urelas | b1dfc2ab3dabbf8b3a78875e8206223247ecb8e991894db3b89a20b39c9ea1de

General

Target

3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe
Size

508KB
MD5

3b89b875a62c15e2994e430f09410cf0
SHA1

f87dd85e1b114b3ddef9a5e7b29529940e10699e
SHA256

b1dfc2ab3dabbf8b3a78875e8206223247ecb8e991894db3b89a20b39c9ea1de
SHA512

c22c5f99782ef51025a249fd1883ee0fba7400bfc83d4b3d8993b3b1d3bb28db3bf5cab3b6f1c9159dfe4f88f7328c2c795866ccb83a398cee598ef61cc3b5da
SSDEEP

12288:kdBNKTCqqwXCcdgT89+MvA+BisqYpxHtSXL:kLjQC+fs0gXL

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2516 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

piuhv.exeroqye.exe

pid process

2572 piuhv.exe
1832 roqye.exe
Loads dropped DLL 2 IoCs

Processes:

3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exepiuhv.exe

pid process

1924 3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe
2572 piuhv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2516	cmd.exe

pid	process
2572	piuhv.exe
1832	roqye.exe

pid	process
1924	3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe
2572	piuhv.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

roqye.exe

pid	process
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe
1832	roqye.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exepiuhv.exe

description	pid	process	target process
PID 1924 wrote to memory of 2572	1924	3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe	piuhv.exe
PID 1924 wrote to memory of 2572	1924	3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe	piuhv.exe
PID 1924 wrote to memory of 2572	1924	3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe	piuhv.exe
PID 1924 wrote to memory of 2572	1924	3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe	piuhv.exe
PID 1924 wrote to memory of 2516	1924	3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe	cmd.exe
PID 1924 wrote to memory of 2516	1924	3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe	cmd.exe
PID 1924 wrote to memory of 2516	1924	3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe	cmd.exe
PID 1924 wrote to memory of 2516	1924	3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe	cmd.exe
PID 2572 wrote to memory of 1832	2572	piuhv.exe	roqye.exe
PID 2572 wrote to memory of 1832	2572	piuhv.exe	roqye.exe
PID 2572 wrote to memory of 1832	2572	piuhv.exe	roqye.exe
PID 2572 wrote to memory of 1832	2572	piuhv.exe	roqye.exe

C:\Users\Admin\AppData\Local\Temp\3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3b89b875a62c15e2994e430f09410cf0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\piuhv.exe
"C:\Users\Admin\AppData\Local\Temp\piuhv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\roqye.exe
"C:\Users\Admin\AppData\Local\Temp\roqye.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
eea9a241134ad993b2f4fc5ba03fb769

SHA1
1a0703bd65952c617f50fe646058ac333af02ff3

SHA256
6da2fc8cc64c7761b4b8ff5456dfa9013f24e4e34c0ae0e9964f24a6aa2b3415

SHA512
8fddf748f55538d081cf355e788d1afc5da1e71dbb16bf71f982991acf0e549f92d58b66a8aa489b638104b253155c34437b0102f82adf89dfe017d63276c84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
33d5ec481793932f4b5b07be4b733b63

SHA1
e834910cf55b8711e217ad512976d4c0e9f1d2c7

SHA256
86657d9bf75ed3dc88df8d205c1f74618c206dce7f2f9e8ba9defce930250533

SHA512
d6519d7cf59d10211a23fc61073da8aa6eff5841ed78fc080c72cc2c1eca125cf1192de024510e6c8bdbea5294e3edf89db93cb6b8f94c6dde1738c688483369

Download Submit
\Users\Admin\AppData\Local\Temp\piuhv.exe
Filesize
508KB

MD5
0cb9f9df0eb88c6eff1d728b63874cf1

SHA1
7cbf6bd1b36314c7535f3a6dda78001582a65ebb

SHA256
10d7aef93439d21ef040d188f0e111bd1e3e452d75b5e601dbb4455ea073a90d

SHA512
418b88405d8348aaca152700ca4adb69349741855f20386942be14e800ceea2b6cd5e7d81b7c9995e7e2732adcffbc8ba0a21f3e17a411d74024c6a95a279c9c

Download Submit
\Users\Admin\AppData\Local\Temp\roqye.exe
Filesize
241KB

MD5
adbd1a53c230502a0d3920c724fad754

SHA1
cf9d6cff6b0840d49dd41d095cfe096895ec6712

SHA256
76f414c050cb3f81c61379de648d51d1c81e7e9b3e0ead714faa6fca2f35efe6

SHA512
790a464db512927f69a3bc34664cf4be1795d12bfa482e3bfed09a56fed2278a64ffe85a1838289af8d4469bd221d3134fc83ba35de12cd0e365590e5be5219b

Download Submit
memory/1832-25-0x0000000001350000-0x0000000001406000-memory.dmp

Filesize
728KB

Download
memory/1832-27-0x0000000001350000-0x0000000001406000-memory.dmp

Filesize
728KB

Download
memory/1832-28-0x0000000001350000-0x0000000001406000-memory.dmp

Filesize
728KB

Download
memory/1832-29-0x0000000001350000-0x0000000001406000-memory.dmp

Filesize
728KB

Download
memory/1832-30-0x0000000001350000-0x0000000001406000-memory.dmp

Filesize
728KB

Download
memory/1832-31-0x0000000001350000-0x0000000001406000-memory.dmp

Filesize
728KB

Download
memory/1924-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing