urelas | 270b2bb94948fc12d73c9cb6766a4b9920e22172e8400afc13d5db4da533e621

General

Target

5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe
Size

56KB
MD5

5f23c5fe29d4e99c992b6c5bb69799e0
SHA1

77498d7bcd1a2292f5bbde0ccf6646c406da2cd8
SHA256

270b2bb94948fc12d73c9cb6766a4b9920e22172e8400afc13d5db4da533e621
SHA512

75e090a5a905e946357e87eeb9ba74a770b7b61201ce07cd38af6a9f80ec1c09fee88fb297edb555cfacefe845350d72f427d408fd3fa90b63a66d413b99ff99
SSDEEP

1536:6W82C0Db1edMckBI1kmJAhTPY6pnouy8W:6n25DbaMySmJAhbvoutW

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2600 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2848 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe

pid process

2912 5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe

pid	process
2600	cmd.exe

pid	process
2848	biudfw.exe

pid	process
2912	5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2912-0-0x00000000000D0000-0x00000000000FC000-memory.dmp	upx
behavioral1/memory/2848-17-0x0000000000950000-0x000000000097C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\biudfw.exe	upx
behavioral1/memory/2912-19-0x00000000000D0000-0x00000000000FC000-memory.dmp	upx
behavioral1/memory/2848-22-0x0000000000950000-0x000000000097C000-memory.dmp	upx
behavioral1/memory/2848-24-0x0000000000950000-0x000000000097C000-memory.dmp	upx
behavioral1/memory/2848-31-0x0000000000950000-0x000000000097C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe

description	pid	process	target process
PID 2912 wrote to memory of 2848	2912	5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe	biudfw.exe
PID 2912 wrote to memory of 2848	2912	5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe	biudfw.exe
PID 2912 wrote to memory of 2848	2912	5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe	biudfw.exe
PID 2912 wrote to memory of 2848	2912	5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe	biudfw.exe
PID 2912 wrote to memory of 2600	2912	5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe	cmd.exe
PID 2912 wrote to memory of 2600	2912	5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe	cmd.exe
PID 2912 wrote to memory of 2600	2912	5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe	cmd.exe
PID 2912 wrote to memory of 2600	2912	5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Filesize
56KB

MD5
33abf052c37bf9fa90f108a7f48add32

SHA1
98898fa96b3f2027804309a96e0dd2e38c3cde0d

SHA256
70cbc1bf21370dd68fa3149e6d8991af754a28d9f6fd021cd26533c6b790c51c

SHA512
f2d5d99af9eebdd74d7a9e362024b03ec716d7f144ff87b92717b8d1fb4128468c96401a5cc71a513222632ad6d24d444ae13837eaacbdcf47b1f0a3a87f1000

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
b4a86880004da8726288d7ec954885a8

SHA1
1bab1cfbdc2c540246210bc7852f8fe7e8357b31

SHA256
c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46

SHA512
22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
304B

MD5
3f149920e4d09e8d64558827835cc9af

SHA1
dea72bc644c12b27fbfb3236e74b009b0ad7269b

SHA256
f3b5c3f2d164ea317e03dd92a8f2c32ead90dd248bfa4b59cdbebabc6040bb8b

SHA512
2f41fbdf2c99834d10fc93b9e2158bccf88997697c8a4154dbe56262ba4ad007668dcc210fbb73aee899e95c2c1bd628c0b9ed9e0e7787cfc03906b4199f9f77

Download Submit
memory/2848-17-0x0000000000950000-0x000000000097C000-memory.dmp

Filesize
176KB

Download
memory/2848-22-0x0000000000950000-0x000000000097C000-memory.dmp

Filesize
176KB

Download
memory/2848-24-0x0000000000950000-0x000000000097C000-memory.dmp

Filesize
176KB

Download
memory/2848-31-0x0000000000950000-0x000000000097C000-memory.dmp

Filesize
176KB

Download
memory/2912-0-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/2912-15-0x0000000000420000-0x000000000044C000-memory.dmp

Filesize
176KB

Download
memory/2912-19-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing