urelas | e00f491885497115ba49a9e0cc7331164e31e68dc1a9727677e7750c85b98f93

General

Target

9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe
Size

6.5MB
MD5

9d6e1791cd381d5dc03cbd241e09c1d0
SHA1

fa8beeaae0d4a8fdc8dcb3dfb127f719a3e0d29a
SHA256

e00f491885497115ba49a9e0cc7331164e31e68dc1a9727677e7750c85b98f93
SHA512

dd7b2691a86acf76eeda10fe63e87ef409c96590b450fe09643e8224af6e2ebbe8a2785e7b3d016f1cf2eda7a9265cddc73e9c5bc238088e271b9cbb943577a8
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS+:i0LrA2kHKQHNk3og9unipQyOaO+

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exeseict.exeuhzolo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	seict.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	uhzolo.exe

Executes dropped EXE 3 IoCs

Processes:

seict.exeuhzolo.exegykyd.exe

pid process

3368 seict.exe
3656 uhzolo.exe
5104 gykyd.exe

pid	process
3368	seict.exe
3656	uhzolo.exe
5104	gykyd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gykyd.exe	upx
behavioral2/memory/5104-69-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/5104-74-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exeseict.exeuhzolo.exegykyd.exe

pid	process
2184	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe
2184	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe
3368	seict.exe
3368	seict.exe
3656	uhzolo.exe
3656	uhzolo.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe
5104	gykyd.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exeseict.exeuhzolo.exe

description	pid	process	target process
PID 2184 wrote to memory of 3368	2184	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	seict.exe
PID 2184 wrote to memory of 3368	2184	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	seict.exe
PID 2184 wrote to memory of 3368	2184	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	seict.exe
PID 2184 wrote to memory of 1464	2184	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	cmd.exe
PID 2184 wrote to memory of 1464	2184	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	cmd.exe
PID 2184 wrote to memory of 1464	2184	9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe	cmd.exe
PID 3368 wrote to memory of 3656	3368	seict.exe	uhzolo.exe
PID 3368 wrote to memory of 3656	3368	seict.exe	uhzolo.exe
PID 3368 wrote to memory of 3656	3368	seict.exe	uhzolo.exe
PID 3656 wrote to memory of 5104	3656	uhzolo.exe	gykyd.exe
PID 3656 wrote to memory of 5104	3656	uhzolo.exe	gykyd.exe
PID 3656 wrote to memory of 5104	3656	uhzolo.exe	gykyd.exe
PID 3656 wrote to memory of 1892	3656	uhzolo.exe	cmd.exe
PID 3656 wrote to memory of 1892	3656	uhzolo.exe	cmd.exe
PID 3656 wrote to memory of 1892	3656	uhzolo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d6e1791cd381d5dc03cbd241e09c1d0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\seict.exe
  "C:\Users\Admin\AppData\Local\Temp\seict.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\uhzolo.exe
    "C:\Users\Admin\AppData\Local\Temp\uhzolo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\gykyd.exe
      "C:\Users\Admin\AppData\Local\Temp\gykyd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
3679f43bfd1cf9229cc0e203a3087f84

SHA1
0cfe37b23eaba874c3e2c63019aa3c6515b9d27e

SHA256
24a78a2a466b5c86fb11a4e721996f238e149fb5d11e6b58ea61255ccdf30a59

SHA512
3967be244eaa6794156cd118d36d2458e089a69d6612e9001edef01365baeb3829963b06aacf0b3225c6cefa16f8172ee0006a8a389257955e10e2540158fd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
70f70943c447d552db1a84dd7475e00c

SHA1
bba2d6457f3b17003be3797f93fb4e055f3c3797

SHA256
40d6e64b3e56c7f59d53e94226e410564b0ba56a5ebba79b1aab3ff12229126a

SHA512
ccc7924fa677e406d0fbd90fa6b16ebe059e581d1f3220e1a0264bceeffa4f2fb348a4ac13a367009d71e8731639c7ed98b401b9b14970aba497cc7dc2f6d7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4331fe31811ab1f0c5cd5f98e8bd0923

SHA1
03d776dddaaa31de81441ae69f4f84ac640cd850

SHA256
9155ba4bdd722e384f648797049c0ba8846637f14212620ca1d818a16b2d833b

SHA512
1be57670dd569786242897bdff539be10120915b96dc935d174663e24d4445d86d00262e15a10ba6b8a3c87eb7b24809fdf1cabb989f89bfa214b91a5aa2dc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\gykyd.exe

Filesize
459KB

MD5
558a3ef565ec9f6868f9e9542eadeda7

SHA1
06309a509aa5f26dbffc4ebc9f16cfbb64ad4e33

SHA256
c7c5dc09440780ca36e1ce632a27acd4991f890b15f0d84c2ee2c2fdd262f290

SHA512
c63052b92e8b0d433267b283ebccdf728ba26892da61fce0e00697421460ab6919e756a2444ce9ab35246db46b3b6bc4454ba322145d9f624bea54b4bbba1518

Download Submit
C:\Users\Admin\AppData\Local\Temp\seict.exe

Filesize
6.5MB

MD5
b8421bccbf777c0592278c9e73f2f823

SHA1
670951cedd14efa26b5c93d33f2261f0c78015de

SHA256
1c4ddcd33818738b4d6ee386b7b9fc9a8c764482455a46d3f365bbf58e96c2bf

SHA512
fe2ece5912f87a4f57e409770c076a0713a32ffbd1c1ca74483260381f0953a6ac8492172a3d6d8b4db3dfcf816f7511a3d66d90cbc2b613b5cf1eb9adb0e76b

Download Submit
memory/2184-5-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2184-6-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/2184-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2184-4-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/2184-17-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2184-7-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/2184-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2184-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2184-9-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2184-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2184-1-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2184-2-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/2184-3-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/3368-31-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/3368-34-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/3368-30-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/3368-29-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/3368-28-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/3368-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3368-33-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/3368-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3368-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3368-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3368-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3368-32-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/3656-54-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3656-52-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/3656-51-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/3656-50-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/3656-49-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3656-53-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3656-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3656-55-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/3656-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5104-69-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/5104-74-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads