urelas | 9f174ff451b88060789fe123b3ac78118c10ceb6c765e6b2e47dbb759b4ff4ab

General

Target

99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe
Size

6.4MB
MD5

99b190ed6216121ae2891701a69dce80
SHA1

60f12632d15f201007941a3b785e236e0939ed22
SHA256

9f174ff451b88060789fe123b3ac78118c10ceb6c765e6b2e47dbb759b4ff4ab
SHA512

b528829f748b1b2bbb0e4b7cdfcbfe1676935211c9fb67a91f144cf06761bdca799c6f60576078781ab75651cb74ea92915ec5d5e0f255db35369565c76d2813
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSR:i0LrA2kHKQHNk3og9unipQyOaOR

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exeveaqu.exeapornu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	veaqu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	apornu.exe

Executes dropped EXE 3 IoCs

Processes:

veaqu.exeapornu.exegopap.exe

pid process

1528 veaqu.exe
4580 apornu.exe
968 gopap.exe

pid	process
1528	veaqu.exe
4580	apornu.exe
968	gopap.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gopap.exe	upx
behavioral2/memory/968-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/968-74-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/968-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exeveaqu.exeapornu.exegopap.exe

pid	process
4888	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe
4888	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe
1528	veaqu.exe
1528	veaqu.exe
4580	apornu.exe
4580	apornu.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe
968	gopap.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exeveaqu.exeapornu.exe

description	pid	process	target process
PID 4888 wrote to memory of 1528	4888	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	veaqu.exe
PID 4888 wrote to memory of 1528	4888	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	veaqu.exe
PID 4888 wrote to memory of 1528	4888	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	veaqu.exe
PID 4888 wrote to memory of 4424	4888	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	cmd.exe
PID 4888 wrote to memory of 4424	4888	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	cmd.exe
PID 4888 wrote to memory of 4424	4888	99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe	cmd.exe
PID 1528 wrote to memory of 4580	1528	veaqu.exe	apornu.exe
PID 1528 wrote to memory of 4580	1528	veaqu.exe	apornu.exe
PID 1528 wrote to memory of 4580	1528	veaqu.exe	apornu.exe
PID 4580 wrote to memory of 968	4580	apornu.exe	gopap.exe
PID 4580 wrote to memory of 968	4580	apornu.exe	gopap.exe
PID 4580 wrote to memory of 968	4580	apornu.exe	gopap.exe
PID 4580 wrote to memory of 3976	4580	apornu.exe	cmd.exe
PID 4580 wrote to memory of 3976	4580	apornu.exe	cmd.exe
PID 4580 wrote to memory of 3976	4580	apornu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\99b190ed6216121ae2891701a69dce80_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\veaqu.exe
"C:\Users\Admin\AppData\Local\Temp\veaqu.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\apornu.exe
"C:\Users\Admin\AppData\Local\Temp\apornu.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Local\Temp\gopap.exe
"C:\Users\Admin\AppData\Local\Temp\gopap.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
aad05f379c24ecb408552aeda26851f9

SHA1
f436ce40fbe6fc798a263a1e1ec91cdcb2626b97

SHA256
f0f5948d49e67266b4aa324d9db59be334c8fc6a5556659a9983110c12eb0190

SHA512
6757f0e03dd4a0ff50e8c15fe49c3e6186343dc05102394cfcb211849c38c44a5639d04a380dee34a6ad855682a8693251de3ea2b8a3d064456695c87d73f365

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
3ed6588c82e85611b665e78c61daf289

SHA1
a59f53e3868fa93c7400bcf63b6be93ef0b6ad24

SHA256
663bcb21898b10a56fcf642dbb12cea377d849a8f1a43cfe4c1fae62bbd6dd79

SHA512
2c2ab7658a8ec2325d48b7a130cd2b33aff3d29a3cf853f7b180608d152fda8fe7e281b319f068a9705f0e5ce008024657782f5de264e780e7b251bb5594a955

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
173d8b49560ebb7679f6b0eb85d9bb8e

SHA1
428b9c624385973113746768e78512268b2212e8

SHA256
feb56cebbaea498d6e2856ce572c7248152c61e28debe48b1f6ba7f10c1ba26d

SHA512
0a15d2c527a865434b60cc8f8bd124d2e9f2d5dc7e248cf6b5dc4e08c244b7a09ba452b1c94274f18d275a37bc13d9bb6dd4ecac2effdbb3dcda99d18a545a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gopap.exe

Filesize
459KB

MD5
bddbc67e0cf1fd40a6c3506ba95b5f21

SHA1
2a9119bdc918865c726d60498de8db581be17f02

SHA256
599cde30c6b27e8a1d7915144cdf255e2f27384fb5f1a83c886f08555393de0f

SHA512
e1824b22817b8e9bf1d08dedabf7c33c3568afa0b3de5c2181ea644eead6af0ed75b5cb6a5f6c35d4b700e983dd96cddfe6914e6c008da541bc37a40d22eddfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\veaqu.exe

Filesize
6.4MB

MD5
2f07fe3ccb14ad876f5f56a4fbf4323b

SHA1
62abf893b5d518cc08b7b11de20b7ff4b669da12

SHA256
e639d360d894755ee59e45febdab17d3566fa53eb993c7f11b607bc23cf2d57b

SHA512
604a6a1a5ebf027b7b8f2c4adcd5bb4a211b021068aa2e5ee570084159ab4a660a81cf6361bfb5c75e2642a36ca6735662e1eb79d22fdf9cbce752474067b44e

Download Submit
memory/968-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/968-74-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/968-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1528-31-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1528-35-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/1528-32-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1528-30-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1528-33-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/1528-34-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/1528-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1528-29-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1528-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1528-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1528-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4580-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4580-53-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/4580-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4580-49-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/4580-50-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/4580-52-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/4580-54-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/4580-55-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/4580-51-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/4888-2-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/4888-5-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4888-4-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/4888-27-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4888-1-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4888-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4888-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4888-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4888-6-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/4888-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4888-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4888-11-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4888-7-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/4888-3-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads