urelas | a4d64a25831dd6e81d68c5440a8fc4f90dc36ee25f09edfbdaf48ca2f769f22d

General

Target

49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe
Size

6.4MB
MD5

49a9bdb4c48e07556808db66f8a48020
SHA1

294cb0633320606d818ac0297145ed5098fb1bb5
SHA256

a4d64a25831dd6e81d68c5440a8fc4f90dc36ee25f09edfbdaf48ca2f769f22d
SHA512

9d8d30ec8b0edeea82e529469cb10efee3587528b6b65e182711a75d35fde72328cc486edc6d57aa94732162ca2771bc0091c80aaedab999cf322365a5fc8d5d
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVST:i0LrA2kHKQHNk3og9unipQyOaOT

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exeicubj.exefizemo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	icubj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fizemo.exe

Executes dropped EXE 3 IoCs

Processes:

icubj.exefizemo.execyuhu.exe

pid process

4552 icubj.exe
396 fizemo.exe
900 cyuhu.exe

pid	process
4552	icubj.exe
396	fizemo.exe
900	cyuhu.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cyuhu.exe	upx
behavioral2/memory/900-71-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/900-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exeicubj.exefizemo.execyuhu.exe

pid	process
4936	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe
4936	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe
4552	icubj.exe
4552	icubj.exe
396	fizemo.exe
396	fizemo.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe
900	cyuhu.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exeicubj.exefizemo.exe

description	pid	process	target process
PID 4936 wrote to memory of 4552	4936	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	icubj.exe
PID 4936 wrote to memory of 4552	4936	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	icubj.exe
PID 4936 wrote to memory of 4552	4936	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	icubj.exe
PID 4936 wrote to memory of 3768	4936	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	cmd.exe
PID 4936 wrote to memory of 3768	4936	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	cmd.exe
PID 4936 wrote to memory of 3768	4936	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	cmd.exe
PID 4552 wrote to memory of 396	4552	icubj.exe	fizemo.exe
PID 4552 wrote to memory of 396	4552	icubj.exe	fizemo.exe
PID 4552 wrote to memory of 396	4552	icubj.exe	fizemo.exe
PID 396 wrote to memory of 900	396	fizemo.exe	cyuhu.exe
PID 396 wrote to memory of 900	396	fizemo.exe	cyuhu.exe
PID 396 wrote to memory of 900	396	fizemo.exe	cyuhu.exe
PID 396 wrote to memory of 4832	396	fizemo.exe	cmd.exe
PID 396 wrote to memory of 4832	396	fizemo.exe	cmd.exe
PID 396 wrote to memory of 4832	396	fizemo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\icubj.exe
  "C:\Users\Admin\AppData\Local\Temp\icubj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\fizemo.exe
    "C:\Users\Admin\AppData\Local\Temp\fizemo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Users\Admin\AppData\Local\Temp\cyuhu.exe
      "C:\Users\Admin\AppData\Local\Temp\cyuhu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
026d0eab2c0ce12a4771f90694fe2d9b

SHA1
6609caa2c92d91f71b9218ac21c65e9bd221d3ba

SHA256
e8aa3a727423132bffe02c29cd7e1d6dac352a04660ca3c0ea098fe541386b33

SHA512
75ddb3b8bf0cf270a892cdb66309803523bb9fad028d0fdc64c333012831f884da67bf2abdf4282ffe6605810fdba5ba1871125d65f08c4792c61568c617baaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7e2aa13f11c0f1f188672874781bf82f

SHA1
421bc8a2d42cbdb7f2e17cf90dd0b8b68b549ccc

SHA256
b76f435657d21e719770169966f5c54533a235303677d8f56b5ececb38f074f8

SHA512
b5a8ab402a8a6c5399e56263543ea6bf95b656d10632abf7bd853fe4cb94d7895754fba92ad439f40c38c5f605af620290afbf1616a635a6d63c0a2d1f99e4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyuhu.exe

Filesize
459KB

MD5
844f6220e4202613d3986b323105859a

SHA1
88cb3ed25376afa9be90e97616ee3829abe6ee84

SHA256
c8ef7e5ae2eee02265b5cd5e818da382024ef34c1bd5f9e7992ea779ec57635b

SHA512
b45cfabcc2a4f757a26547e24a670aeb0e608a64639588aaa4a43e645805e73bb526c4e3f57fd5dd84d6290bb905e9da5eaada6d3f79b3489810f678b4015818

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9b56d5cf360cfd0e486efe3dd714cf9f

SHA1
876182bb415db5c895a19fb477a0c68e46f6eb83

SHA256
7454b95a5ef79a3422f77101a85a81285648f212252f0f514550e956277c6b42

SHA512
fdd13e9a92839c77bcd70ed3885f45a2c7f1adc2d5c68355276293333cde852b24da133c8d929b03505890278c750249a16e6ac3574941ea429d4c59a74ada12

Download Submit
C:\Users\Admin\AppData\Local\Temp\icubj.exe

Filesize
6.4MB

MD5
115cdf2ce80b870a43bebd222482ed24

SHA1
f130b53dd0963355853706b3c9bbbff149352c59

SHA256
f08fbc5aab9f17388fb3cf6a7347c344a9c5496995a0de4a86b7b4243fa7bf12

SHA512
7613ff6b1644db9b9b97a5587b2eb0d093236da770bdf973b427e113c0282e37121676103c99ab1522b9017d1406d73cf1f5cc07471411f4f3e093e35e927a2a

Download Submit
memory/396-50-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/396-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/396-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/396-51-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/396-52-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/396-53-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/396-54-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/396-55-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/396-56-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/396-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/900-71-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/900-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4552-32-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/4552-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4552-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4552-31-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4552-30-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4552-29-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/4552-28-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/4552-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4552-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4936-1-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/4936-27-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4936-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4936-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4936-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4936-4-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/4936-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4936-5-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/4936-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4936-7-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/4936-6-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/4936-10-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4936-3-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/4936-2-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads