urelas | 0560165d29ab62a1a6a66386bf33a57395e2efa2f94b3273a07b77252b1ea634

General

Target

82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe
Size

6.4MB
MD5

82cb56183bb6d08e62662fb5a5ab0800
SHA1

5340393b4887d9f594c5f48e0070e9d60b4e062d
SHA256

0560165d29ab62a1a6a66386bf33a57395e2efa2f94b3273a07b77252b1ea634
SHA512

a6f9f7b1a0f9a8af7b0e173983eba5507762bdffb6fae29c67848911c92bab448b969cf8757c4405d7020a85ac8c33f434135a32b16b39dc57e220098c2a8b17
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSM:i0LrA2kHKQHNk3og9unipQyOaOM

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xuryke.exe82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exeripoi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	xuryke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ripoi.exe

Executes dropped EXE 3 IoCs

Processes:

ripoi.exexuryke.exeyqjow.exe

pid process

4368 ripoi.exe
1288 xuryke.exe
2424 yqjow.exe

pid	process
4368	ripoi.exe
1288	xuryke.exe
2424	yqjow.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\yqjow.exe	upx
behavioral2/memory/2424-67-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2424-73-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exeripoi.exexuryke.exeyqjow.exe

pid	process
1512	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe
1512	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe
4368	ripoi.exe
4368	ripoi.exe
1288	xuryke.exe
1288	xuryke.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe
2424	yqjow.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exeripoi.exexuryke.exe

description	pid	process	target process
PID 1512 wrote to memory of 4368	1512	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	ripoi.exe
PID 1512 wrote to memory of 4368	1512	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	ripoi.exe
PID 1512 wrote to memory of 4368	1512	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	ripoi.exe
PID 1512 wrote to memory of 1224	1512	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	cmd.exe
PID 1512 wrote to memory of 1224	1512	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	cmd.exe
PID 1512 wrote to memory of 1224	1512	82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe	cmd.exe
PID 4368 wrote to memory of 1288	4368	ripoi.exe	xuryke.exe
PID 4368 wrote to memory of 1288	4368	ripoi.exe	xuryke.exe
PID 4368 wrote to memory of 1288	4368	ripoi.exe	xuryke.exe
PID 1288 wrote to memory of 2424	1288	xuryke.exe	yqjow.exe
PID 1288 wrote to memory of 2424	1288	xuryke.exe	yqjow.exe
PID 1288 wrote to memory of 2424	1288	xuryke.exe	yqjow.exe
PID 1288 wrote to memory of 3420	1288	xuryke.exe	cmd.exe
PID 1288 wrote to memory of 3420	1288	xuryke.exe	cmd.exe
PID 1288 wrote to memory of 3420	1288	xuryke.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\82cb56183bb6d08e62662fb5a5ab0800_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\ripoi.exe
"C:\Users\Admin\AppData\Local\Temp\ripoi.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Local\Temp\xuryke.exe
"C:\Users\Admin\AppData\Local\Temp\xuryke.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\yqjow.exe
"C:\Users\Admin\AppData\Local\Temp\yqjow.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
30661fa101e77991863fa0ff6bb398ff

SHA1
cde0cb7b50e497395300b3a0c4c2a97a891fa8f7

SHA256
661d5bfa8238490a18bdd9f6fe5a220afa76b5f8f082ed4a59234a0693a583b8

SHA512
cd140544553f07401bf2c330c96c8c239a108527c7aa73f22fb3e3f73c73a9ae0f89fbd6ba8a3a75694bc36495494a971da356b048f96b8197afb3f7700c1d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
6328e325790d284de4a8744145403e87

SHA1
b5675e03e648338dc066b1a02f1f60e8296414f8

SHA256
7c16945f83a5e8e62f68d32e6cb33437ef00d27d5ce22ab9517163476a169e58

SHA512
fbf04f7c8e6162ddda71951586187d37b14e27b6368db85163d271ae80d5f45e5d40904ef5ac530cbdc9d3c4fc9730c071f1a7fe683b4d4016c03f57902023e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
e41be393d9a19695d0e3d1303e9e253f

SHA1
73a92119baa956ebc1f701f442e9c1491a413be7

SHA256
f64fcbe3425c03b1a314f78854163dfd65b47b40c482dd495ca0b12a9350a8de

SHA512
9a79f54ae1f52b06d033e2a024301c1cd4fde8273c652ffcdaceaedb210a7fb22deef43f347058d02cf0b9c95af75358df6b659bb2247c796464a9119afdd918

Download Submit
C:\Users\Admin\AppData\Local\Temp\ripoi.exe
Filesize
6.4MB

MD5
bc41509c90934ed0f6abb94f4b451ce7

SHA1
371f15617ef3eaf0b43a9cbc344575b3a3ec84c0

SHA256
74289823a7b4973f44fefb402cc8eeab9906735481501692cb3f12c50efa2cc1

SHA512
eaa7cba0f24a93aa12c0c53023038a11e8dc9562642c96bae89afbf62e808537d333b96ae4580b2c4f879dccef2a1e2403b1f747287b4aeffa4c21901c94db38

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqjow.exe
Filesize
459KB

MD5
810ae66bfd31bb48b8362455a0435a40

SHA1
8321d330a453bb0f161e480e253e44084544b09b

SHA256
40c5ce1e57dc186a4e8fa5c34c1f5a913ff0fc30cf807084aba11704889b906a

SHA512
dbb5b21c7aa8e4e7fbf5ecedfdf2c98faf02d89a871090aae56240adbfa56b1b453ba714611402803d5966571c0022beec5955ca661ca80fc987784afde1cf8e

Download Submit
memory/1288-70-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1288-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1288-52-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/1288-48-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1288-50-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/1512-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1512-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1512-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1512-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1512-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1512-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1512-2-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/1512-3-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1512-1-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/1512-4-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/1512-10-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1512-5-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/1512-7-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1512-6-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/2424-67-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2424-73-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4368-34-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4368-46-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4368-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4368-28-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/4368-29-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/4368-30-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4368-31-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/4368-33-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/4368-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads