urelas | 69c41fa6554d4d4d993b56db84fa0673e759ddd97004ec75ec7708513521d4da

General

Target

0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe
Size

6.5MB
MD5

0caaf786c2cff4ddbb241e7f54d0e650
SHA1

4d53731555f3707dbfecdbe055b3c29b76842cf4
SHA256

69c41fa6554d4d4d993b56db84fa0673e759ddd97004ec75ec7708513521d4da
SHA512

c7d98f0cd3835a1538a1a324cef5ca27b08d4466351a298ea6e60e9be02973ffa7edf5a99ba5400f8a06f05d0bb04a4cb70d5899f4860635f88158252c40b1c6
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSu:i0LrA2kHKQHNk3og9unipQyOaOu

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exerujia.exeifyvef.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	rujia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ifyvef.exe

Executes dropped EXE 3 IoCs

Processes:

rujia.exeifyvef.exerukyz.exe

pid process

3708 rujia.exe
1132 ifyvef.exe
4232 rukyz.exe

pid	process
3708	rujia.exe
1132	ifyvef.exe
4232	rukyz.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rukyz.exe	upx
behavioral2/memory/4232-68-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4232-73-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exerujia.exeifyvef.exerukyz.exe

pid	process
2520	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe
2520	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe
3708	rujia.exe
3708	rujia.exe
1132	ifyvef.exe
1132	ifyvef.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe
4232	rukyz.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exerujia.exeifyvef.exe

description	pid	process	target process
PID 2520 wrote to memory of 3708	2520	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	rujia.exe
PID 2520 wrote to memory of 3708	2520	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	rujia.exe
PID 2520 wrote to memory of 3708	2520	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	rujia.exe
PID 2520 wrote to memory of 2396	2520	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	cmd.exe
PID 2520 wrote to memory of 2396	2520	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	cmd.exe
PID 2520 wrote to memory of 2396	2520	0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe	cmd.exe
PID 3708 wrote to memory of 1132	3708	rujia.exe	ifyvef.exe
PID 3708 wrote to memory of 1132	3708	rujia.exe	ifyvef.exe
PID 3708 wrote to memory of 1132	3708	rujia.exe	ifyvef.exe
PID 1132 wrote to memory of 4232	1132	ifyvef.exe	rukyz.exe
PID 1132 wrote to memory of 4232	1132	ifyvef.exe	rukyz.exe
PID 1132 wrote to memory of 4232	1132	ifyvef.exe	rukyz.exe
PID 1132 wrote to memory of 1400	1132	ifyvef.exe	cmd.exe
PID 1132 wrote to memory of 1400	1132	ifyvef.exe	cmd.exe
PID 1132 wrote to memory of 1400	1132	ifyvef.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0caaf786c2cff4ddbb241e7f54d0e650_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Local\Temp\rujia.exe
"C:\Users\Admin\AppData\Local\Temp\rujia.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\ifyvef.exe
"C:\Users\Admin\AppData\Local\Temp\ifyvef.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\rukyz.exe
"C:\Users\Admin\AppData\Local\Temp\rukyz.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
713b4862f64ea0a94ff3f9156c5cc898

SHA1
ca0e5e0cc054c35de806c2398cbfd7d106fecbd5

SHA256
b82eeaa05024dce76e9cc10504633703c3503f70c3eab439278528e132aec801

SHA512
f8f66d389c62aaf97665f81cf976707d15b022b3db631554dc80e2be36f03dd5a4a2b60b085397cd40869aaf7aa38ccc51d9fb7c4ca6eab1c768a5744c98cce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
2fa21a148616606d04106e012d2cf4e2

SHA1
027a208c6dd5c90a76d5eb9fc56195c9ca4d4da1

SHA256
8abab40be09b7a428ef4d4d6349483b6665590ccf9554ae6f329509b877a5111

SHA512
25a395d1d9009da4160b7d7c5eb71ba522e210b143883e4fb8f26b0dfe2032c7df7f9bee4ab2baadb8ff2052ba20d609a3ca12e1d8c5ef05a397514d1b83dde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9d4fdf0d1ebfbe6ed5cdf2900da46dac

SHA1
9b47a9a3af03fe921defa110e04ebf447d841a99

SHA256
f40e9b957e88dd1b28ee231f6584cb4c2bba8467b4f1e28dff0e38a4f8e975bd

SHA512
26dcececbeaf6acb6a1d3b88b75073f868897ce666b57277ec06d6b610ae8746cc58b962ce9abcc4ff57652a0f811822361bd6e42c02c80561d66a88119ef367

Download Submit
C:\Users\Admin\AppData\Local\Temp\rujia.exe

Filesize
6.5MB

MD5
c9c024d1890d35cc44a6a1f4dfda4952

SHA1
ab9a3656f5a056c03e9de8c4152e5808bf650170

SHA256
314a4f9d93cff8b9608ee64352fd894784daa329dc5ea6d1a541d8f9ae415843

SHA512
8493614d9d304cd9275e45c560a92194df9d702020d66505d151fbcdbc4cec7e7716def5c626aa4f60b5d0678f96d79b4eeace4cbba903959b6c8db9ba421cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rukyz.exe

Filesize
459KB

MD5
9f5c23622f60dd87b1d74d5b3ef1c576

SHA1
38cab44118556225a220cabcdd0de527e6e8fe48

SHA256
0c413345eb1de5268c760765db98a7e57319ed980af22ea5d97eaf6fdec94e46

SHA512
ba77e60380dc8bfdb8a10f3f6e4361ebd563a4e8730ad41d3722d541837da5e82bcf41214e9964775c7426e7b14774c7bfc6111badc7230c1ef016b512cd8b4b

Download Submit
memory/1132-50-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1132-51-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1132-52-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1132-53-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1132-55-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1132-54-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1132-49-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1132-70-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2520-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2520-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2520-4-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2520-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2520-7-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2520-6-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2520-5-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2520-3-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2520-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2520-2-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/2520-1-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2520-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2520-10-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2520-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3708-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3708-28-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3708-31-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/3708-32-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/3708-33-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/3708-34-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/3708-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3708-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4232-68-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4232-73-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads