urelas | d447f64c4aa1dadc7784a9b09d73b5240c6f0acda63b626de1850a93362daeb2

General

Target

40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe
Size

421KB
MD5

40f25f8a225b34817bef30699aac5470
SHA1

89d601340a802e868839dbc2cfcd60f96566194c
SHA256

d447f64c4aa1dadc7784a9b09d73b5240c6f0acda63b626de1850a93362daeb2
SHA512

d708174bca5cdd52fc4dcad69ddcc4825849837f0d9c61f4e83aa00f4d9c8af0e3abe0ede14f20b519b8543fc821308dda093d9402fc51d7454526a377c7ae14
SSDEEP

6144:SclgVrkccVxjfYNftqZe9+Hc0RLG0aOBAf70GbjUwMD9n/lR7e+XpMSJ:BeVoDVxjQ1gXHcuLHBS/MD9tR71j

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exenakuy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	nakuy.exe

Executes dropped EXE 2 IoCs

Processes:

nakuy.exeqyeww.exe

pid process

1584 nakuy.exe
552 qyeww.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1584	nakuy.exe
552	qyeww.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

qyeww.exe

pid	process
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe
552	qyeww.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exenakuy.exe

description	pid	process	target process
PID 4372 wrote to memory of 1584	4372	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	nakuy.exe
PID 4372 wrote to memory of 1584	4372	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	nakuy.exe
PID 4372 wrote to memory of 1584	4372	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	nakuy.exe
PID 4372 wrote to memory of 388	4372	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	cmd.exe
PID 4372 wrote to memory of 388	4372	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	cmd.exe
PID 4372 wrote to memory of 388	4372	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	cmd.exe
PID 1584 wrote to memory of 552	1584	nakuy.exe	qyeww.exe
PID 1584 wrote to memory of 552	1584	nakuy.exe	qyeww.exe
PID 1584 wrote to memory of 552	1584	nakuy.exe	qyeww.exe

C:\Users\Admin\AppData\Local\Temp\40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4372

C:\Users\Admin\AppData\Local\Temp\nakuy.exe
"C:\Users\Admin\AppData\Local\Temp\nakuy.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\qyeww.exe
"C:\Users\Admin\AppData\Local\Temp\qyeww.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
9f5a871960caf6302d2910541feac4bc

SHA1
94b604aff860e61405ec1a84a9153530a28e4c65

SHA256
7e7f1c73858059edd975dde4f7387265bca2b2bc6682036ddf66a15100a1431c

SHA512
963ef95e3ecc7a9a86c15cfb270594a8f1c466f84bf0938bb27862fefdac16cf94442dc3b8e009fe6b29a18d8fa51f9d838a1784feee638f3f7102c8c8adaff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
5063965c90d4472f5588469e71ad7525

SHA1
e900e8af5c5b7013215cbcb968eccf1eba778a8a

SHA256
dab1c553be5591710fc441e30dec264f919c48426f688b0412b1ba7a6ca293b1

SHA512
e6318ffabe61386a3937d266f71eca888c7e01dd8b379e1632c096fe082badb4444553638e586381a2ec86322f853a09dcd138adbc5196aa63df431dc2cc9430

Download Submit
C:\Users\Admin\AppData\Local\Temp\nakuy.exe
Filesize
422KB

MD5
dfa07d056b5350931c8c5632a651e685

SHA1
90ed0b127b09be1910eb0b79276ef2e2aaa1e8c6

SHA256
ad55feddf9b99e189a8f37574e872e679a2a519f7baaded339b93a9cf1488f95

SHA512
ffc1da872c55b41a223477a0541411804e2659dd07f0d15f830e50c04342546c87bf5e90990dee348dd905846ec039b84f5c11cfcbb241d8de83ddbf488219a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyeww.exe
Filesize
227KB

MD5
0d7226f978cd33059f98b9a238edd656

SHA1
b6b18f101e93580a076035307e6b79a65d725dcd

SHA256
8486aa4a0433b8a57fe41bdc34eee6ee3f07e60bdb28743c105fb41c916dafe5

SHA512
2a21e8b7eca02b2b715e1ec680854146cac660faa3ff3abed7979146eff5ffc66c79824d6b92be3b6c675e545ba09a40a69b53e572c2e69cd2e630335a528428

Download Submit
memory/552-31-0x0000000000540000-0x00000000005E4000-memory.dmp

Filesize
656KB

Download
memory/552-28-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/552-27-0x0000000000540000-0x00000000005E4000-memory.dmp

Filesize
656KB

Download
memory/552-30-0x0000000000540000-0x00000000005E4000-memory.dmp

Filesize
656KB

Download
memory/552-32-0x0000000000540000-0x00000000005E4000-memory.dmp

Filesize
656KB

Download
memory/552-33-0x0000000000540000-0x00000000005E4000-memory.dmp

Filesize
656KB

Download
memory/552-34-0x0000000000540000-0x00000000005E4000-memory.dmp

Filesize
656KB

Download
memory/1584-17-0x0000000000210000-0x000000000027C000-memory.dmp

Filesize
432KB

Download
memory/1584-11-0x0000000000210000-0x000000000027C000-memory.dmp

Filesize
432KB

Download
memory/1584-25-0x0000000000210000-0x000000000027C000-memory.dmp

Filesize
432KB

Download
memory/4372-14-0x0000000000200000-0x000000000026C000-memory.dmp

Filesize
432KB

Download
memory/4372-0-0x0000000000200000-0x000000000026C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads