urelas | 144113097b9b329d148501a7be994c4e4b2eb0c5f8aa197e5e58b99f7154293b

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe
Size

6.5MB
MD5

6b500846eacd59046fa9c79fce718770
SHA1

357713319a8d77551edb23c85a29fd881cf29339
SHA256

144113097b9b329d148501a7be994c4e4b2eb0c5f8aa197e5e58b99f7154293b
SHA512

3b3f2b33181c64be3976815fdf84396e037773c0b470482866496d5a08e576cbf3551c337bceca9d74e73e7bae79ba68d6ac274b2e59c04f1c8dddbb4560a3c7
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSv:i0LrA2kHKQHNk3og9unipQyOaOv

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2968	onwyx.exe
1436	lumatu.exe
3024	riduj.exe

Loads dropped DLL 5 IoCs

pid	Process
1932	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe
1932	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe
2968	onwyx.exe
2968	onwyx.exe
1436	lumatu.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015f54-155.dat	upx
behavioral1/memory/3024-168-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1436-159-0x0000000004C30000-0x0000000004DC9000-memory.dmp	upx
behavioral1/memory/3024-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1932	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe
2968	onwyx.exe
1436	lumatu.exe
3024	riduj.exe
3024	riduj.exe
3024	riduj.exe
3024	riduj.exe
3024	riduj.exe
3024	riduj.exe
3024	riduj.exe
3024	riduj.exe
3024	riduj.exe
3024	riduj.exe
3024	riduj.exe
3024	riduj.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2968	1932	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 2968	1932	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 2968	1932	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 2968	1932	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 2600	1932	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	29
PID 1932 wrote to memory of 2600	1932	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	29
PID 1932 wrote to memory of 2600	1932	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	29
PID 1932 wrote to memory of 2600	1932	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	29
PID 2968 wrote to memory of 1436	2968	onwyx.exe	31
PID 2968 wrote to memory of 1436	2968	onwyx.exe	31
PID 2968 wrote to memory of 1436	2968	onwyx.exe	31
PID 2968 wrote to memory of 1436	2968	onwyx.exe	31
PID 1436 wrote to memory of 3024	1436	lumatu.exe	34
PID 1436 wrote to memory of 3024	1436	lumatu.exe	34
PID 1436 wrote to memory of 3024	1436	lumatu.exe	34
PID 1436 wrote to memory of 3024	1436	lumatu.exe	34
PID 1436 wrote to memory of 2840	1436	lumatu.exe	35
PID 1436 wrote to memory of 2840	1436	lumatu.exe	35
PID 1436 wrote to memory of 2840	1436	lumatu.exe	35
PID 1436 wrote to memory of 2840	1436	lumatu.exe	35

C:\Users\Admin\AppData\Local\Temp\6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\onwyx.exe
  "C:\Users\Admin\AppData\Local\Temp\onwyx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\lumatu.exe
    "C:\Users\Admin\AppData\Local\Temp\lumatu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\riduj.exe
      "C:\Users\Admin\AppData\Local\Temp\riduj.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
26f7ceb2e823c9354c157c00b7fa662b

SHA1
6ad9dfaedfcb228fef9dd7bcf137cd6b0c1fd8c1

SHA256
cdd2e73f8cb4dc224ec0d1253a4c21cd69bcab4f8e6a1524d76bc348f21b7622

SHA512
9f447c4b2a52feac280ab8fa4b4bc59e0b801c342b1345ede935f92dda95a272859b4b412c73fb5bab085ea2ee517400ef88bbdf59e437bef4a39f303dc1825a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
2193a22d168154bb12911bfa33c6bb83

SHA1
1ac62a4a250c99af18c692f423292f97c86e86f8

SHA256
026c08121b9fd2bc71f790cc9b49c2e50bb0522ccf3fc9d6c823fa50b5dff8d2

SHA512
f4953ec27a8ae2005d8bfd3f607e498a13b654672b369ddb46e87f4e2af423cf3a4f25e950c96ad5a1554fd130830c8ba40a8b105cb34d8570e675db1f626186

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6d3aabbf795f50e96dfb0d6eabe6a038

SHA1
f8c464211dbf4412ee3a5b4dd504eac1a4b2ee70

SHA256
10607f0acb791ab99ba1f0e5752bd9703f588cd9c20c7b36e26818c3c164d492

SHA512
187fb27934768bd80ba735eec7dc7e56d65f6b1ebeaf7dbc965373d8044bd5f90654c71e6fbbbde94348c33d0ff98297a89aa06a1c2d488fd637a075dde2de70

Download Submit
C:\Users\Admin\AppData\Local\Temp\onwyx.exe

Filesize
6.5MB

MD5
e9eb5ae44d6aa8a34c91a8bb5d3551e8

SHA1
64972bb42cdc7f775f58ea8d42be5aa64ac2c1b2

SHA256
0c102d3f62d85b7726967652ab1cc57b4a84867f447cf81900781eaac058dfff

SHA512
492c835e89ba0cc8a16b1f756e01fa90f3c3008e27699edad08e572d82fd14533aad868b723c647fe3a3e69de17b424cab0f087cee6ce0b505a089df781864f4

Download Submit
\Users\Admin\AppData\Local\Temp\riduj.exe

Filesize
459KB

MD5
3ee372e9696e4174716a6b304b6b783c

SHA1
122a202973a0fd6297378f769bab4c681d62f0e2

SHA256
cc1fed1a3494afaf70ddfc8bb9dbbedd1f19fc48b74b4796dcfed958dc32c665

SHA512
c93ac06a2fccd161d9a16212cab13af72f936a616b7d5a1a1c26ebffca765263334cd5fd547d59cdafef6b36a7305e39f5029a52b22c275fac4cfc9b37b1723d

Download Submit
memory/1436-170-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1436-159-0x0000000004C30000-0x0000000004DC9000-memory.dmp

Filesize
1.6MB

Download
memory/1932-53-0x0000000004270000-0x0000000004D5C000-memory.dmp

Filesize
10.9MB

Download
memory/1932-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1932-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1932-40-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1932-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1932-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1932-33-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1932-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1932-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1932-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1932-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1932-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1932-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1932-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1932-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1932-60-0x0000000004270000-0x0000000004D5C000-memory.dmp

Filesize
10.9MB

Download
memory/1932-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1932-62-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1932-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1932-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1932-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1932-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1932-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1932-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1932-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2968-102-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2968-78-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2968-76-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2968-73-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2968-71-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2968-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2968-81-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2968-83-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2968-86-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2968-88-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2968-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3024-168-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3024-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download