urelas | c11b1ccb8428e967efc34c32031d23e6c6960422d39377396db0bc9136a01e66

General

Target

5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe
Size

7.3MB
MD5

5ecc4b72ae29ba43b7a1dd52d1eb4510
SHA1

05b27558789248a7c82074b12ee737ccace352af
SHA256

c11b1ccb8428e967efc34c32031d23e6c6960422d39377396db0bc9136a01e66
SHA512

ccaec3173d699aaa1637115f7d86045fc943b28e5d035e5771d6a7b6e497baec37b15eaff40ab7d44af47eb05087eb7d55937e67beffe4894793bb0d7fbd5369
SSDEEP

196608:iMJpb81WbBl+svga7KKr2M1Vnggq4dBpEm1O:DQxsvV7KoT1VpImo

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exeucryu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ucryu.exe

Executes dropped EXE 2 IoCs

Processes:

ucryu.exetumyw.exe

pid process

732 ucryu.exe
4060 tumyw.exe

pid	process
732	ucryu.exe
4060	tumyw.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tumyw.exe	upx
behavioral2/memory/4060-51-0x0000000000310000-0x00000000003C7000-memory.dmp	upx
behavioral2/memory/4060-55-0x0000000000310000-0x00000000003C7000-memory.dmp	upx
behavioral2/memory/4060-56-0x0000000000310000-0x00000000003C7000-memory.dmp	upx
behavioral2/memory/4060-57-0x0000000000310000-0x00000000003C7000-memory.dmp	upx
behavioral2/memory/4060-58-0x0000000000310000-0x00000000003C7000-memory.dmp	upx
behavioral2/memory/4060-59-0x0000000000310000-0x00000000003C7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exeucryu.exetumyw.exe

pid	process
3808	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe
3808	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe
732	ucryu.exe
732	ucryu.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe
4060	tumyw.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exeucryu.exe

description	pid	process	target process
PID 3808 wrote to memory of 732	3808	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	ucryu.exe
PID 3808 wrote to memory of 732	3808	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	ucryu.exe
PID 3808 wrote to memory of 732	3808	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	ucryu.exe
PID 3808 wrote to memory of 5064	3808	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	cmd.exe
PID 3808 wrote to memory of 5064	3808	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	cmd.exe
PID 3808 wrote to memory of 5064	3808	5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe	cmd.exe
PID 732 wrote to memory of 4060	732	ucryu.exe	tumyw.exe
PID 732 wrote to memory of 4060	732	ucryu.exe	tumyw.exe
PID 732 wrote to memory of 4060	732	ucryu.exe	tumyw.exe

C:\Users\Admin\AppData\Local\Temp\5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5ecc4b72ae29ba43b7a1dd52d1eb4510_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\ucryu.exe
"C:\Users\Admin\AppData\Local\Temp\ucryu.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\tumyw.exe
"C:\Users\Admin\AppData\Local\Temp\tumyw.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:5064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
ba143e3cdd3287aec8c6fd7af43e785a

SHA1
5f3fa02b4da81e430f108b5052353f5156428427

SHA256
19271fe04b2fdc17c9885ae58db8dc1ade733f9aa030bd24613f10dfb0b16045

SHA512
6c2ca0132b36b0270fe0d49b61a0a3a06b23b8030e55336967b4d7d7d72e7afb2521bd7bc1dd0c8610346424d9b03cb1d8aa0d1e644e05448eb726acbeac96a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
25b70f89c041ea33515b9044120878d1

SHA1
62cd0035ea9b38fc4fd27848dd452a314dec4cca

SHA256
b9c7a41aa33ce2530adc23a5debb03c64d669653a286d8aab396f43670a8c669

SHA512
119f7e003d4bb2f2fccd188ffb0f8052bfa5c40ebb667b5a483b069b35778452400ff19ec7051caed3b1ba43eddde3e3fa012600031376d7cb1a7b61834c3e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tumyw.exe
Filesize
226KB

MD5
e9b881cfe8082d8fbbb9a17c51db801f

SHA1
0a98f1e2a7c8589b2974a678622b419f39f7bb90

SHA256
73578970df15f0c4e9c995f09c6ddd95fcf510a0cbe59fca074fc0a0776db84b

SHA512
e85f9b1eb49511a0306aee6edbac98cd64a07151ad0a4c32840b0699f5ab22b18410147eda90e7a905e9c073affe0d0f8563b6d87140f6c3e71e12a5d028bb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucryu.exe
Filesize
7.3MB

MD5
43a5882ea41c2432e578f2d093662416

SHA1
4f0b8e68a196f863cdf96f5a6e0911e0242b06c6

SHA256
c6c11e50f26ff125551e8c1a47fbe00974717b9474ed126c920382fc7dd1b78f

SHA512
fbcaa03c939df2401bd4ec3d69917a0d5730e06a22605c8845ac35885ea633e813f266b3603307b7d4895ad99d4254b16febd5942ccde668afb587c176b69273

Download Submit
memory/732-41-0x0000000000BF9000-0x0000000001008000-memory.dmp

Filesize
4.1MB

Download
memory/732-34-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/732-53-0x0000000000BF9000-0x0000000001008000-memory.dmp

Filesize
4.1MB

Download
memory/732-52-0x0000000000B70000-0x000000000174A000-memory.dmp

Filesize
11.9MB

Download
memory/732-42-0x0000000000B70000-0x000000000174A000-memory.dmp

Filesize
11.9MB

Download
memory/732-39-0x0000000000B70000-0x000000000174A000-memory.dmp

Filesize
11.9MB

Download
memory/732-29-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/732-30-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/732-23-0x0000000000B70000-0x000000000174A000-memory.dmp

Filesize
11.9MB

Download
memory/732-31-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/732-32-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/732-33-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/732-37-0x0000000000B70000-0x000000000174A000-memory.dmp

Filesize
11.9MB

Download
memory/732-36-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/732-35-0x0000000000BF9000-0x0000000001008000-memory.dmp

Filesize
4.1MB

Download
memory/3808-26-0x00000000002A0000-0x0000000000E7A000-memory.dmp

Filesize
11.9MB

Download
memory/3808-11-0x00000000002A0000-0x0000000000E7A000-memory.dmp

Filesize
11.9MB

Download
memory/3808-27-0x0000000000329000-0x0000000000738000-memory.dmp

Filesize
4.1MB

Download
memory/3808-5-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/3808-6-0x0000000001450000-0x0000000001451000-memory.dmp

Filesize
4KB

Download
memory/3808-12-0x00000000002A0000-0x0000000000E7A000-memory.dmp

Filesize
11.9MB

Download
memory/3808-4-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/3808-8-0x0000000001470000-0x0000000001471000-memory.dmp

Filesize
4KB

Download
memory/3808-0-0x00000000002A0000-0x0000000000E7A000-memory.dmp

Filesize
11.9MB

Download
memory/3808-7-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/3808-3-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/3808-2-0x0000000000329000-0x0000000000738000-memory.dmp

Filesize
4.1MB

Download
memory/3808-1-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/4060-51-0x0000000000310000-0x00000000003C7000-memory.dmp

Filesize
732KB

Download
memory/4060-55-0x0000000000310000-0x00000000003C7000-memory.dmp

Filesize
732KB

Download
memory/4060-56-0x0000000000310000-0x00000000003C7000-memory.dmp

Filesize
732KB

Download
memory/4060-57-0x0000000000310000-0x00000000003C7000-memory.dmp

Filesize
732KB

Download
memory/4060-58-0x0000000000310000-0x00000000003C7000-memory.dmp

Filesize
732KB

Download
memory/4060-59-0x0000000000310000-0x00000000003C7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads