urelas | 92c1e8cd4c189dd0f3670de1facbd3b10db0a1696fce4f7f328c2adc37961fc6

General

Target

5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe
Size

6.4MB
MD5

5beb5c1df539fdefc47491e06b7c6510
SHA1

fe79e82fa0bc860454fd6c0721fc7c117b7cf23c
SHA256

92c1e8cd4c189dd0f3670de1facbd3b10db0a1696fce4f7f328c2adc37961fc6
SHA512

04edbfdd82b7ffcbd7471b7ac5c2da29c947a74848c7d87b6003576a5da43a84072aad72c2ec9d9b08f8c6004f7a6b8bbfb111611209d4b495a8150903cf30f3
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSc:i0LrA2kHKQHNk3og9unipQyOaOc

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exetafuo.execugeij.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	tafuo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	cugeij.exe

Executes dropped EXE 3 IoCs

Processes:

tafuo.execugeij.exeywtuz.exe

pid process

976 tafuo.exe
3048 cugeij.exe
836 ywtuz.exe

pid	process
976	tafuo.exe
3048	cugeij.exe
836	ywtuz.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ywtuz.exe	upx
behavioral2/memory/836-69-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/836-73-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/836-77-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exetafuo.execugeij.exeywtuz.exe

pid	process
1444	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe
1444	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe
976	tafuo.exe
976	tafuo.exe
3048	cugeij.exe
3048	cugeij.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe
836	ywtuz.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exetafuo.execugeij.exe

description	pid	process	target process
PID 1444 wrote to memory of 976	1444	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	tafuo.exe
PID 1444 wrote to memory of 976	1444	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	tafuo.exe
PID 1444 wrote to memory of 976	1444	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	tafuo.exe
PID 1444 wrote to memory of 5056	1444	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	cmd.exe
PID 1444 wrote to memory of 5056	1444	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	cmd.exe
PID 1444 wrote to memory of 5056	1444	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	cmd.exe
PID 976 wrote to memory of 3048	976	tafuo.exe	cugeij.exe
PID 976 wrote to memory of 3048	976	tafuo.exe	cugeij.exe
PID 976 wrote to memory of 3048	976	tafuo.exe	cugeij.exe
PID 3048 wrote to memory of 836	3048	cugeij.exe	ywtuz.exe
PID 3048 wrote to memory of 836	3048	cugeij.exe	ywtuz.exe
PID 3048 wrote to memory of 836	3048	cugeij.exe	ywtuz.exe
PID 3048 wrote to memory of 4556	3048	cugeij.exe	cmd.exe
PID 3048 wrote to memory of 4556	3048	cugeij.exe	cmd.exe
PID 3048 wrote to memory of 4556	3048	cugeij.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\tafuo.exe
"C:\Users\Admin\AppData\Local\Temp\tafuo.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\cugeij.exe
"C:\Users\Admin\AppData\Local\Temp\cugeij.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\ywtuz.exe
"C:\Users\Admin\AppData\Local\Temp\ywtuz.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:5056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
a8165f163d9ab545285de169675344b2

SHA1
db50944f989467d57346d14239d7831bc9b1937e

SHA256
571ed356a8cbd6ee680de68bc353b8991889386be6bb80467cb2a7d44873cc46

SHA512
9cd0b4fbd131a7dc3d46bef2ea813dec1663d0ea2a3ed27410ec17e6adaf1f175a037d940067d8469acdfc26f6a73ba5952d28839afdee9339f14ad491767e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
9ff05c79e3093a73515d3d3d74401080

SHA1
bfad4fd653abd32d6bfdaaf0050ec88ff6f429f0

SHA256
1b650111f3d6531024769061832a28101ffbe0b4b113a79437a63b74e1eac311

SHA512
45c17e144020c638e796ab243ee98649ba2d14695af47afba4171fb395a3b5e39214796cfd5c7afefefa8d18175539823df4a440f6becf526403fb1943bceef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
f58b9de5a02d58182475066fd9132bde

SHA1
968576c2df315d823b218f2bf5a2672b90744ac2

SHA256
ea8fab7cb692ff54691746b8998bcdd5eb0550a2f33d5da35dc9ed3e58c4e794

SHA512
9ed5d81acb54498e3e2a0d8ab46161d0848a14bbb61a0ff02a55892c56a2fe394c05f8fae39bc7fdb3146e26cf70cab9f0f755527ebd808a93c8fa8d3909837e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tafuo.exe
Filesize
6.4MB

MD5
951cf5294eb9426b80821690b85b4513

SHA1
e8656e8d3f801a7a4cbec34eac3e8db5a8c8cb4c

SHA256
45d41442de5f32479ecbfbde8497e5283cd105779c99ea9918e1eb6b49728024

SHA512
242a8fb1400e65885336377ae37e73e2d6dcc13968c251354d0f81d9069dee2d24e539938970b048052fb36a516fe93d5c1b6c475cfea49a9803ef9be2755b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywtuz.exe
Filesize
459KB

MD5
20b87a2a3dff99f9eee4879e74e96c35

SHA1
65420920085926a32407f17798244588febd1829

SHA256
2b8254e98294926d8d4f2cf4d84f79046dd8368e2b41ecc5c8cb068a93174162

SHA512
e334cfe5de96df551c69ce6e45afca72b0aa9d9863cc3aec2a1656ecfb5b8b8d5f1df1aabcb630cb909f4391dffbaf88f4a6c5244e3c5f0c5496570c82e82d8a

Download Submit
memory/836-69-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/836-73-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/836-77-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/976-28-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/976-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/976-29-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/976-27-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/976-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/976-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/976-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/976-33-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/976-32-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/976-31-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/976-30-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1444-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1444-6-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1444-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1444-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1444-1-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1444-2-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/1444-4-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/1444-3-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/1444-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1444-9-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1444-7-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/1444-25-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1444-5-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/3048-49-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/3048-48-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/3048-50-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/3048-51-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/3048-70-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3048-52-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/3048-55-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3048-54-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3048-53-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads