urelas | 092feaa449f6b06fcad8006164091ae694446ee6631dfea678a2d8f8330fa5be

General

Target

147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe
Size

359KB
MD5

147ddac047e768fcd95ee46620c9bb50
SHA1

fea3efad7bbfbeb51c311abd1269d208e5c99cc4
SHA256

092feaa449f6b06fcad8006164091ae694446ee6631dfea678a2d8f8330fa5be
SHA512

8b7f00cd7f61bfe3bb17220a8bb2e26bb43a39195ece3cff9a8cf3d654cdf1c44fe3e9d8e6442e8b3b29799730f3b0d46f4a38b2c6a89bbe3ab19c3261b72bdb
SSDEEP

6144:c1bYec5C8AAYLxhEmPG7qwmioqVsCqbN0ho:MUyI6QmPPPqVspr

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2976 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

ildee.exeliajna.exeanfot.exe

pid process

2308 ildee.exe
2652 liajna.exe
1744 anfot.exe

pid	process
2976	cmd.exe

pid	process
2308	ildee.exe
2652	liajna.exe
1744	anfot.exe

Loads dropped DLL 5 IoCs

Processes:

147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exeildee.exeliajna.exe

pid	process
1984	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe
1984	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe
2308	ildee.exe
2308	ildee.exe
2652	liajna.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

anfot.exe

pid	process
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe
1744	anfot.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exeildee.exeliajna.exe

description	pid	process	target process
PID 1984 wrote to memory of 2308	1984	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	ildee.exe
PID 1984 wrote to memory of 2308	1984	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	ildee.exe
PID 1984 wrote to memory of 2308	1984	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	ildee.exe
PID 1984 wrote to memory of 2308	1984	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	ildee.exe
PID 1984 wrote to memory of 2976	1984	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	cmd.exe
PID 1984 wrote to memory of 2976	1984	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	cmd.exe
PID 1984 wrote to memory of 2976	1984	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	cmd.exe
PID 1984 wrote to memory of 2976	1984	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	cmd.exe
PID 2308 wrote to memory of 2652	2308	ildee.exe	liajna.exe
PID 2308 wrote to memory of 2652	2308	ildee.exe	liajna.exe
PID 2308 wrote to memory of 2652	2308	ildee.exe	liajna.exe
PID 2308 wrote to memory of 2652	2308	ildee.exe	liajna.exe
PID 2652 wrote to memory of 1744	2652	liajna.exe	anfot.exe
PID 2652 wrote to memory of 1744	2652	liajna.exe	anfot.exe
PID 2652 wrote to memory of 1744	2652	liajna.exe	anfot.exe
PID 2652 wrote to memory of 1744	2652	liajna.exe	anfot.exe
PID 2652 wrote to memory of 704	2652	liajna.exe	cmd.exe
PID 2652 wrote to memory of 704	2652	liajna.exe	cmd.exe
PID 2652 wrote to memory of 704	2652	liajna.exe	cmd.exe
PID 2652 wrote to memory of 704	2652	liajna.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\ildee.exe
"C:\Users\Admin\AppData\Local\Temp\ildee.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\Temp\liajna.exe
"C:\Users\Admin\AppData\Local\Temp\liajna.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Local\Temp\anfot.exe
"C:\Users\Admin\AppData\Local\Temp\anfot.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
1d62ed3239cc265c6115f40ac391dac6

SHA1
55652006d4012e132640eb81148cc220f453f1ee

SHA256
d41936bc792a7e31892dc5a2adc59b0bc0f22f639120144d99a5156e50414a6c

SHA512
2f4003dfac7b34c144463d7fb8723ac149d65d49282c7f27e3d256b31dd2665028d3fadb3a12ab08e7a2d074178c6215b998b573840476605a44264ecc93f2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
eb2f512529c62a70d8625da94d8f7011

SHA1
6ab1e80eea7aeaeb3320c1f275edf6a74796420b

SHA256
e9d026f21845fd41543f5bf21692df4e4a12315622e8a461068b80a8847312fb

SHA512
5a191ed11096d9deb37b7b94c27668d4925b57e0054d3f5952af0d154d6e7ede5887f8ad01f587db9b1f5370d059b4f7c9808d8249ce2b6fd4c7fddf1d136b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
fb2b6386f3756256540ae25bc3515ee8

SHA1
92d80c0b40be33c8dc5f19f68777df0f08383a40

SHA256
4ed484e395c6249a31112db4b6e7f8eb8ef354b87a5aa90d195a7d374168861d

SHA512
147caa22cbac458a5b380640f4bec47274ad591db971e49de608e59143ffa0c587c8bd0b6166d98fcbf1aa0502016c9da39f20237862679e40bb022d5d432cc4

Download Submit
\Users\Admin\AppData\Local\Temp\anfot.exe
Filesize
107KB

MD5
0f89d40bdef5eb6389429ecadb1bc8d7

SHA1
a9c448ea51dfcf54c0173fb453203c98f2e1b381

SHA256
55b5bc6f853cc39dfa25a456b5bdcd04547ac271f57abce1aafa7067de4223c1

SHA512
82bc955389c9137ad25d85469076958ef9d580390cc7cd4feaeeaac6a218aee2fd9fc616fa7f74edc7635bd46011f4086fea00ec32c99373dc0cf24b3d86e03b

Download Submit
\Users\Admin\AppData\Local\Temp\ildee.exe
Filesize
359KB

MD5
eca610dc7e52567bf7e2c8a013a05373

SHA1
32a979a381f6c2f2e7b51e862af27fe115ae3c33

SHA256
4053dba8028e71f8a70846e376f64b712836906c51fd7347f9f1b22e7f942567

SHA512
76863347b94c0f07031d9ebe490ae0f69c81912da5df5f01bd54ce28fec8abc5868f64fd46b31e61de649c41c795ac15d8de950f2c5555ff854dbfe034e763a1

Download Submit
memory/1744-57-0x0000000000F40000-0x0000000000FC5000-memory.dmp

Filesize
532KB

Download
memory/1744-62-0x0000000000F40000-0x0000000000FC5000-memory.dmp

Filesize
532KB

Download
memory/1744-61-0x0000000000F40000-0x0000000000FC5000-memory.dmp

Filesize
532KB

Download
memory/1744-60-0x0000000000F40000-0x0000000000FC5000-memory.dmp

Filesize
532KB

Download
memory/1744-59-0x0000000000F40000-0x0000000000FC5000-memory.dmp

Filesize
532KB

Download
memory/1744-58-0x0000000000F40000-0x0000000000FC5000-memory.dmp

Filesize
532KB

Download
memory/1744-54-0x0000000000F40000-0x0000000000FC5000-memory.dmp

Filesize
532KB

Download
memory/1984-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1984-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1984-5-0x0000000002BE0000-0x0000000002C39000-memory.dmp

Filesize
356KB

Download
memory/2308-31-0x0000000001EF0000-0x0000000001F49000-memory.dmp

Filesize
356KB

Download
memory/2308-33-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2308-32-0x0000000001EF0000-0x0000000001F49000-memory.dmp

Filesize
356KB

Download
memory/2652-53-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2652-42-0x0000000003340000-0x00000000033C5000-memory.dmp

Filesize
532KB

Download
memory/2652-35-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads