urelas | a30922df99e9ccdad5da7ae843f0177ba29a075338128937da4982aac777bd45

General

Target

970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
Size

6.5MB
MD5

970ab7302a9b5b9ee4634396988cff50
SHA1

f7c34ca04b3e3620e92d8d9e375b738b0d102b73
SHA256

a30922df99e9ccdad5da7ae843f0177ba29a075338128937da4982aac777bd45
SHA512

763e05a2eabbdeb24e873a388eb4f0ac7f99c295fe4344b5bfc09f90eda6786888ddfc03cab133b5a563caccdfde83646d650886034bad5cd6c2e3a78944d9a1
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSc:i0LrA2kHKQHNk3og9unipQyOaOc

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2620 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

peryh.exeyptadu.exesehom.exe

pid process

3048 peryh.exe
2872 yptadu.exe
1148 sehom.exe

pid	process
2620	cmd.exe

pid	process
3048	peryh.exe
2872	yptadu.exe
1148	sehom.exe

Loads dropped DLL 5 IoCs

Processes:

970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exeperyh.exeyptadu.exe

pid	process
2040	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
2040	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
3048	peryh.exe
3048	peryh.exe
2872	yptadu.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\sehom.exe	upx
behavioral1/memory/1148-168-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1148-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exeperyh.exeyptadu.exesehom.exe

pid	process
2040	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
3048	peryh.exe
2872	yptadu.exe
1148	sehom.exe
1148	sehom.exe
1148	sehom.exe
1148	sehom.exe
1148	sehom.exe
1148	sehom.exe
1148	sehom.exe
1148	sehom.exe
1148	sehom.exe
1148	sehom.exe
1148	sehom.exe
1148	sehom.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exeperyh.exeyptadu.exe

description	pid	process	target process
PID 2040 wrote to memory of 3048	2040	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	peryh.exe
PID 2040 wrote to memory of 3048	2040	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	peryh.exe
PID 2040 wrote to memory of 3048	2040	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	peryh.exe
PID 2040 wrote to memory of 3048	2040	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	peryh.exe
PID 2040 wrote to memory of 2620	2040	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	cmd.exe
PID 2040 wrote to memory of 2620	2040	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	cmd.exe
PID 2040 wrote to memory of 2620	2040	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	cmd.exe
PID 2040 wrote to memory of 2620	2040	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	cmd.exe
PID 3048 wrote to memory of 2872	3048	peryh.exe	yptadu.exe
PID 3048 wrote to memory of 2872	3048	peryh.exe	yptadu.exe
PID 3048 wrote to memory of 2872	3048	peryh.exe	yptadu.exe
PID 3048 wrote to memory of 2872	3048	peryh.exe	yptadu.exe
PID 2872 wrote to memory of 1148	2872	yptadu.exe	sehom.exe
PID 2872 wrote to memory of 1148	2872	yptadu.exe	sehom.exe
PID 2872 wrote to memory of 1148	2872	yptadu.exe	sehom.exe
PID 2872 wrote to memory of 1148	2872	yptadu.exe	sehom.exe
PID 2872 wrote to memory of 1764	2872	yptadu.exe	cmd.exe
PID 2872 wrote to memory of 1764	2872	yptadu.exe	cmd.exe
PID 2872 wrote to memory of 1764	2872	yptadu.exe	cmd.exe
PID 2872 wrote to memory of 1764	2872	yptadu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\peryh.exe
"C:\Users\Admin\AppData\Local\Temp\peryh.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\yptadu.exe
"C:\Users\Admin\AppData\Local\Temp\yptadu.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\sehom.exe
"C:\Users\Admin\AppData\Local\Temp\sehom.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
cbcdb54d77bac93d4da7b525e118d004

SHA1
ec28a0d05c1d7ea3615c50d53b38b50d8e00909d

SHA256
30e5277a8e17fd15cb346660cd87c8076cddf5e3721b0ca6e570ea4e0b22cf1c

SHA512
09f06dba1cb457b71573fd08ee970a2e711423581b2f65100658f62e07dc0f67649d4612c9ddf177f31c978359f1c58c04f82be111b9ae5931e96671793c60b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
fb27073afe344aa2e5faefe2801a8fb4

SHA1
32ac6bac56219ef31c4d6d19dc33fa1f2e0d240b

SHA256
c3160269d61468e1837ea6163cf237e903bd81161269a36684c8ccf3863586af

SHA512
e26d0931feeb1860401940b107d2a78fc3ad8106a5b5a83ae198c7dd1f033765fe297f84ffbfdb8ee3acdf3f81179ba5852de4913fb2e2e38a8317f84a9a0780

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
572f2d6fa961de2dae1754deaa857501

SHA1
521e6da14eae4c77b1f168b64f9dbf85cacc238f

SHA256
b3e18a4700da2bfe3da706e6dff14b523aff6be0bfd4ccaa8bb20303bda76017

SHA512
51ca0d629ba847c439dd17511f5ac3d505d691a087af7629afbb4a489a0942f50466199c08d101fbb8a1cdab899b5edb27c0998de6ef963d0d3626be462fc5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\peryh.exe
Filesize
6.5MB

MD5
68dd8214f64776668fb5c21852328149

SHA1
c411fd4721a26ee0dd4fab92f5136becd35cb579

SHA256
b6217bbc80eafaddb18b54a66ecb4510d6cdb4ab10d4210c7558444c595689cf

SHA512
6ed970cfc9142e96f19c47ea8c8ae4704134d201849e31336f41361b2947f4c6b2b2a7bd98c11805e68720537670e88ca94a887244fafc69de6176e2d39e993f

Download Submit
\Users\Admin\AppData\Local\Temp\sehom.exe
Filesize
459KB

MD5
c79b7a8876c9abdfe3b3f7c6cf79fd2f

SHA1
c209018197019129656a074aef38885defb66e36

SHA256
538159f8bb2fff751150075572efb96a69f5fa0e4d969e9976f29d4ae9cb0d9b

SHA512
b82f153c4b1bf1d8f353e227ac1a109c9534966e399e9a699ae35d9192eeca730c07d6168036d6327e30fb18944a3de6dc9dab250b5d81213300ba70cd39057d

Download Submit
memory/1148-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1148-168-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2040-10-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2040-18-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2040-13-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2040-11-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2040-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2040-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2040-6-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2040-5-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2040-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2040-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2040-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2040-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2040-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2040-25-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2040-60-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2040-59-0x0000000003F80000-0x0000000004A6C000-memory.dmp

Filesize
10.9MB

Download
memory/2040-20-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2040-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2040-23-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2040-15-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2040-35-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2040-33-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2040-28-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2040-30-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2872-169-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2872-159-0x00000000046E0000-0x0000000004879000-memory.dmp

Filesize
1.6MB

Download
memory/2872-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3048-87-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3048-65-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3048-112-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3048-111-0x0000000004540000-0x000000000502C000-memory.dmp

Filesize
10.9MB

Download
memory/3048-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3048-113-0x0000000004540000-0x000000000502C000-memory.dmp

Filesize
10.9MB

Download
memory/3048-70-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3048-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3048-75-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3048-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3048-80-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-82-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-85-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads