urelas | e00f491885497115ba49a9e0cc7331164e31e68dc1a9727677e7750c85b98f93

General

Target

9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe
Size

6.5MB
MD5

9d6e1791cd381d5dc03cbd241e09c1d0
SHA1

fa8beeaae0d4a8fdc8dcb3dfb127f719a3e0d29a
SHA256

e00f491885497115ba49a9e0cc7331164e31e68dc1a9727677e7750c85b98f93
SHA512

dd7b2691a86acf76eeda10fe63e87ef409c96590b450fe09643e8224af6e2ebbe8a2785e7b3d016f1cf2eda7a9265cddc73e9c5bc238088e271b9cbb943577a8
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS+:i0LrA2kHKQHNk3og9unipQyOaO+

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2676 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

ubism.exetonezo.exeziikd.exe

pid process

2308 ubism.exe
1308 tonezo.exe
2168 ziikd.exe

pid	process
2676	cmd.exe

pid	process
2308	ubism.exe
1308	tonezo.exe
2168	ziikd.exe

Loads dropped DLL 5 IoCs

Processes:

9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exeubism.exetonezo.exe

pid	process
2988	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe
2988	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe
2308	ubism.exe
2308	ubism.exe
1308	tonezo.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ziikd.exe	upx
behavioral1/memory/1308-161-0x0000000004240000-0x00000000043D9000-memory.dmp	upx
behavioral1/memory/2168-171-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2168-178-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exeubism.exetonezo.exeziikd.exe

pid	process
2988	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe
2308	ubism.exe
1308	tonezo.exe
2168	ziikd.exe
2168	ziikd.exe
2168	ziikd.exe
2168	ziikd.exe
2168	ziikd.exe
2168	ziikd.exe
2168	ziikd.exe
2168	ziikd.exe
2168	ziikd.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exeubism.exetonezo.exe

description	pid	process	target process
PID 2988 wrote to memory of 2308	2988	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	ubism.exe
PID 2988 wrote to memory of 2308	2988	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	ubism.exe
PID 2988 wrote to memory of 2308	2988	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	ubism.exe
PID 2988 wrote to memory of 2308	2988	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	ubism.exe
PID 2988 wrote to memory of 2676	2988	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	cmd.exe
PID 2988 wrote to memory of 2676	2988	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	cmd.exe
PID 2988 wrote to memory of 2676	2988	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	cmd.exe
PID 2988 wrote to memory of 2676	2988	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	cmd.exe
PID 2308 wrote to memory of 1308	2308	ubism.exe	tonezo.exe
PID 2308 wrote to memory of 1308	2308	ubism.exe	tonezo.exe
PID 2308 wrote to memory of 1308	2308	ubism.exe	tonezo.exe
PID 2308 wrote to memory of 1308	2308	ubism.exe	tonezo.exe
PID 1308 wrote to memory of 2168	1308	tonezo.exe	ziikd.exe
PID 1308 wrote to memory of 2168	1308	tonezo.exe	ziikd.exe
PID 1308 wrote to memory of 2168	1308	tonezo.exe	ziikd.exe
PID 1308 wrote to memory of 2168	1308	tonezo.exe	ziikd.exe
PID 1308 wrote to memory of 772	1308	tonezo.exe	cmd.exe
PID 1308 wrote to memory of 772	1308	tonezo.exe	cmd.exe
PID 1308 wrote to memory of 772	1308	tonezo.exe	cmd.exe
PID 1308 wrote to memory of 772	1308	tonezo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\ubism.exe
"C:\Users\Admin\AppData\Local\Temp\ubism.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\Temp\tonezo.exe
"C:\Users\Admin\AppData\Local\Temp\tonezo.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\ziikd.exe
"C:\Users\Admin\AppData\Local\Temp\ziikd.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
7675e9ebd70a12a5a681f7f794dcd9d8

SHA1
c18367950aee7df1b4e6b2cf13aaf3ecc2b62a22

SHA256
8b8b2f71a0294e85562c0c582b0d93d7e8c58e55fc3b911013940267998cc0a1

SHA512
928628d939ec9fdfefd7a48b5666f7ea34c0d6ae57c02021f9245df75d363bf79b14257d5512718aa8f6c69485fe28685cdd507bc160a61961697568f865c63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
3679f43bfd1cf9229cc0e203a3087f84

SHA1
0cfe37b23eaba874c3e2c63019aa3c6515b9d27e

SHA256
24a78a2a466b5c86fb11a4e721996f238e149fb5d11e6b58ea61255ccdf30a59

SHA512
3967be244eaa6794156cd118d36d2458e089a69d6612e9001edef01365baeb3829963b06aacf0b3225c6cefa16f8172ee0006a8a389257955e10e2540158fd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
c2ec819428fc8f4b3e68743e452e1ebf

SHA1
d03e266fbbb30f9207b0939557dc1141b14d4623

SHA256
d25bcb56f789130a93a1a8da4859ab1796624f74a5a34494d39504e3e95788aa

SHA512
7cde6aae6cbcc6eecf6bdbc968c3fa1909e32a17fd7b4bac8dababa958b367d312bdb9d6b38ba8a1d11c09592fc95e85bb8d5938ffdf2c08b58a01b12250116f

Download Submit
\Users\Admin\AppData\Local\Temp\ubism.exe
Filesize
6.5MB

MD5
ff30dc2f1b0ab9eda44acb5f6e5c5440

SHA1
bdbed5865db2bba024a5900c4cde27b86499a99d

SHA256
adc212ab6ef57e903102ff96055f6957fc456099be0fafbd6aec17d3389dc1d2

SHA512
4982890091f3d6a8502a1a3a52ce8099014b07ea2e1149a733a60530133c384cd0117272eec0a87ea20306a4cd4e181e323ec020718299ab0801e4c7dd99a0e6

Download Submit
\Users\Admin\AppData\Local\Temp\ziikd.exe
Filesize
459KB

MD5
26553835844d8d2ef339ee9c989d1612

SHA1
1ca13e038d5dbf82eb38d6fa5ba349d0b81594b4

SHA256
2a4d4b7d333fce662761649c05d1fa732d2cf4343cf57da8f22eac5b7c883ac6

SHA512
ce25f40af92d7e8111392b44a4118e24bf5e43e0dadd0a209c9e199eca5ef6b0cf28a6f60008877acdd65c77375bb9050840a60ff3cd13cf810cc2f925f464e7

Download Submit
memory/1308-173-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1308-161-0x0000000004240000-0x00000000043D9000-memory.dmp

Filesize
1.6MB

Download
memory/2168-178-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2168-171-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2308-117-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2308-80-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2308-105-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2308-85-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2308-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2308-87-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2308-116-0x0000000003D60000-0x000000000484C000-memory.dmp

Filesize
10.9MB

Download
memory/2308-82-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2308-114-0x0000000003D60000-0x000000000484C000-memory.dmp

Filesize
10.9MB

Download
memory/2308-54-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2988-16-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2988-14-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2988-51-0x0000000003D30000-0x000000000481C000-memory.dmp

Filesize
10.9MB

Download
memory/2988-52-0x0000000003D30000-0x000000000481C000-memory.dmp

Filesize
10.9MB

Download
memory/2988-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2988-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2988-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2988-100-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2988-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2988-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2988-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2988-13-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2988-106-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2988-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2988-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2988-19-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2988-21-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2988-28-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2988-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2988-32-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2988-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-37-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-24-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2988-26-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2988-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads