urelas | 092feaa449f6b06fcad8006164091ae694446ee6631dfea678a2d8f8330fa5be

General

Target

147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe
Size

359KB
MD5

147ddac047e768fcd95ee46620c9bb50
SHA1

fea3efad7bbfbeb51c311abd1269d208e5c99cc4
SHA256

092feaa449f6b06fcad8006164091ae694446ee6631dfea678a2d8f8330fa5be
SHA512

8b7f00cd7f61bfe3bb17220a8bb2e26bb43a39195ece3cff9a8cf3d654cdf1c44fe3e9d8e6442e8b3b29799730f3b0d46f4a38b2c6a89bbe3ab19c3261b72bdb
SSDEEP

6144:c1bYec5C8AAYLxhEmPG7qwmioqVsCqbN0ho:MUyI6QmPPPqVspr

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exeugnum.execoticy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ugnum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	coticy.exe

Executes dropped EXE 3 IoCs

Processes:

ugnum.execoticy.exedotus.exe

pid process

1008 ugnum.exe
660 coticy.exe
3352 dotus.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1008	ugnum.exe
660	coticy.exe
3352	dotus.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dotus.exe

pid	process
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe
3352	dotus.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exeugnum.execoticy.exe

description	pid	process	target process
PID 1592 wrote to memory of 1008	1592	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	ugnum.exe
PID 1592 wrote to memory of 1008	1592	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	ugnum.exe
PID 1592 wrote to memory of 1008	1592	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	ugnum.exe
PID 1592 wrote to memory of 1928	1592	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	cmd.exe
PID 1592 wrote to memory of 1928	1592	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	cmd.exe
PID 1592 wrote to memory of 1928	1592	147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe	cmd.exe
PID 1008 wrote to memory of 660	1008	ugnum.exe	coticy.exe
PID 1008 wrote to memory of 660	1008	ugnum.exe	coticy.exe
PID 1008 wrote to memory of 660	1008	ugnum.exe	coticy.exe
PID 660 wrote to memory of 3352	660	coticy.exe	dotus.exe
PID 660 wrote to memory of 3352	660	coticy.exe	dotus.exe
PID 660 wrote to memory of 3352	660	coticy.exe	dotus.exe
PID 660 wrote to memory of 3344	660	coticy.exe	cmd.exe
PID 660 wrote to memory of 3344	660	coticy.exe	cmd.exe
PID 660 wrote to memory of 3344	660	coticy.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\ugnum.exe
"C:\Users\Admin\AppData\Local\Temp\ugnum.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\coticy.exe
"C:\Users\Admin\AppData\Local\Temp\coticy.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\dotus.exe
"C:\Users\Admin\AppData\Local\Temp\dotus.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
46070bde9bc55d529c2973c1069af143

SHA1
2df5f3bc59935cce269190867eb5d9bb84366d51

SHA256
72ef42537cda785e0af8dd0b56e663ed058b78589b347077491f8a482a72fc5a

SHA512
154d0cb95aaeb9779d6202c70c842d399cb7ea012f31bca008d6a2802d97735c4f87a2720faeea480d95c598e6bc47ee5f9263cc4fb1501792608d6c6844d7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
1d62ed3239cc265c6115f40ac391dac6

SHA1
55652006d4012e132640eb81148cc220f453f1ee

SHA256
d41936bc792a7e31892dc5a2adc59b0bc0f22f639120144d99a5156e50414a6c

SHA512
2f4003dfac7b34c144463d7fb8723ac149d65d49282c7f27e3d256b31dd2665028d3fadb3a12ab08e7a2d074178c6215b998b573840476605a44264ecc93f2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dotus.exe
Filesize
107KB

MD5
6a4cedc2de7eb481f78e71c38c79ba88

SHA1
449880fae11877bbfa3dfb10ec39dc3a4c347e4a

SHA256
14150f0ecfbe2825d298d6412cbcf1c597fad58a88e7fcb54b68669b5d248796

SHA512
56cb7e4c2d62e8aef100d5b4d5a3c2caa45d7345c32c56fb13183b8c790d2a374919eb8960670051c510e3a64ade9c03dae6f789028419e2965f418fff744220

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
b5c2f7ed95f4b2d7475f9b740dcb415a

SHA1
9f25e09d17413bc960b79501c5c20094b274a200

SHA256
6453088eb9d88a33151d5d13d83c47b4a1a01bb29f32c1cf85df35485fc9ef13

SHA512
656754db0b592bacce4c2180479bc7b87877d2206d95b9094b3f0f5f7936b960f9b65b963d46bc55dabd3570972aae07ad0bc21bf4e4c43ee23cb2defb45dd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugnum.exe
Filesize
359KB

MD5
588dfe322e18e577153849c30d4c96d4

SHA1
95a8bbfebfc6a948c689f2f265632228b5d03e24

SHA256
5485c4ed98e184e2a6b5ef30df30607c086a809bd113465bd2316df288fe2dd5

SHA512
54919cba0b3f5a735d143e992177a1b589b748eb0ff8f453f8609dc0d18c359e59753d070ca6e87b2bab2bd532a3bb883ac5d95791e5969c9ed2fedb95144ba8

Download Submit
memory/660-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/660-39-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1008-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1592-14-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1592-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3352-37-0x0000000000120000-0x00000000001A5000-memory.dmp

Filesize
532KB

Download
memory/3352-41-0x0000000000120000-0x00000000001A5000-memory.dmp

Filesize
532KB

Download
memory/3352-42-0x0000000000120000-0x00000000001A5000-memory.dmp

Filesize
532KB

Download
memory/3352-43-0x0000000000120000-0x00000000001A5000-memory.dmp

Filesize
532KB

Download
memory/3352-44-0x0000000000120000-0x00000000001A5000-memory.dmp

Filesize
532KB

Download
memory/3352-45-0x0000000000120000-0x00000000001A5000-memory.dmp

Filesize
532KB

Download
memory/3352-46-0x0000000000120000-0x00000000001A5000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads