urelas | a30922df99e9ccdad5da7ae843f0177ba29a075338128937da4982aac777bd45

General

Target

970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
Size

6.5MB
MD5

970ab7302a9b5b9ee4634396988cff50
SHA1

f7c34ca04b3e3620e92d8d9e375b738b0d102b73
SHA256

a30922df99e9ccdad5da7ae843f0177ba29a075338128937da4982aac777bd45
SHA512

763e05a2eabbdeb24e873a388eb4f0ac7f99c295fe4344b5bfc09f90eda6786888ddfc03cab133b5a563caccdfde83646d650886034bad5cd6c2e3a78944d9a1
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSc:i0LrA2kHKQHNk3og9unipQyOaOc

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exefapyo.exetygyto.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	fapyo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	tygyto.exe

Executes dropped EXE 3 IoCs

Processes:

fapyo.exetygyto.exedikuv.exe

pid process

2200 fapyo.exe
692 tygyto.exe
2356 dikuv.exe

pid	process
2200	fapyo.exe
692	tygyto.exe
2356	dikuv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dikuv.exe	upx
behavioral2/memory/2356-67-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2356-73-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exefapyo.exetygyto.exedikuv.exe

pid	process
1984	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
1984	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
2200	fapyo.exe
2200	fapyo.exe
692	tygyto.exe
692	tygyto.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe
2356	dikuv.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exefapyo.exetygyto.exe

description	pid	process	target process
PID 1984 wrote to memory of 2200	1984	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	fapyo.exe
PID 1984 wrote to memory of 2200	1984	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	fapyo.exe
PID 1984 wrote to memory of 2200	1984	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	fapyo.exe
PID 1984 wrote to memory of 3536	1984	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	cmd.exe
PID 1984 wrote to memory of 3536	1984	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	cmd.exe
PID 1984 wrote to memory of 3536	1984	970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe	cmd.exe
PID 2200 wrote to memory of 692	2200	fapyo.exe	tygyto.exe
PID 2200 wrote to memory of 692	2200	fapyo.exe	tygyto.exe
PID 2200 wrote to memory of 692	2200	fapyo.exe	tygyto.exe
PID 692 wrote to memory of 2356	692	tygyto.exe	dikuv.exe
PID 692 wrote to memory of 2356	692	tygyto.exe	dikuv.exe
PID 692 wrote to memory of 2356	692	tygyto.exe	dikuv.exe
PID 692 wrote to memory of 1360	692	tygyto.exe	cmd.exe
PID 692 wrote to memory of 1360	692	tygyto.exe	cmd.exe
PID 692 wrote to memory of 1360	692	tygyto.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\fapyo.exe
"C:\Users\Admin\AppData\Local\Temp\fapyo.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\tygyto.exe
"C:\Users\Admin\AppData\Local\Temp\tygyto.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\dikuv.exe
"C:\Users\Admin\AppData\Local\Temp\dikuv.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b3a68871ad9adac0a62e6f4a8aa634df

SHA1
8cf77bf93fade0269f0c3bc561df4f982d755071

SHA256
c5339d85d2a50b992300dc3b4a407399c5f8289c18be93d62c9743ce36b69624

SHA512
6ada8ba9930f98a26e2fbb2b14dc5a133b1a963a52a4a9d19eec2e94b704c324b5a2482340bbc9107040d0f1a3eef6c1a1773aea57a50a623a2800c653b231ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
fb27073afe344aa2e5faefe2801a8fb4

SHA1
32ac6bac56219ef31c4d6d19dc33fa1f2e0d240b

SHA256
c3160269d61468e1837ea6163cf237e903bd81161269a36684c8ccf3863586af

SHA512
e26d0931feeb1860401940b107d2a78fc3ad8106a5b5a83ae198c7dd1f033765fe297f84ffbfdb8ee3acdf3f81179ba5852de4913fb2e2e38a8317f84a9a0780

Download Submit
C:\Users\Admin\AppData\Local\Temp\dikuv.exe

Filesize
459KB

MD5
62aceb0d684496e724e7831f227d7a05

SHA1
618972806a5fe92705fbc66a67cde781ebb05e90

SHA256
3022341e12e4a526204c53cabaa83c2689912a98738dd18e684d3fa901cd87bd

SHA512
acc2c90fe240897266bf8030072fc5435efd19cbe7875580984968144097355e3c55f219e58d4114057d3c5d9a17b025301e9ad4c4fa3ad1b2e9c47e1fb6465c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fapyo.exe

Filesize
6.5MB

MD5
7ddf68bf52798413a75b3ee8f40901b0

SHA1
930b690483cda200aa684b98a60093dd5847eb4e

SHA256
2241bf7c78386781d60a0b4accd89410ccd61d763f7375b1d5a3ab0525727eda

SHA512
d46b0074d92cce1867a49f7c1fd74cd94917399705434d34d5cd75787e5d8b0881a188309dc2a5894bdef18811004555eea4f0ca92701274c6023a2f81b35908

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
131b96d335a3e26263b46f248f0aacd9

SHA1
704bbf98746e679af8f7fc1f88a1c24ade7d3ac6

SHA256
40fba4e992b5367cf594e4289181f4b329df9607dc1105d4556c62b07cb55989

SHA512
347f4d161aff2c5ca2aa993853ab5c4e6e4c4e43d3c657dbfd1fca9e2b5993d6c4a7daef281194d98d8321b966a6a9c171b9805f0087cf7f11d5fa831851de31

Download Submit
memory/692-55-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/692-49-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/692-50-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/692-54-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/692-52-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/692-53-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/692-48-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/692-51-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/692-70-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1984-10-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1984-5-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/1984-3-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/1984-7-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/1984-6-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1984-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1984-4-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/1984-2-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1984-1-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1984-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1984-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1984-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1984-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1984-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2200-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2200-28-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2200-29-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/2200-31-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2200-32-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2200-33-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2200-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2200-34-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2200-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2356-67-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2356-73-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads