz.exe
112	gezuyg.exe
832	coaqp.exe
832	coaqp.exe
832	coaqp.exe
832	coaqp.exe
832	coaqp.exe
832	coaqp.exe
832	coaqp.exe
832	coaqp.exe
832	coaqp.exe
832	coaqp.exe
832	coaqp.exe
832	coaqp.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exeqiisz.exegezuyg.exe

description	pid	process	target process
PID 1580 wrote to memory of 2768	1580	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	qiisz.exe
PID 1580 wrote to memory of 2768	1580	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	qiisz.exe
PID 1580 wrote to memory of 2768	1580	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	qiisz.exe
PID 1580 wrote to memory of 2768	1580	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	qiisz.exe
PID 1580 wrote to memory of 2468	1580	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	cmd.exe
PID 1580 wrote to memory of 2468	1580	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	cmd.exe
PID 1580 wrote to memory of 2468	1580	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	cmd.exe
PID 1580 wrote to memory of 2468	1580	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	cmd.exe
PID 2768 wrote to memory of 112	2768	qiisz.exe	gezuyg.exe
PID 2768 wrote to memory of 112	2768	qiisz.exe	gezuyg.exe
PID 2768 wrote to memory of 112	2768	qiisz.exe	gezuyg.exe
PID 2768 wrote to memory of 112	2768	qiisz.exe	gezuyg.exe
PID 112 wrote to memory of 832	112	gezuyg.exe	coaqp.exe
PID 112 wrote to memory of 832	112	gezuyg.exe	coaqp.exe
PID 112 wrote to memory of 832	112	gezuyg.exe	coaqp.exe
PID 112 wrote to memory of 832	112	gezuyg.exe	coaqp.exe
PID 112 wrote to memory of 668	112	gezuyg.exe	cmd.exe
PID 112 wrote to memory of 668	112	gezuyg.exe	cmd.exe
PID 112 wrote to memory of 668	112	gezuyg.exe	cmd.exe
PID 112 wrote to memory of 668	112	gezuyg.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\qiisz.exe
"C:\Users\Admin\AppData\Local\Temp\qiisz.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\gezuyg.exe
"C:\Users\Admin\AppData\Local\Temp\gezuyg.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:112

C:\Users\Admin\AppData\Local\Temp\coaqp.exe
"C:\Users\Admin\AppData\Local\Temp\coaqp.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
9f8c1f893599973dad883f7c0a7da44d

SHA1
1d40b10eb9afd609436242c96b18ac37212cd958

SHA256
4d69232997705aa6093cfaa6afc1aa058b243bdc8bc978f47f79dca4bd04ca98

SHA512
b716ac1b1ab21dcc89a676ee454e31586c0a00b60bc42bf48d2834f1ea7ead85aa099db58dd6149456df7b24811a10a2a2da3a679a43a1d3af13cb03ae777883

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
6328e325790d284de4a8744145403e87

SHA1
b5675e03e648338dc066b1a02f1f60e8296414f8

SHA256
7c16945f83a5e8e62f68d32e6cb33437ef00d27d5ce22ab9517163476a169e58

SHA512
fbf04f7c8e6162ddda71951586187d37b14e27b6368db85163d271ae80d5f45e5d40904ef5ac530cbdc9d3c4fc9730c071f1a7fe683b4d4016c03f57902023e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
4b8953540eb92f586a6cbae3ea14226f

SHA1
77c1f1e130578e3ce3726363b0cb4b7b61c5c035

SHA256
f49cac9189f2208fb22fb38c1c58c1c90e0777f4a8f1b7e19f19e8b9ebbd5b75

SHA512
140076b06f4fd974a4b36a787a5386ba06a271eb7b22193d1e42f26bd159629d52efeebb9afc40144f091668e4494c94a299cb4240de2e51da01343a16e50be0

Download Submit
\Users\Admin\AppData\Local\Temp\coaqp.exe
Filesize
459KB

MD5
62247672cd8bd182df8a9fbc0b826f78

SHA1
d440434eae16b6be4a6fedd9d8685d950a1052f7

SHA256
1880e54baa008e1949c2a5113184959e7a244af72d55894a81822fab204395e3

SHA512
80b5c54e9a831d25626b6bde4d91abc277fec009ff98729b6a8fa385867778c467c720a3a78d9bec79d17972e850bd9c58f00dc25e68d1c4079e90f16ea28e0b

Download Submit
\Users\Admin\AppData\Local\Temp\qiisz.exe
Filesize
6.4MB

MD5
d55ede58e5125a6a5749f7e13b5ac9b1

SHA1
9d9081f83d12695a07dfaf190044656e3ac5dec9

SHA256
dc19785d697a91b78cc0b9f45abe4fef8ab341c1b2e9136634d8ee2487493887

SHA512
f5b8ac90e0cc224854050d94cb715b52c5506fd7ffbd1ce1115631198fef16238eefcf2907f19e5132b9f53dd05bc55d5fbdaaeddc81cc8ab383be62f1008815

Download Submit
memory/112-170-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/112-159-0x0000000004800000-0x0000000004999000-memory.dmp

Filesize
1.6MB

Download
memory/832-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/832-168-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1580-59-0x0000000004250000-0x0000000004D3C000-memory.dmp

Filesize
10.9MB

Download
memory/1580-15-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1580-11-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1580-10-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1580-8-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1580-6-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1580-5-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1580-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1580-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1580-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1580-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1580-20-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1580-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1580-36-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1580-18-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1580-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1580-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1580-34-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1580-31-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1580-13-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1580-29-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1580-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1580-25-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1580-23-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2768-69-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2768-87-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2768-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2768-82-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2768-111-0x00000000043D0000-0x0000000004EBC000-memory.dmp

Filesize
10.9MB

Download
memory/2768-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2768-89-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2768-79-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2768-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2768-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2768-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2768-74-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2768-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads