urelas | 69c41fa6554d4d4d993b56db84fa0673e759ddd97004ec75ec7708513521d4da

General

Target

0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe
Size

6.5MB
MD5

0caaf786c2cff4ddbb241e7f54d0e650
SHA1

4d53731555f3707dbfecdbe055b3c29b76842cf4
SHA256

69c41fa6554d4d4d993b56db84fa0673e759ddd97004ec75ec7708513521d4da
SHA512

c7d98f0cd3835a1538a1a324cef5ca27b08d4466351a298ea6e60e9be02973ffa7edf5a99ba5400f8a06f05d0bb04a4cb70d5899f4860635f88158252c40b1c6
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSu:i0LrA2kHKQHNk3og9unipQyOaOu

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2684 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

zeixt.exeqypuil.exepudue.exe

pid process

2648 zeixt.exe
2348 qypuil.exe
820 pudue.exe

pid	process
2684	cmd.exe

pid	process
2648	zeixt.exe
2348	qypuil.exe
820	pudue.exe

Loads dropped DLL 5 IoCs

Processes:

0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exezeixt.exeqypuil.exe

pid	process
1152	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe
1152	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe
2648	zeixt.exe
2648	zeixt.exe
2348	qypuil.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\pudue.exe	upx
behavioral1/memory/820-170-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/820-176-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exezeixt.exeqypuil.exepudue.exe

pid	process
1152	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe
2648	zeixt.exe
2348	qypuil.exe
820	pudue.exe
820	pudue.exe
820	pudue.exe
820	pudue.exe
820	pudue.exe
820	pudue.exe
820	pudue.exe
820	pudue.exe
820	pudue.exe
820	pudue.exe
820	pudue.exe
820	pudue.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exezeixt.exeqypuil.exe

description	pid	process	target process
PID 1152 wrote to memory of 2648	1152	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	zeixt.exe
PID 1152 wrote to memory of 2648	1152	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	zeixt.exe
PID 1152 wrote to memory of 2648	1152	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	zeixt.exe
PID 1152 wrote to memory of 2648	1152	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	zeixt.exe
PID 1152 wrote to memory of 2684	1152	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	cmd.exe
PID 1152 wrote to memory of 2684	1152	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	cmd.exe
PID 1152 wrote to memory of 2684	1152	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	cmd.exe
PID 1152 wrote to memory of 2684	1152	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	cmd.exe
PID 2648 wrote to memory of 2348	2648	zeixt.exe	qypuil.exe
PID 2648 wrote to memory of 2348	2648	zeixt.exe	qypuil.exe
PID 2648 wrote to memory of 2348	2648	zeixt.exe	qypuil.exe
PID 2648 wrote to memory of 2348	2648	zeixt.exe	qypuil.exe
PID 2348 wrote to memory of 820	2348	qypuil.exe	pudue.exe
PID 2348 wrote to memory of 820	2348	qypuil.exe	pudue.exe
PID 2348 wrote to memory of 820	2348	qypuil.exe	pudue.exe
PID 2348 wrote to memory of 820	2348	qypuil.exe	pudue.exe
PID 2348 wrote to memory of 1980	2348	qypuil.exe	cmd.exe
PID 2348 wrote to memory of 1980	2348	qypuil.exe	cmd.exe
PID 2348 wrote to memory of 1980	2348	qypuil.exe	cmd.exe
PID 2348 wrote to memory of 1980	2348	qypuil.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\zeixt.exe
"C:\Users\Admin\AppData\Local\Temp\zeixt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\qypuil.exe
"C:\Users\Admin\AppData\Local\Temp\qypuil.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\pudue.exe
"C:\Users\Admin\AppData\Local\Temp\pudue.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6d2904ebf8676172de84b6212c2f021d

SHA1
e2292b462214ca56070e80078ab402d71310ff82

SHA256
d06e2d2bb8ac0c8fe8bdfa12af20ae015bc734d8d1631cade608cd9a64ed413a

SHA512
a2c68608e6bbfee3e9aa985c018727b3ea942f7588922476945b7d119d1639f192eebde9637ad7ae45525802767b44b6c0f217a869c2ae76804ad530d64eade8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
2fa21a148616606d04106e012d2cf4e2

SHA1
027a208c6dd5c90a76d5eb9fc56195c9ca4d4da1

SHA256
8abab40be09b7a428ef4d4d6349483b6665590ccf9554ae6f329509b877a5111

SHA512
25a395d1d9009da4160b7d7c5eb71ba522e210b143883e4fb8f26b0dfe2032c7df7f9bee4ab2baadb8ff2052ba20d609a3ca12e1d8c5ef05a397514d1b83dde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fa29acff572e4da4ce6fde2bdb9389df

SHA1
3b6b516e23b597ebf12052b1031ffba7cf15c572

SHA256
3c2d4082e58964c4154f42c21ed252d529c06a902a7ef31b221e88a9d456cba7

SHA512
159a38acf64265dce92d835be0bdae9e999194fd42c5ae9145e465a0192d9869c49354d3df9901e801ff8dbc52730f082b9175b5030fd09ea0d72b37eb3713ac

Download Submit
\Users\Admin\AppData\Local\Temp\pudue.exe

Filesize
459KB

MD5
9d87235caf6c8f85272fa82ee7de8b9c

SHA1
60e13d1cebb8edfd9977a96a0e8f372102ed87b6

SHA256
76e61ec5e48251dac6862e0c574e8598ed8fd16b523b77a1cb0dc7061c60fe1c

SHA512
0d50e2512ded9e48066ccc297e889ed696060c823cfea288d739adc75c81bbd2e2bdef7f6563fe1ade51bffa9954f1404d73ac81a3f3881ccceed2fd87b55d9e

Download Submit
\Users\Admin\AppData\Local\Temp\zeixt.exe

Filesize
6.5MB

MD5
d047d64d8318e7132e2f67a2e51f3bfe

SHA1
2cbc6c9db941e70dd7cbfe8bac3372140c37acba

SHA256
f6569d051c4e2e39b62ace939fe3f49bc1b1d274ba669372a6e6b065f0c4aaf6

SHA512
164f99d407422c1ddf5bc75e80b9e0345d2ec5a2106d99fe0537e1c5c83e04a30a615a3b8782b8b89a8b4848e17bf6553876281a7487e09d153aef321d3c9d1b

Download Submit
memory/820-176-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/820-170-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1152-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1152-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1152-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1152-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1152-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1152-36-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1152-34-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1152-31-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1152-29-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1152-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1152-25-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1152-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1152-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1152-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1152-53-0x0000000003C20000-0x000000000470C000-memory.dmp

Filesize
10.9MB

Download
memory/1152-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1152-23-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1152-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1152-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1152-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1152-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1152-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1152-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1152-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2348-171-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2348-169-0x0000000004370000-0x0000000004509000-memory.dmp

Filesize
1.6MB

Download
memory/2648-114-0x0000000003D00000-0x00000000047EC000-memory.dmp

Filesize
10.9MB

Download
memory/2648-116-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2648-105-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2648-87-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2648-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2648-89-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2648-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads