urelas | 96b9c1f6f5bade14e19a5b08c51e867e749970c808b6e86021a25bb657eb31cd

General

Target

1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe
Size

308KB
MD5

1f1263d14acea95bb0acbb46e563cfb0
SHA1

452ce81cd43182a01c1e2fa7d60db0c047c29c95
SHA256

96b9c1f6f5bade14e19a5b08c51e867e749970c808b6e86021a25bb657eb31cd
SHA512

8a24a20e064668da4e1ecfb158b2f510701b09d67a17836a6db4832925b1a06a4f02f2e6a2dad8910615eebb75017d65e61c6bdcddb6f58b49385f092430559b
SSDEEP

3072:dQisJFjI/DmZwx0eJSUbx3ECbZS42t8sJ4yYdfp4Qz28h+0W6Y4704jGopBhj5:dQi+reSUbnbA8VKQq8hpW6p75PpBhj5

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2680 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

mizob.exeebmozo.exefygec.exe

pid process

2752 mizob.exe
2736 ebmozo.exe
272 fygec.exe

pid	process
2680	cmd.exe

pid	process
2752	mizob.exe
2736	ebmozo.exe
272	fygec.exe

Loads dropped DLL 5 IoCs

Processes:

1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exemizob.exeebmozo.exe

pid	process
2156	1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe
2156	1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe
2752	mizob.exe
2752	mizob.exe
2736	ebmozo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

fygec.exe

pid	process
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe
272	fygec.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exemizob.exeebmozo.exe

description	pid	process	target process
PID 2156 wrote to memory of 2752	2156	1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe	mizob.exe
PID 2156 wrote to memory of 2752	2156	1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe	mizob.exe
PID 2156 wrote to memory of 2752	2156	1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe	mizob.exe
PID 2156 wrote to memory of 2752	2156	1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe	mizob.exe
PID 2156 wrote to memory of 2680	2156	1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe	cmd.exe
PID 2156 wrote to memory of 2680	2156	1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe	cmd.exe
PID 2156 wrote to memory of 2680	2156	1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe	cmd.exe
PID 2156 wrote to memory of 2680	2156	1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe	cmd.exe
PID 2752 wrote to memory of 2736	2752	mizob.exe	ebmozo.exe
PID 2752 wrote to memory of 2736	2752	mizob.exe	ebmozo.exe
PID 2752 wrote to memory of 2736	2752	mizob.exe	ebmozo.exe
PID 2752 wrote to memory of 2736	2752	mizob.exe	ebmozo.exe
PID 2736 wrote to memory of 272	2736	ebmozo.exe	fygec.exe
PID 2736 wrote to memory of 272	2736	ebmozo.exe	fygec.exe
PID 2736 wrote to memory of 272	2736	ebmozo.exe	fygec.exe
PID 2736 wrote to memory of 272	2736	ebmozo.exe	fygec.exe
PID 2736 wrote to memory of 356	2736	ebmozo.exe	cmd.exe
PID 2736 wrote to memory of 356	2736	ebmozo.exe	cmd.exe
PID 2736 wrote to memory of 356	2736	ebmozo.exe	cmd.exe
PID 2736 wrote to memory of 356	2736	ebmozo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f1263d14acea95bb0acbb46e563cfb0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\mizob.exe
"C:\Users\Admin\AppData\Local\Temp\mizob.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\ebmozo.exe
"C:\Users\Admin\AppData\Local\Temp\ebmozo.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\fygec.exe
"C:\Users\Admin\AppData\Local\Temp\fygec.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:272

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:356

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
6ff92e1d71f8ec912b7999c54b07b0ae

SHA1
b22d8b5ad28cc9ffff7bef4de0850f4a41848ddf

SHA256
6c8f027206f3611ce5bc97a0a63b347b58fe842c6996c09b8bcc465291901c84

SHA512
0fb18f6ba8e598387a5b7086ef0cd800722d870821fe5fc1caf535ad2eacc80fa62421eecca95630a635873e7cf337b5311a1d1bd6168f11cb94f7cf64d97f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
41631f6094834e4b0e7b4fbc022afddc

SHA1
627d42e85da682b9479c7311d2253d6403ec4a01

SHA256
040b44ee7ccdfd0869097f77a80259b7c1a1eb771b272512da9f97fc09506553

SHA512
27ed05746345af784f85fe8cbb9984d6fecd9504675d68facf666b47f0abc533ed3b5b10efeda1145aef244a2066297200e1f44ed936298b7b95bbfa5899fdd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
f6f8049ef02d9a6a99005d80faba01e6

SHA1
c1f1f3028eadac4b04ab7200815ccba968ae57c7

SHA256
8cbc3fa3894fb96b3244b9a135114b217abb39edcb15ba999a1122d05eaf21cc

SHA512
630a663a61dba1c7cbe7d66dd2eb2f864943570153c605f187dccae80cb5d249b2efd1fce7f5122b52c0c48eed9e5eab6596ff09a49d59a545bb7cd5e2af96c8

Download Submit
\Users\Admin\AppData\Local\Temp\fygec.exe
Filesize
111KB

MD5
8af92f14c9ca3268f26e484f23e8b9ed

SHA1
8b77e4f764d93fa23b9e20366b3c509c605a3817

SHA256
6cccfc0b84c20b4ffd747bf79ca3f7c54f41b17096c9f68e6416dd507e5b8b77

SHA512
5609e8abb8790d4b497c593265e1110b7095142dfd95d529efcf81206650135ba3c76dcd6b88e32c87a41456c85e52ed7f10669661119859c3e15b31db39fafc

Download Submit
\Users\Admin\AppData\Local\Temp\mizob.exe
Filesize
308KB

MD5
b81861506967cb231f5c0d75830926b8

SHA1
437d5bb7463d523840dcbc12d2b1f51bb17172b9

SHA256
a02f7169edc6a1f4132629e42044c05822ef00fe7377f7896d60b368b660a41d

SHA512
91f867daecfb6c1dfd4307936f44116a4d604fd776c9a13226b3878680adc4ec06ce12762065faa2b900d7d535d57a20c0f5698efd10f6626dcf9d6c5542b97e

Download Submit
memory/272-51-0x0000000000880000-0x0000000000908000-memory.dmp

Filesize
544KB

Download
memory/272-59-0x0000000000880000-0x0000000000908000-memory.dmp

Filesize
544KB

Download
memory/272-63-0x0000000000880000-0x0000000000908000-memory.dmp

Filesize
544KB

Download
memory/272-62-0x0000000000880000-0x0000000000908000-memory.dmp

Filesize
544KB

Download
memory/272-61-0x0000000000880000-0x0000000000908000-memory.dmp

Filesize
544KB

Download
memory/272-60-0x0000000000880000-0x0000000000908000-memory.dmp

Filesize
544KB

Download
memory/272-58-0x0000000000880000-0x0000000000908000-memory.dmp

Filesize
544KB

Download
memory/272-55-0x0000000000880000-0x0000000000908000-memory.dmp

Filesize
544KB

Download
memory/2156-9-0x0000000000540000-0x000000000058C000-memory.dmp

Filesize
304KB

Download
memory/2156-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2156-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2736-54-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2736-35-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2752-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2752-32-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads