urelas | c11b1ccb8428e967efc34c32031d23e6c6960422d39377396db0bc9136a01e66

General

Target

5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe
Size

7.3MB
MD5

5ecc4b72ae29ba43b7a1dd52d1eb4510
SHA1

05b27558789248a7c82074b12ee737ccace352af
SHA256

c11b1ccb8428e967efc34c32031d23e6c6960422d39377396db0bc9136a01e66
SHA512

ccaec3173d699aaa1637115f7d86045fc943b28e5d035e5771d6a7b6e497baec37b15eaff40ab7d44af47eb05087eb7d55937e67beffe4894793bb0d7fbd5369
SSDEEP

196608:iMJpb81WbBl+svga7KKr2M1Vnggq4dBpEm1O:DQxsvV7KoT1VpImo

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2052 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

nepos.exenyvih.exe

pid process

2540 nepos.exe
1312 nyvih.exe
Loads dropped DLL 2 IoCs

Processes:

5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exenepos.exe

pid process

1308 5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe
2540 nepos.exe

pid	process
2052	cmd.exe

pid	process
2540	nepos.exe
1312	nyvih.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nyvih.exe	upx
behavioral1/memory/1312-110-0x0000000001050000-0x0000000001107000-memory.dmp	upx
behavioral1/memory/1312-116-0x0000000001050000-0x0000000001107000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exenepos.exenyvih.exe

pid	process
1308	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe
2540	nepos.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe
1312	nyvih.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exenepos.exe

description	pid	process	target process
PID 1308 wrote to memory of 2540	1308	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	nepos.exe
PID 1308 wrote to memory of 2540	1308	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	nepos.exe
PID 1308 wrote to memory of 2540	1308	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	nepos.exe
PID 1308 wrote to memory of 2540	1308	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	nepos.exe
PID 1308 wrote to memory of 2052	1308	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	cmd.exe
PID 1308 wrote to memory of 2052	1308	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	cmd.exe
PID 1308 wrote to memory of 2052	1308	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	cmd.exe
PID 1308 wrote to memory of 2052	1308	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	cmd.exe
PID 2540 wrote to memory of 1312	2540	nepos.exe	nyvih.exe
PID 2540 wrote to memory of 1312	2540	nepos.exe	nyvih.exe
PID 2540 wrote to memory of 1312	2540	nepos.exe	nyvih.exe
PID 2540 wrote to memory of 1312	2540	nepos.exe	nyvih.exe

C:\Users\Admin\AppData\Local\Temp\5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\nepos.exe
"C:\Users\Admin\AppData\Local\Temp\nepos.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\nyvih.exe
"C:\Users\Admin\AppData\Local\Temp\nyvih.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
ba143e3cdd3287aec8c6fd7af43e785a

SHA1
5f3fa02b4da81e430f108b5052353f5156428427

SHA256
19271fe04b2fdc17c9885ae58db8dc1ade733f9aa030bd24613f10dfb0b16045

SHA512
6c2ca0132b36b0270fe0d49b61a0a3a06b23b8030e55336967b4d7d7d72e7afb2521bd7bc1dd0c8610346424d9b03cb1d8aa0d1e644e05448eb726acbeac96a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
fb9cbf2b9a199601e9cfafeb75cb39d7

SHA1
8e00e43e6bc20cc97b6ad46adbef150bf52fe948

SHA256
08d08fd1decc23c03b0b6c5eb3a92533cbce1affc3f6864bfd8396269a2bd906

SHA512
204aeb4cb8ec448dda229740d9f1f55808914c9f25aed24705faec127dd20fb91681359f15a68cba0d1489b1626c2b2379800ac1e3903cf51fb532ad723cfd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\nepos.exe
Filesize
7.3MB

MD5
a4a177ff3635311da0ae9d87de7482d5

SHA1
7c31516421f5407b0920d8a60ad60c0e618cc078

SHA256
a15dae406222d5b47c71304e30e493455ddb1082a165ca7a6ec9da7e2c67f8c2

SHA512
c5b8d3a6044b73425735f0124c65b635fbea4c6bd7502d0bd87864fef1b586a9ceef9e8ea9682405358b39ba04c39ff1e12f72fcac684028dea9ce690ac390e5

Download Submit
\Users\Admin\AppData\Local\Temp\nepos.exe
Filesize
7.3MB

MD5
b3375960eba6674e0f5925dafdcf4e12

SHA1
60162c5e343817eae50ad12ddf0224c7e171c191

SHA256
37e624c49fef9686bef8b8c0a1a8a85a03ab174bc111e3f83705c07a32ba5712

SHA512
3b23f3c2cb04a2b2dae8db146da4cfd24033391e353f6d467ecca1a809f890b8bbbf5cf458cd7e931dcb6d8baabf2956b91cb4c82303742c37df6c907b2f9cc1

Download Submit
\Users\Admin\AppData\Local\Temp\nyvih.exe
Filesize
226KB

MD5
5fa297dd1f9fa49054ff607756baf5c0

SHA1
0340ad4de77f5884e961128d8e8720293aec7e16

SHA256
cd9ba4254110db13b60b7629e20c77f8634d7328acc434da3e283859b719c148

SHA512
61eb7e5116ae34c2e93e4acb030e03baa607be80828d33de7bf3c1bd7388345e538e71b594ffbb4aa29cd25369a1e33e4af12e41c7904f09b8ba6022c77627c2

Download Submit
memory/1308-15-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1308-24-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1308-26-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1308-59-0x00000000003C0000-0x0000000000F9A000-memory.dmp

Filesize
11.9MB

Download
memory/1308-21-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1308-19-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1308-16-0x0000000000449000-0x0000000000858000-memory.dmp

Filesize
4.1MB

Download
memory/1308-0-0x00000000003C0000-0x0000000000F9A000-memory.dmp

Filesize
11.9MB

Download
memory/1308-13-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1308-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1308-10-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1308-8-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1308-5-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1308-3-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1308-1-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1308-36-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1308-31-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1308-49-0x0000000003F50000-0x0000000004B2A000-memory.dmp

Filesize
11.9MB

Download
memory/1308-34-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1308-39-0x00000000003C0000-0x0000000000F9A000-memory.dmp

Filesize
11.9MB

Download
memory/1308-6-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1308-29-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1308-40-0x00000000003C0000-0x0000000000F9A000-memory.dmp

Filesize
11.9MB

Download
memory/1308-100-0x0000000000449000-0x0000000000858000-memory.dmp

Filesize
4.1MB

Download
memory/1312-116-0x0000000001050000-0x0000000001107000-memory.dmp

Filesize
732KB

Download
memory/1312-110-0x0000000001050000-0x0000000001107000-memory.dmp

Filesize
732KB

Download
memory/2540-112-0x0000000000CB0000-0x000000000188A000-memory.dmp

Filesize
11.9MB

Download
memory/2540-102-0x0000000000CB0000-0x000000000188A000-memory.dmp

Filesize
11.9MB

Download
memory/2540-72-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2540-69-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2540-80-0x0000000000D39000-0x0000000001148000-memory.dmp

Filesize
4.1MB

Download
memory/2540-83-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2540-77-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2540-67-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2540-51-0x0000000000CB0000-0x000000000188A000-memory.dmp

Filesize
11.9MB

Download
memory/2540-74-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2540-85-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2540-108-0x0000000004780000-0x0000000004837000-memory.dmp

Filesize
732KB

Download
memory/2540-98-0x0000000000CB0000-0x000000000188A000-memory.dmp

Filesize
11.9MB

Download
memory/2540-111-0x0000000000D39000-0x0000000001148000-memory.dmp

Filesize
4.1MB

Download
memory/2540-62-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2540-79-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2540-64-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads