urelas | 0e5558661eb5f41024501a214e450206e8000f27d528053126db9055df520d27

General

Target

0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe
Size

331KB
MD5

0a5299aad2c051d927fbf424d98bb080
SHA1

d70a7563a998e324969a42b0a346eb5079513e08
SHA256

0e5558661eb5f41024501a214e450206e8000f27d528053126db9055df520d27
SHA512

1113535074cf4a4b06ed86bc9694ebfafdb882cce759ed09fbd65e0d0676e51192b2e31f2a3eddfb61afbeffc8209239c8a55ddbc05ed33cdac0ad0f017d0a5b
SSDEEP

6144:yty5fbpxDuMcHYwt1gxloqtaE5iWbUMqfn8EijRUNafrHBw/iA:ytCLD7+51gxeq3gOU9EEQrhMz

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exeamyvf.exeruxiko.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	amyvf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ruxiko.exe

Executes dropped EXE 3 IoCs

Processes:

amyvf.exeruxiko.exegokue.exe

pid process

216 amyvf.exe
1180 ruxiko.exe
3328 gokue.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
216	amyvf.exe
1180	ruxiko.exe
3328	gokue.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gokue.exe

pid	process
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe
3328	gokue.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exeamyvf.exeruxiko.exe

description	pid	process	target process
PID 100 wrote to memory of 216	100	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	amyvf.exe
PID 100 wrote to memory of 216	100	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	amyvf.exe
PID 100 wrote to memory of 216	100	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	amyvf.exe
PID 100 wrote to memory of 2400	100	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	cmd.exe
PID 100 wrote to memory of 2400	100	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	cmd.exe
PID 100 wrote to memory of 2400	100	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	cmd.exe
PID 216 wrote to memory of 1180	216	amyvf.exe	ruxiko.exe
PID 216 wrote to memory of 1180	216	amyvf.exe	ruxiko.exe
PID 216 wrote to memory of 1180	216	amyvf.exe	ruxiko.exe
PID 1180 wrote to memory of 3328	1180	ruxiko.exe	gokue.exe
PID 1180 wrote to memory of 3328	1180	ruxiko.exe	gokue.exe
PID 1180 wrote to memory of 3328	1180	ruxiko.exe	gokue.exe
PID 1180 wrote to memory of 1920	1180	ruxiko.exe	cmd.exe
PID 1180 wrote to memory of 1920	1180	ruxiko.exe	cmd.exe
PID 1180 wrote to memory of 1920	1180	ruxiko.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:100
- C:\Users\Admin\AppData\Local\Temp\amyvf.exe
  "C:\Users\Admin\AppData\Local\Temp\amyvf.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\ruxiko.exe
    "C:\Users\Admin\AppData\Local\Temp\ruxiko.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\gokue.exe
      "C:\Users\Admin\AppData\Local\Temp\gokue.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
a011fbf19e5e6d993f257224c8c022ba

SHA1
19d0e28f14ee707c0a2adbddf93b3d7204b4fbe4

SHA256
0f99d4760105424657c8d593e87b17ab5890381a8cea295396b6baae5657ca14

SHA512
385d72981735bffa898b761b1122246dffc6c3cd2cb6b5b91d9b27e3d1beb742538218d30e457ecf8bf517848618ea4e37a73c9c2275fb8fa8e8b7cfd9530229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
0645507e8ff36c4fbd93ffc29d34d0e1

SHA1
ef6ebeae97032bbe919e66c058d6a9c9f3ab25e2

SHA256
d0d1af0cfd519df2ff5632f6fbe9cdc1937891e2a4caeb9df230f873f6e4916d

SHA512
db14abd137fda52111fd4d27c58cebae7e4158b9f9f87f2c3893153864f9a8a821c3294654046700cb0d50e1d806e9cbb716a2eaa79274b8adcde9a7fe410d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amyvf.exe

Filesize
331KB

MD5
e2bec74958cdde9d203f5622ca1717e7

SHA1
f514929651b991cf7998124be60b8ac91a42ece3

SHA256
3719297383cc8c05fa5629aefbeb2b6458b35568cb28cbeb6063000d052ea19d

SHA512
0e48768f18a03f2723765870b877b7885583ca289dc7e6983efa738a203fe25b6e50572a3b0d5d3fe752d72d543919c41daa711c8bae6f3723ff8362eceb69ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokue.exe

Filesize
223KB

MD5
2c3eb74542e4cda86d9d16be4f577a7d

SHA1
9e8d362981338db406d5db1b47d48337183c8048

SHA256
e98d6ea2c78f7244be3a85d9c56df34a2946e32decabbb09c8dab68ad044b8ba

SHA512
3aa14174299a65258caa7ed6a77375195db7a7ea9f1ffb6d71ecb6b8102744b74cfc346628505aa308269628d46141f7e3d7fc660eeb112acf485930c6833386

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b73b858327b283b185f84e49c79549ae

SHA1
0eee43c68c775197877d0972b8dbc6a52659654e

SHA256
04bc9f197f0c705560494c1bc2587bc08d4138c751242e9f590e57dcc7b84c5c

SHA512
570c9707dc107ec9a30af219d4dff7ce8089b46617a38ec74d45ddd5d7968046694dbbd03b7df6bd43771b0bd83c4c678f480db350738c2c76bfe98557b4d23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruxiko.exe

Filesize
331KB

MD5
5819a1602a5f61467d3aca4c1019cfad

SHA1
89e56ad12d31dbb6965c80a8eb399f107d0c5587

SHA256
2e420e988c096afeae5785b3c8c9a9d5e9234ffe898cef7fbf24ad5a8ceb1bbd

SHA512
7921015c097cb0f815912a8a13e8635efd8c54bc3a324c9b5ad972fa8b47f84a32bff255381ea87ff4451b51149b4b8d0f7c92a96f00b670a88b815ccf085042

Download Submit
memory/100-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/100-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/216-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/216-28-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1180-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1180-51-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1180-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3328-49-0x00000000008E0000-0x0000000000980000-memory.dmp

Filesize
640KB

Download
memory/3328-54-0x00000000008E0000-0x0000000000980000-memory.dmp

Filesize
640KB

Download
memory/3328-55-0x00000000008E0000-0x0000000000980000-memory.dmp

Filesize
640KB

Download
memory/3328-56-0x00000000008E0000-0x0000000000980000-memory.dmp

Filesize
640KB

Download
memory/3328-57-0x00000000008E0000-0x0000000000980000-memory.dmp

Filesize
640KB

Download
memory/3328-58-0x00000000008E0000-0x0000000000980000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads