urelas | c6bbd277210057f12b0d9700407c1573251dc91e1c01ee438f21b5a8c529391c

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e7da504948327887438dd940b242f90_NeikiAnalytics.exe
Size

6.5MB
MD5

9e7da504948327887438dd940b242f90
SHA1

fc170a26f94589859fbf610b95a21b6ed50d390e
SHA256

c6bbd277210057f12b0d9700407c1573251dc91e1c01ee438f21b5a8c529391c
SHA512

211883a8009a2055ca3bf1042b2c97b2d88d465c853a107dfe4020f3486af3b74432a037fb25999f84351fae47afbac15b6233213904b72e34fa4f9b0489a862
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSU:i0LrA2kHKQHNk3og9unipQyOaOU

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2656 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

ekutg.exetohila.exedylag.exe

pid process

2696 ekutg.exe
2724 tohila.exe
1140 dylag.exe

pid	process
2656	cmd.exe

pid	process
2696	ekutg.exe
2724	tohila.exe
1140	dylag.exe

Loads dropped DLL 5 IoCs

Processes:

9e7da504948327887438dd940b242f90_NeikiAnalytics.exeekutg.exetohila.exe

pid	process
1728	9e7da504948327887438dd940b242f90_NeikiAnalytics.exe
1728	9e7da504948327887438dd940b242f90_NeikiAnalytics.exe
2696	ekutg.exe
2696	ekutg.exe
2724	tohila.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\dylag.exe	upx
behavioral1/memory/1140-169-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1140-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

9e7da504948327887438dd940b242f90_NeikiAnalytics.exeekutg.exetohila.exedylag.exe

pid	process
1728	9e7da504948327887438dd940b242f90_NeikiAnalytics.exe
2696	ekutg.exe
2724	tohila.exe
1140	dylag.exe
1140	dylag.exe
1140	dylag.exe
1140	dylag.exe
1140	dylag.exe
1140	dylag.exe
1140	dylag.exe
1140	dylag.exe
1140	dylag.exe
1140	dylag.exe
1140	dylag.exe
1140	dylag.exe
1140	dylag.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9e7da504948327887438dd940b242f90_NeikiAnalytics.exeekutg.exetohila.exe

description	pid	process	target process
PID 1728 wrote to memory of 2696	1728	9e7da504948327887438dd940b242f90_NeikiAnalytics.exe	ekutg.exe
PID 1728 wrote to memory of 2696	1728	9e7da504948327887438dd940b242f90_NeikiAnalytics.exe	ekutg.exe
PID 1728 wrote to memory of 2696	1728	9e7da504948327887438dd940b242f90_NeikiAnalytics.exe	ekutg.exe
PID 1728 wrote to memory of 2696	1728	9e7da504948327887438dd940b242f90_NeikiAnalytics.exe	ekutg.exe
PID 1728 wrote to memory of 2656	1728	9e7da504948327887438dd940b242f90_NeikiAnalytics.exe	cmd.exe
PID 1728 wrote to memory of 2656	1728	9e7da504948327887438dd940b242f90_NeikiAnalytics.exe	cmd.exe
PID 1728 wrote to memory of 2656	1728	9e7da504948327887438dd940b242f90_NeikiAnalytics.exe	cmd.exe
PID 1728 wrote to memory of 2656	1728	9e7da504948327887438dd940b242f90_NeikiAnalytics.exe	cmd.exe
PID 2696 wrote to memory of 2724	2696	ekutg.exe	tohila.exe
PID 2696 wrote to memory of 2724	2696	ekutg.exe	tohila.exe
PID 2696 wrote to memory of 2724	2696	ekutg.exe	tohila.exe
PID 2696 wrote to memory of 2724	2696	ekutg.exe	tohila.exe
PID 2724 wrote to memory of 1140	2724	tohila.exe	dylag.exe
PID 2724 wrote to memory of 1140	2724	tohila.exe	dylag.exe
PID 2724 wrote to memory of 1140	2724	tohila.exe	dylag.exe
PID 2724 wrote to memory of 1140	2724	tohila.exe	dylag.exe
PID 2724 wrote to memory of 448	2724	tohila.exe	cmd.exe
PID 2724 wrote to memory of 448	2724	tohila.exe	cmd.exe
PID 2724 wrote to memory of 448	2724	tohila.exe	cmd.exe
PID 2724 wrote to memory of 448	2724	tohila.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9e7da504948327887438dd940b242f90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e7da504948327887438dd940b242f90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\ekutg.exe
"C:\Users\Admin\AppData\Local\Temp\ekutg.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\tohila.exe
"C:\Users\Admin\AppData\Local\Temp\tohila.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\dylag.exe
"C:\Users\Admin\AppData\Local\Temp\dylag.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
ffea2efd18a29653e48b1acb95e2a070

SHA1
1009c78a68efaa34cf206535ea578f53383a4e13

SHA256
69f3fd72a72b3b0fcb33eb54a6ba94f90cc1b65e030c249c67fb4eb6f0f95c9c

SHA512
add99884372055ca52a3a8c607f7b62783f8bfbf99a21ac48382bad1611576079cb5bba6711f7f670754dd1b13242f26f76c610e88a409f0f6687280851bff42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a6b30500fb174ccfc632f67210cec8e2

SHA1
b8b9e2126592d3cc1d84b55f243646d9e236afd1

SHA256
419b28765f51d96e6fc7024a750aebfa33361cbc13a635db623150b2c1fcd1bf

SHA512
42e1fe10173d262834a2d3c00949640a840e4b17fc38d4d63a90eb5b129a6172ee1cdfd99be0fcb5d3db4316bd915223233f866f1c593e357121bd703d86e8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
01971f24b6d1b83d1a8447bb539499c9

SHA1
515573dc7d757e3cbdfa51f7ff7d8a3f04d29be0

SHA256
749496a6b63f0c4e143ca1a3fc20997cf5f354b4cb940875d225e49beaf2e015

SHA512
4c801d62064acce3e18d47f136f73a4c9d725f8bef6acaa2389a01681a1c7e738dff77dad0cb788904b06249dde959dc1fe089ba197455828e6787c1e3c72737

Download Submit
\Users\Admin\AppData\Local\Temp\dylag.exe

Filesize
459KB

MD5
ee10ee1f9fc840586e119c41b5ae6938

SHA1
b681ff647662d60206772fc5909991600e223ce8

SHA256
13747b02ffe1c05942abb65593494acfb5219b351b43c7a6193bc365e7064c9d

SHA512
072ac3b13ea0d593e359ffdf04225b8650a03986307cc700a58cdbc8eb7af5709e3560908f1ba163f6457ae09c2a85a4c81d54d04a9f9ab972a7056254406032

Download Submit
\Users\Admin\AppData\Local\Temp\ekutg.exe

Filesize
6.5MB

MD5
e458b4aae590dd6393eee64954997206

SHA1
6a5f566e0fbd6c49b4de295a45a1d08ece7eaa4c

SHA256
76e99ec7138d49fcbb2164786e30c23c826a9494cb9869824945b2a8c30edfcf

SHA512
9b789d064fe97fd1bfcb7283aebd68b6166e09ffe0f2b7ce8304e504c9b6be396f2ec6b06375435d31d379ff663fb9a672d8a436092b39e21d38329e07161665

Download Submit
memory/1140-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1140-169-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1728-64-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1728-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1728-23-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1728-20-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1728-18-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1728-15-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1728-13-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1728-11-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1728-28-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1728-10-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1728-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1728-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1728-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1728-30-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1728-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1728-60-0x00000000040E0000-0x0000000004BCC000-memory.dmp

Filesize
10.9MB

Download
memory/1728-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1728-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1728-61-0x00000000040E0000-0x0000000004BCC000-memory.dmp

Filesize
10.9MB

Download
memory/1728-25-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1728-35-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1728-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1728-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1728-38-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1728-33-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2696-68-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2696-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2696-78-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2696-75-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2696-73-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2696-70-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2696-80-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2696-83-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-88-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2696-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2696-85-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2696-90-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2724-168-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2724-159-0x00000000046D0000-0x0000000004869000-memory.dmp

Filesize
1.6MB

Download