urelas | 9f174ff451b88060789fe123b3ac78118c10ceb6c765e6b2e47dbb759b4ff4ab

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe
Size

6.4MB
MD5

99b190ed6216121ae2891701a69dce80
SHA1

60f12632d15f201007941a3b785e236e0939ed22
SHA256

9f174ff451b88060789fe123b3ac78118c10ceb6c765e6b2e47dbb759b4ff4ab
SHA512

b528829f748b1b2bbb0e4b7cdfcbfe1676935211c9fb67a91f144cf06761bdca799c6f60576078781ab75651cb74ea92915ec5d5e0f255db35369565c76d2813
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSR:i0LrA2kHKQHNk3og9unipQyOaOR

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2620 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

mayfa.exeziijzy.exesufor.exe

pid process

2760 mayfa.exe
1572 ziijzy.exe
2456 sufor.exe

pid	process
2620	cmd.exe

pid	process
2760	mayfa.exe
1572	ziijzy.exe
2456	sufor.exe

Loads dropped DLL 5 IoCs

Processes:

99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exemayfa.exeziijzy.exe

pid	process
1960	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe
1960	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe
2760	mayfa.exe
2760	mayfa.exe
1572	ziijzy.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\sufor.exe	upx
behavioral1/memory/2456-167-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2456-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exemayfa.exeziijzy.exesufor.exe

pid	process
1960	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe
2760	mayfa.exe
1572	ziijzy.exe
2456	sufor.exe
2456	sufor.exe
2456	sufor.exe
2456	sufor.exe
2456	sufor.exe
2456	sufor.exe
2456	sufor.exe
2456	sufor.exe
2456	sufor.exe
2456	sufor.exe
2456	sufor.exe
2456	sufor.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exemayfa.exeziijzy.exe

description	pid	process	target process
PID 1960 wrote to memory of 2760	1960	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	mayfa.exe
PID 1960 wrote to memory of 2760	1960	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	mayfa.exe
PID 1960 wrote to memory of 2760	1960	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	mayfa.exe
PID 1960 wrote to memory of 2760	1960	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	mayfa.exe
PID 1960 wrote to memory of 2620	1960	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	cmd.exe
PID 1960 wrote to memory of 2620	1960	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	cmd.exe
PID 1960 wrote to memory of 2620	1960	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	cmd.exe
PID 1960 wrote to memory of 2620	1960	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	cmd.exe
PID 2760 wrote to memory of 1572	2760	mayfa.exe	ziijzy.exe
PID 2760 wrote to memory of 1572	2760	mayfa.exe	ziijzy.exe
PID 2760 wrote to memory of 1572	2760	mayfa.exe	ziijzy.exe
PID 2760 wrote to memory of 1572	2760	mayfa.exe	ziijzy.exe
PID 1572 wrote to memory of 2456	1572	ziijzy.exe	sufor.exe
PID 1572 wrote to memory of 2456	1572	ziijzy.exe	sufor.exe
PID 1572 wrote to memory of 2456	1572	ziijzy.exe	sufor.exe
PID 1572 wrote to memory of 2456	1572	ziijzy.exe	sufor.exe
PID 1572 wrote to memory of 1964	1572	ziijzy.exe	cmd.exe
PID 1572 wrote to memory of 1964	1572	ziijzy.exe	cmd.exe
PID 1572 wrote to memory of 1964	1572	ziijzy.exe	cmd.exe
PID 1572 wrote to memory of 1964	1572	ziijzy.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\mayfa.exe
"C:\Users\Admin\AppData\Local\Temp\mayfa.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\ziijzy.exe
"C:\Users\Admin\AppData\Local\Temp\ziijzy.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\sufor.exe
"C:\Users\Admin\AppData\Local\Temp\sufor.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
79fa52e824c4e577aa4eb10b05ff8fe5

SHA1
3e020b657ec3de872bd2f4a40f4dc404e95bd7d4

SHA256
b5c33fe469cf7b08e16880bc94250d040bf984d4ee7e35c996517df0f133745d

SHA512
0ad38b9722554b1a32fe5edd264fc9d017b1f8725c30404d951c7a981dce76c14fbfdc50c870cabe5df2ec32c4a31bf6418debe441bcd1f7856266eadd0aac00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
3ed6588c82e85611b665e78c61daf289

SHA1
a59f53e3868fa93c7400bcf63b6be93ef0b6ad24

SHA256
663bcb21898b10a56fcf642dbb12cea377d849a8f1a43cfe4c1fae62bbd6dd79

SHA512
2c2ab7658a8ec2325d48b7a130cd2b33aff3d29a3cf853f7b180608d152fda8fe7e281b319f068a9705f0e5ce008024657782f5de264e780e7b251bb5594a955

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
49722df3fdd7f6ab8abcfaba5097b418

SHA1
61753160c3c9486319265060321a908520588c0e

SHA256
44cf29f5115e9b906711554ecdc2f146575b434a35af6d3b76b49a5adeae1d9e

SHA512
d965350109a4f3cd2cc2b6fbac2abf349881397f5716d8f152a93870bb35e48b18b8536a76da4deed4e22091ffda1f8c8f40c9c239348ed7255cfc10a386bb8d

Download Submit
\Users\Admin\AppData\Local\Temp\mayfa.exe

Filesize
6.4MB

MD5
7757ba76b8cdf5416bfea28dcfc588e9

SHA1
ead949842790310f35c9d42b9fcac7bfe329fb92

SHA256
29a6c85b33b742fbe94c7c9317c95c2042dae987d2a52fdbd5cff9e214f5174a

SHA512
6dd08b79a7405f17cf5d41616f46810061dcc7f0119f70a8c7b81d62c2bb58c5c74afb77a218431f301d43f2ef77b730e4367c61fb5ab4696a6b04a78f679f57

Download Submit
\Users\Admin\AppData\Local\Temp\sufor.exe

Filesize
459KB

MD5
fac80553cbcff5c79d25ff0b4db0cebb

SHA1
e34a2180f2cc5122a2f48685dbb439c2f253e876

SHA256
afcd5edad9b4a0a423b0a523bc63efb7753f5dc98a15459b8d30fab098e4c936

SHA512
6de27c097c56c4fd8db2dfdb73429eb853f7a513b85786067dc3868852fd7290a35172ec745f1e86349bee644c191c8980da4b0710779b96ac20fdc8ec4e547e

Download Submit
memory/1572-169-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1572-159-0x0000000004850000-0x00000000049E9000-memory.dmp

Filesize
1.6MB

Download
memory/1960-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1960-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1960-35-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1960-33-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1960-30-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1960-28-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1960-25-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1960-23-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1960-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1960-18-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1960-15-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1960-13-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1960-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1960-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1960-60-0x0000000003FA0000-0x0000000004A8C000-memory.dmp

Filesize
10.9MB

Download
memory/1960-11-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1960-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1960-52-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1960-61-0x0000000003FA0000-0x0000000004A8C000-memory.dmp

Filesize
10.9MB

Download
memory/1960-38-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1960-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1960-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1960-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1960-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1960-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1960-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2456-167-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2456-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2760-79-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2760-82-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2760-84-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2760-111-0x0000000004560000-0x000000000504C000-memory.dmp

Filesize
10.9MB

Download
memory/2760-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2760-77-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2760-74-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2760-87-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2760-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2760-69-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2760-72-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2760-89-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download