urelas | d9ca4bb93c3b8d1e662f0bbb62db56b1de422ba641a51affc7f6ec5ecf1b7f7a

General

Target

563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe
Size

6.4MB
MD5

563ec7c004371e55dbcabdefe0a068a0
SHA1

f37214fbf7124578f0bfa4e5793cf79cb0e0a0b8
SHA256

d9ca4bb93c3b8d1e662f0bbb62db56b1de422ba641a51affc7f6ec5ecf1b7f7a
SHA512

6223244be3a7b48095b5264060bb1066c2d4a94ca6b103dd97aa8ae47aaf249b2f3f12da6684ceafe0cc7923661ef49e62814162171abdd23a79b0115647d6f0
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSX:i0LrA2kHKQHNk3og9unipQyOaOX

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2640 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

kopiv.exepuwyru.exeichef.exe

pid process

2576 kopiv.exe
2224 puwyru.exe
1908 ichef.exe

pid	process
2640	cmd.exe

pid	process
2576	kopiv.exe
2224	puwyru.exe
1908	ichef.exe

Loads dropped DLL 5 IoCs

Processes:

563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exekopiv.exepuwyru.exe

pid	process
1500	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe
1500	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe
2576	kopiv.exe
2576	kopiv.exe
2224	puwyru.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ichef.exe	upx
behavioral1/memory/1908-164-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2224-162-0x0000000004410000-0x00000000045A9000-memory.dmp	upx
behavioral1/memory/1908-177-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exekopiv.exepuwyru.exeichef.exe

pid	process
1500	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe
2576	kopiv.exe
2224	puwyru.exe
1908	ichef.exe
1908	ichef.exe
1908	ichef.exe
1908	ichef.exe
1908	ichef.exe
1908	ichef.exe
1908	ichef.exe
1908	ichef.exe
1908	ichef.exe
1908	ichef.exe
1908	ichef.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exekopiv.exepuwyru.exe

description	pid	process	target process
PID 1500 wrote to memory of 2576	1500	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	kopiv.exe
PID 1500 wrote to memory of 2576	1500	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	kopiv.exe
PID 1500 wrote to memory of 2576	1500	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	kopiv.exe
PID 1500 wrote to memory of 2576	1500	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	kopiv.exe
PID 1500 wrote to memory of 2640	1500	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	cmd.exe
PID 1500 wrote to memory of 2640	1500	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	cmd.exe
PID 1500 wrote to memory of 2640	1500	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	cmd.exe
PID 1500 wrote to memory of 2640	1500	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	cmd.exe
PID 2576 wrote to memory of 2224	2576	kopiv.exe	puwyru.exe
PID 2576 wrote to memory of 2224	2576	kopiv.exe	puwyru.exe
PID 2576 wrote to memory of 2224	2576	kopiv.exe	puwyru.exe
PID 2576 wrote to memory of 2224	2576	kopiv.exe	puwyru.exe
PID 2224 wrote to memory of 1908	2224	puwyru.exe	ichef.exe
PID 2224 wrote to memory of 1908	2224	puwyru.exe	ichef.exe
PID 2224 wrote to memory of 1908	2224	puwyru.exe	ichef.exe
PID 2224 wrote to memory of 1908	2224	puwyru.exe	ichef.exe
PID 2224 wrote to memory of 1792	2224	puwyru.exe	cmd.exe
PID 2224 wrote to memory of 1792	2224	puwyru.exe	cmd.exe
PID 2224 wrote to memory of 1792	2224	puwyru.exe	cmd.exe
PID 2224 wrote to memory of 1792	2224	puwyru.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\kopiv.exe
"C:\Users\Admin\AppData\Local\Temp\kopiv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\puwyru.exe
"C:\Users\Admin\AppData\Local\Temp\puwyru.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\ichef.exe
"C:\Users\Admin\AppData\Local\Temp\ichef.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
efa6765d21fb6eac0677ce93fabb7615

SHA1
1989576dd36ca3eedfd44a0f40f0d4ca2f0ef93f

SHA256
59ea304dac3346589b1d23a33bfff758aa7838296e72fb44f844522bd45ae40e

SHA512
b99a3a0a8cae2a13d3af9abed0becc0f0d7c5f0c48ae6849c556b27ecdba8275bc43e188118ac6ff582c2e90c782df7fbbcbaae499d16c2a7d9a342f867bb4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
dcc8b487dfae5d29a2ebd248933341d4

SHA1
c0d87277716ea0072a3a9667d7483048c4573979

SHA256
1b1ecbc4bf3bcf79f5aa92a699e60fd723a5bcb93184baeeee1a9736ee0546c2

SHA512
aa03571400e9a29ae0dfb6fc2fe8e23e69eaba24ca794fd957ce03b16b980a22a45015ec09ce6dc2c21f20d0e78ec91bf28e8dc51080c65654642690755a87a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
55067fbdad6010f6e4b981f9013f36cd

SHA1
67427397752cccecabede6c2d599b05f1b2a8e16

SHA256
72ab68b3d77e059db0134a14a4f1fff0d8d4d7c0c98522b894914e7f7d1cbb64

SHA512
8692fb28e6dae952d562ab6380187d2fe229f5f6c7f1ef7d30b71ae23c75671ca611ca58d6758f27e1ac49935b5940de363ca7ffb47caf35747db30344803b54

Download Submit
\Users\Admin\AppData\Local\Temp\ichef.exe
Filesize
459KB

MD5
a8ad12cb5358467c9ae0353b1c37aea7

SHA1
345d83b75ec7c47ea1492e1d63a4dffc7166fd46

SHA256
d52c5e57087b2f406782ed8e1fc8ed09ae78ea0aaaa935e08089864bc3f686bd

SHA512
69ef3d7e742d84d0ad2d19446baece9d45a35ebee41d1ccd2a57159a9cf76fffe1d22add4ab0ca33d93e406062ff0ef715127326c55735a2bfc3434ec598ce26

Download Submit
\Users\Admin\AppData\Local\Temp\kopiv.exe
Filesize
6.4MB

MD5
e0bea249a6d332ab225438b177386879

SHA1
f07d322a4aa49a3eb237f602cc8a243805d661c0

SHA256
feea0e86e0e0cb7a9bb22ed6b3a2b362f45c460097a817b6ef01c79376d1747a

SHA512
75bce7e75921945f438ebf424eb52f6dc59a4209e1c7ea4d0eb8beee4ec3b560b48f3b2d506518e50dfff9607e7cb28bf09151fae9377e0433e0f7e874be2e6b

Download Submit
memory/1500-55-0x0000000003990000-0x000000000447C000-memory.dmp

Filesize
10.9MB

Download
memory/1500-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1500-34-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1500-31-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1500-29-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1500-26-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1500-24-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1500-21-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1500-19-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1500-16-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1500-14-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1500-12-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1500-11-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1500-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1500-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1500-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1500-53-0x0000000003990000-0x000000000447C000-memory.dmp

Filesize
10.9MB

Download
memory/1500-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1500-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1500-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1500-89-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1500-36-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1500-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1500-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1500-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1908-164-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1908-177-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2224-172-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2224-162-0x0000000004410000-0x00000000045A9000-memory.dmp

Filesize
1.6MB

Download
memory/2576-88-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2576-73-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2576-71-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2576-68-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2576-66-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2576-114-0x0000000003C50000-0x000000000473C000-memory.dmp

Filesize
10.9MB

Download
memory/2576-117-0x0000000003C50000-0x000000000473C000-memory.dmp

Filesize
10.9MB

Download
memory/2576-116-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2576-104-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2576-102-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2576-76-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2576-78-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2576-81-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2576-83-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2576-86-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads