urelas | d9ca4bb93c3b8d1e662f0bbb62db56b1de422ba641a51affc7f6ec5ecf1b7f7a

General

Target

563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe
Size

6.4MB
MD5

563ec7c004371e55dbcabdefe0a068a0
SHA1

f37214fbf7124578f0bfa4e5793cf79cb0e0a0b8
SHA256

d9ca4bb93c3b8d1e662f0bbb62db56b1de422ba641a51affc7f6ec5ecf1b7f7a
SHA512

6223244be3a7b48095b5264060bb1066c2d4a94ca6b103dd97aa8ae47aaf249b2f3f12da6684ceafe0cc7923661ef49e62814162171abdd23a79b0115647d6f0
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSX:i0LrA2kHKQHNk3og9unipQyOaOX

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exemuebo.exelocugu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	muebo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	locugu.exe

Executes dropped EXE 3 IoCs

Processes:

muebo.exelocugu.exeqopos.exe

pid process

4532 muebo.exe
5004 locugu.exe
5100 qopos.exe

pid	process
4532	muebo.exe
5004	locugu.exe
5100	qopos.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\qopos.exe	upx
behavioral2/memory/5100-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/5100-74-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exemuebo.exelocugu.exeqopos.exe

pid	process
1216	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe
1216	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe
4532	muebo.exe
4532	muebo.exe
5004	locugu.exe
5004	locugu.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe
5100	qopos.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exemuebo.exelocugu.exe

description	pid	process	target process
PID 1216 wrote to memory of 4532	1216	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	muebo.exe
PID 1216 wrote to memory of 4532	1216	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	muebo.exe
PID 1216 wrote to memory of 4532	1216	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	muebo.exe
PID 1216 wrote to memory of 2396	1216	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	cmd.exe
PID 1216 wrote to memory of 2396	1216	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	cmd.exe
PID 1216 wrote to memory of 2396	1216	563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe	cmd.exe
PID 4532 wrote to memory of 5004	4532	muebo.exe	locugu.exe
PID 4532 wrote to memory of 5004	4532	muebo.exe	locugu.exe
PID 4532 wrote to memory of 5004	4532	muebo.exe	locugu.exe
PID 5004 wrote to memory of 5100	5004	locugu.exe	qopos.exe
PID 5004 wrote to memory of 5100	5004	locugu.exe	qopos.exe
PID 5004 wrote to memory of 5100	5004	locugu.exe	qopos.exe
PID 5004 wrote to memory of 4732	5004	locugu.exe	cmd.exe
PID 5004 wrote to memory of 4732	5004	locugu.exe	cmd.exe
PID 5004 wrote to memory of 4732	5004	locugu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\563ec7c004371e55dbcabdefe0a068a0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\muebo.exe
  "C:\Users\Admin\AppData\Local\Temp\muebo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\locugu.exe
    "C:\Users\Admin\AppData\Local\Temp\locugu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\qopos.exe
      "C:\Users\Admin\AppData\Local\Temp\qopos.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
dcc8b487dfae5d29a2ebd248933341d4

SHA1
c0d87277716ea0072a3a9667d7483048c4573979

SHA256
1b1ecbc4bf3bcf79f5aa92a699e60fd723a5bcb93184baeeee1a9736ee0546c2

SHA512
aa03571400e9a29ae0dfb6fc2fe8e23e69eaba24ca794fd957ce03b16b980a22a45015ec09ce6dc2c21f20d0e78ec91bf28e8dc51080c65654642690755a87a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
72bfec1d9f1b6508ad708a6bec515754

SHA1
435875e2ae52c56792a1db734947551b185ea8fb

SHA256
4b3c41af184451a2507b298ededb9e6cb180ffa03376b48169c42cdea3c0af53

SHA512
321fd53fd04016c39d422e6ec152bd21227a0718f8a86d4b258e9371f17d284776d583ab8a829df238ff4510c49a53fa8a22344d5ae2f362f58232677faadf40

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a95d41ae4f01657e0ec47e5d70ca96fe

SHA1
8fc7928df9031974214961a1a9e9f62bcc4cbba3

SHA256
2dc12482b984d754f7a0ce20e949137d8b825335cf56b8c941cde3b07cacd0dc

SHA512
a462beeb76b2bbfe4864a7b02e2c17fc25a681a2506960b318c7d3624175abda340dad6a8883d06439c2c416a41dc4d37b6a6d6e86e4c465c2a2c267b416d714

Download Submit
C:\Users\Admin\AppData\Local\Temp\muebo.exe

Filesize
6.4MB

MD5
78c3ddd827f5420b9fd47345ed78c3f3

SHA1
9e5d30f537798497eebe42ba363b2ead3b6c7aa6

SHA256
4625d5652089ddd8f10d964a69fc17219079f7cd01f7be1268e05718e6a4c4bd

SHA512
0068d5475455a39c72b51568363dc7e6acec984d96613ca07ab7adb1e48fa25ea1bc32d0e320cc28eaccea0f8ca97a8882d740734d67aad748bc322bcdb6047a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qopos.exe

Filesize
459KB

MD5
8229318e8dbd0380b3223b2aff95580b

SHA1
391225b64f6eee11431dae8019b30002c46b22c1

SHA256
229474bb92aff5b122b9e84eea93630c412ca3aeee2ddb83bc4525df4c2a6542

SHA512
7dc490cf3fc791425cf93f83bf9306b45fd5e6ef547dd909e60e4e9a0528016f2d5dadfb166aeda29f286bf054a8e73bd01a9d0b28f21967d9c2e3e0d89cccf7

Download Submit
memory/1216-4-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1216-5-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1216-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1216-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1216-1-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/1216-6-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1216-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1216-25-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1216-7-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/1216-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1216-8-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/1216-2-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1216-3-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/4532-31-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4532-32-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/4532-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4532-30-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4532-29-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/4532-28-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/4532-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4532-27-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4532-33-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/4532-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5004-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5004-55-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/5004-54-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/5004-52-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/5004-51-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/5004-49-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/5004-53-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/5004-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5004-50-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/5004-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5100-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/5100-74-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads