urelas | 878c9fcd11c1ec56288af066948c2d239a9d5ffe5ed131d3322a53cd90cf5690

General

Target

29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe
Size

794KB
MD5

29ef1a257725b109e0cccd9b2795ff40
SHA1

d7f04cf7b04dcd95e10a67d12d856bf8a03096fa
SHA256

878c9fcd11c1ec56288af066948c2d239a9d5ffe5ed131d3322a53cd90cf5690
SHA512

a5add0f8f7c46e2c9205de11bbec197847c6c46100b539d203d29f8386e27f2f34b9787489d244bde956be4dd0d5efd6ac013241f9aee975e99f2c1adbcb9c29
SSDEEP

24576:snPfQpzyD8ZTn8kZvAkI094vOkSCLMgC2:kfQt/Tn8AvAt0GvwC9

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2492 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

linoc.execumov.exe

pid process

2332 linoc.exe
2872 cumov.exe
Loads dropped DLL 2 IoCs

Processes:

29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exelinoc.exe

pid process

2364 29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe
2332 linoc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2492	cmd.exe

pid	process
2332	linoc.exe
2872	cumov.exe

pid	process
2364	29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe
2332	linoc.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

cumov.exe

pid	process
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe
2872	cumov.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exelinoc.exe

description	pid	process	target process
PID 2364 wrote to memory of 2332	2364	29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe	linoc.exe
PID 2364 wrote to memory of 2332	2364	29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe	linoc.exe
PID 2364 wrote to memory of 2332	2364	29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe	linoc.exe
PID 2364 wrote to memory of 2332	2364	29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe	linoc.exe
PID 2364 wrote to memory of 2492	2364	29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe	cmd.exe
PID 2364 wrote to memory of 2492	2364	29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe	cmd.exe
PID 2364 wrote to memory of 2492	2364	29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe	cmd.exe
PID 2364 wrote to memory of 2492	2364	29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe	cmd.exe
PID 2332 wrote to memory of 2872	2332	linoc.exe	cumov.exe
PID 2332 wrote to memory of 2872	2332	linoc.exe	cumov.exe
PID 2332 wrote to memory of 2872	2332	linoc.exe	cumov.exe
PID 2332 wrote to memory of 2872	2332	linoc.exe	cumov.exe

C:\Users\Admin\AppData\Local\Temp\29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\29ef1a257725b109e0cccd9b2795ff40_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\linoc.exe
"C:\Users\Admin\AppData\Local\Temp\linoc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\cumov.exe
"C:\Users\Admin\AppData\Local\Temp\cumov.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
754a8d0dde0d3a67bc20ca2fe80a9731

SHA1
515301bc900413dcf4191e8c5a3bfb40d91031ec

SHA256
b01967b21baa88e0f6733d7f94cdf33b1455d8cb5ef167979ae75746250abb01

SHA512
ee410e4a56554568495ca05133acf53fad4e6769ccc0a6d5600036c2093ffaa9e79123ce46d457e5cb4556cdfdff34a02224b910907a3230b80fe4cdfb91540e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
05c71f1b098ffd02d22c5da21e9568af

SHA1
753729bd572a79f810eace29bc2fe7c531a4effd

SHA256
33b0d4677bed432ddb764298634d9a77b40d3fd6ace16bae63a7bdfd51e9bcf5

SHA512
a08752d577b2f309b6109b5ca51203ffaaeebcb1b1dbbfee966fc30fa9017fa330078398284fbfbfd83a0625082ec9d7cf88f5fe43ca9982fb656d760c6ac5a6

Download Submit
\Users\Admin\AppData\Local\Temp\cumov.exe
Filesize
176KB

MD5
00210de2fd2b9ed27a35aa493f91b7f8

SHA1
b994a8dcbe08386d1110b3af5ff941e5e13b89e9

SHA256
1e785281b75914c8523ede59b6fea596d9c681f0ed881a180ea56761e89173fc

SHA512
bd5a77d684d5700a4d1305477fd86da6f727dae74ad1c9b6967846de846d4a819a2a86d152b9bc553ef8a819a313adbb44592d14bb7ba581e6d9cd81ab4abc5f

Download Submit
\Users\Admin\AppData\Local\Temp\linoc.exe
Filesize
795KB

MD5
99b796821b29e178d2e7bf1a92ecc115

SHA1
0fee5dfd668f3bb1e569a4f7b463c0db9e01030f

SHA256
c7e7d24ae4ebe50bc7d0b76440242dedf3ae4b68363344a6cf8fcdc8283e20ba

SHA512
4c6bd86bcac9966e0c96dec4c8ff00254acf1bd81c2883bb7fe10676b33cf839fc1c34da695f787a6afb810321c7a6995e818995a246c1e0b343d6aee88fba50

Download Submit
memory/2332-28-0x0000000000370000-0x000000000043F000-memory.dmp

Filesize
828KB

Download
memory/2332-21-0x0000000000370000-0x000000000043F000-memory.dmp

Filesize
828KB

Download
memory/2332-10-0x0000000000370000-0x000000000043F000-memory.dmp

Filesize
828KB

Download
memory/2364-6-0x0000000002D30000-0x0000000002DFF000-memory.dmp

Filesize
828KB

Download
memory/2364-18-0x00000000002B0000-0x000000000037F000-memory.dmp

Filesize
828KB

Download
memory/2364-0-0x00000000002B0000-0x000000000037F000-memory.dmp

Filesize
828KB

Download
memory/2872-29-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2872-31-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2872-32-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2872-33-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2872-34-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2872-35-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing