urelas | a173df64c5cac8fade7a480d53d0c55af138f41ae25a11a0f1653984eb3cf019

General

Target

87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe
Size

399KB
MD5

87df4aa743aa38020380f61c9cee9100
SHA1

891fa34174bd7386a255659d2e1a43dc133c65fb
SHA256

a173df64c5cac8fade7a480d53d0c55af138f41ae25a11a0f1653984eb3cf019
SHA512

54b59e529a7ac51c3819cb5f437edcb869bea35c796f7fbbdbce91238c5a83f997542845a4fd12dd848c60b43fb04df12f78bf9670500b6bcc18eeb1d7c30a3d
SSDEEP

6144:1sa1jZVgy03se7k5kBTTg7YMz6j8GuHEqqtKKUrBwj3bT3RzS:rtVgyuse2kBXg7Cj81cKK7jfRS

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2668 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

fojul.execoizk.exe

pid process

1264 fojul.exe
1684 coizk.exe
Loads dropped DLL 4 IoCs

Processes:

87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exefojul.exe

pid process

1312 87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe
1312 87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe
1264 fojul.exe
1264 fojul.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2668	cmd.exe

pid	process
1264	fojul.exe
1684	coizk.exe

pid	process
1312	87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe
1312	87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe
1264	fojul.exe
1264	fojul.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

coizk.exe

pid	process
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe
1684	coizk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exefojul.exe

description	pid	process	target process
PID 1312 wrote to memory of 1264	1312	87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe	fojul.exe
PID 1312 wrote to memory of 1264	1312	87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe	fojul.exe
PID 1312 wrote to memory of 1264	1312	87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe	fojul.exe
PID 1312 wrote to memory of 1264	1312	87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe	fojul.exe
PID 1312 wrote to memory of 2668	1312	87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe	cmd.exe
PID 1312 wrote to memory of 2668	1312	87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe	cmd.exe
PID 1312 wrote to memory of 2668	1312	87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe	cmd.exe
PID 1312 wrote to memory of 2668	1312	87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe	cmd.exe
PID 1264 wrote to memory of 1684	1264	fojul.exe	coizk.exe
PID 1264 wrote to memory of 1684	1264	fojul.exe	coizk.exe
PID 1264 wrote to memory of 1684	1264	fojul.exe	coizk.exe
PID 1264 wrote to memory of 1684	1264	fojul.exe	coizk.exe

C:\Users\Admin\AppData\Local\Temp\87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\87df4aa743aa38020380f61c9cee9100_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\fojul.exe
"C:\Users\Admin\AppData\Local\Temp\fojul.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\coizk.exe
"C:\Users\Admin\AppData\Local\Temp\coizk.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
2583926963fac30b7d5af56123f46fa5

SHA1
fb0328e4027c2bdf7464bf0a339016b64cc212b5

SHA256
d78b8a268eb39c1875165e8a448a1b47c48aa446d3475218086167d440dcc198

SHA512
75f6e4c90a4f679f8d0c8fba0bcf58b5b3b29abbc204f9e8045c12169bc061ecfc3dc33890d07844284f3f9bef111b1f903d9ad0d19f5fcf5004ffae88d415c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
fe0798606da994b3496b0a606f222bfa

SHA1
37fcd2710253214250e68f6124349ca6fb90ce8f

SHA256
2b711a35e21e008383426561494c2e82772635797262ed7b09f1ca061a068e2e

SHA512
5c404131c47be9d66d9f15d9972ce25531c87ceb0b826991d60cab0e38eb64c532406363c89663df2212690aaec34600f9be47021025c9464188ad6f55eddc74

Download Submit
\Users\Admin\AppData\Local\Temp\coizk.exe
Filesize
206KB

MD5
06fe64e048d493299341e61bdb5083dd

SHA1
e54c5dbf069b3835f46a4598c61a43c77a5a44c6

SHA256
347382b492de8652216e8dac4c00906ca96c3d671687d3aed6145262705f3f6f

SHA512
3f04abf11b090992331887c904810995a19bb9b4d79fb2fa6a897b69a3f23d99919dcce50c9dfcd5a152d4bb503551da047cc24468f79109e40c4ab693abc354

Download Submit
\Users\Admin\AppData\Local\Temp\fojul.exe
Filesize
399KB

MD5
b2f20a44ad2fddf96b0979f2694e01a2

SHA1
42c47fe3b87e9ec7ceb9584cda849681ecb60189

SHA256
d405f9264db27f38d300e5cf10968137beea0f92c4b052ce000e87f10aada4e5

SHA512
17fc2d9d198b7b6c9bfaaf4e2b071a21b28843361b0d9c2f55168425d650380830e7913f3f7668d782f6bbec2ccf6a7deb85add277ec45dfc7002deeb3bd087e

Download Submit
memory/1264-13-0x0000000000830000-0x0000000000898000-memory.dmp

Filesize
416KB

Download
memory/1264-32-0x0000000000830000-0x0000000000898000-memory.dmp

Filesize
416KB

Download
memory/1312-21-0x0000000000B10000-0x0000000000B78000-memory.dmp

Filesize
416KB

Download
memory/1312-0-0x0000000000B10000-0x0000000000B78000-memory.dmp

Filesize
416KB

Download
memory/1312-6-0x0000000000A20000-0x0000000000A88000-memory.dmp

Filesize
416KB

Download
memory/1684-34-0x00000000013C0000-0x000000000145B000-memory.dmp

Filesize
620KB

Download
memory/1684-36-0x00000000013C0000-0x000000000145B000-memory.dmp

Filesize
620KB

Download
memory/1684-37-0x00000000013C0000-0x000000000145B000-memory.dmp

Filesize
620KB

Download
memory/1684-38-0x00000000013C0000-0x000000000145B000-memory.dmp

Filesize
620KB

Download
memory/1684-39-0x00000000013C0000-0x000000000145B000-memory.dmp

Filesize
620KB

Download
memory/1684-40-0x00000000013C0000-0x000000000145B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing