urelas | 8f7610a31b5aa74ce38e48fdad2d7bc5e431ba554aad62ac95b2a51ddca67e9f

General

Target

30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe
Size

329KB
MD5

30eda31e95945f221daf84a2679ff390
SHA1

1205495b5e7ca3c3558345a335cd3d82b43e8262
SHA256

8f7610a31b5aa74ce38e48fdad2d7bc5e431ba554aad62ac95b2a51ddca67e9f
SHA512

f33d2a8eb18daa314e1c737fc97f323f9ccd4cd66714e7e6f67e5e115522ec5bccf8ce517418fb3b8e0dcd7d6c5e99eed4fa30bcfe7dd53ee8ceb6d2c712485e
SSDEEP

6144:sY4zSop9m06QbGTCnTRoOIH3FPA7AthtLpM:PkXpd6jqiOIHZA7

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2592 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

syfov.exedygywo.exebazyg.exe

pid process

3040 syfov.exe
2640 dygywo.exe
2124 bazyg.exe
Loads dropped DLL 3 IoCs

Processes:

30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exesyfov.exedygywo.exe

pid process

2884 30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe
3040 syfov.exe
2640 dygywo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2592	cmd.exe

pid	process
3040	syfov.exe
2640	dygywo.exe
2124	bazyg.exe

pid	process
2884	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe
3040	syfov.exe
2640	dygywo.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

bazyg.exe

pid	process
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe
2124	bazyg.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exesyfov.exedygywo.exe

description	pid	process	target process
PID 2884 wrote to memory of 3040	2884	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	syfov.exe
PID 2884 wrote to memory of 3040	2884	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	syfov.exe
PID 2884 wrote to memory of 3040	2884	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	syfov.exe
PID 2884 wrote to memory of 3040	2884	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	syfov.exe
PID 2884 wrote to memory of 2592	2884	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	cmd.exe
PID 2884 wrote to memory of 2592	2884	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	cmd.exe
PID 2884 wrote to memory of 2592	2884	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	cmd.exe
PID 2884 wrote to memory of 2592	2884	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	cmd.exe
PID 3040 wrote to memory of 2640	3040	syfov.exe	dygywo.exe
PID 3040 wrote to memory of 2640	3040	syfov.exe	dygywo.exe
PID 3040 wrote to memory of 2640	3040	syfov.exe	dygywo.exe
PID 3040 wrote to memory of 2640	3040	syfov.exe	dygywo.exe
PID 2640 wrote to memory of 2124	2640	dygywo.exe	bazyg.exe
PID 2640 wrote to memory of 2124	2640	dygywo.exe	bazyg.exe
PID 2640 wrote to memory of 2124	2640	dygywo.exe	bazyg.exe
PID 2640 wrote to memory of 2124	2640	dygywo.exe	bazyg.exe
PID 2640 wrote to memory of 2464	2640	dygywo.exe	cmd.exe
PID 2640 wrote to memory of 2464	2640	dygywo.exe	cmd.exe
PID 2640 wrote to memory of 2464	2640	dygywo.exe	cmd.exe
PID 2640 wrote to memory of 2464	2640	dygywo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\syfov.exe
  "C:\Users\Admin\AppData\Local\Temp\syfov.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\dygywo.exe
    "C:\Users\Admin\AppData\Local\Temp\dygywo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\bazyg.exe
      "C:\Users\Admin\AppData\Local\Temp\bazyg.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
05b9b6bd68fd41daa4bf47640218af42

SHA1
c0fde4c7785cb94b67d61a095e80427a7835c32f

SHA256
fdf8dbd8fd597e0009ee8d7f3dcf8bf47cd4d9a84cd4ad30cc1d215f23773927

SHA512
e2e11795d015a137f56bc574800c19a4c62f4350fb96e1dcb5cded50fa8507102fbd644dcf9864f2298bfcabc32e7d32142b39d5bba98b07b8661db316fef684

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
191134af79a8807d9c67e5324cabaf44

SHA1
d3d275d3a7ed6888da32fe05b339b7de4017d44c

SHA256
a421650227b2cae3129c6b920b7571decc8580031c8a10be1e184834f924ff19

SHA512
622e6fdc69150ffc2db2165895b45866c3bb4d444cc714864373aa83982af6f3160487063902f8a8372d2e8e3a2d05cef21d62a894577833d75e09047e68e80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygywo.exe

Filesize
329KB

MD5
3172a00631d7cf9f44843e50f98aff70

SHA1
b72f468567039937b837fb57e7fe8ec707adcc6e

SHA256
dd95b265415beb2cd96ff90649a494081db69d910a2ce0d4debb2e494607bae6

SHA512
d9241f6b624c3d098fe59a3135c102839c3652829177198a41a9651faa2b71786b81d96c450032b38118d4260358300ff8ebe05ae8c5d760c0c71bdfa8897c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e2dc2401b2bc1f6673a6a2c24132c230

SHA1
13cc6176b4a9d5d2d613d02d620858ebbe031c43

SHA256
bcfba9e65f8914816d41a0dd077e09d6f9af7f8e32c1fd929a0a9bfcef82c40a

SHA512
09a02527fab72732d556fa7d580cc9e81dd3a0aaac648be9b7ca845eb031699bf349b57c462026ccccf44030ea4c5ff2a9a5b5d2b1358a1bbab6519b0539feb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\syfov.exe

Filesize
329KB

MD5
c38867093c85b1cd4a698d808c4879f9

SHA1
a4252f7f17d73c66aca3d3fd6c5063eeb97a2072

SHA256
e1b7bd5b13b74255d26852ca23e9ab8910b06b689f74fc6bdfb5678d886173e9

SHA512
df92077a700e9488094b0614a8c0e67342858adf0d31669f88ff601d970b76e649e43b366e5918f7301f48441ef62625a57ae7b6f7837c04bcc89f51ce7f4ca0

Download Submit
\Users\Admin\AppData\Local\Temp\bazyg.exe

Filesize
223KB

MD5
41c2024d3b4c1b16473715f8d1c41b78

SHA1
3c496a73bc913b8eb0f0e0c38e0431e7731c3e9e

SHA256
407d31e32fa713f7a13f50f64716bb8886f53893b3bb5e4d12bb09f273614f72

SHA512
00af6dbe0713426e1fccde5761e26b8dc487cb8972c53c5cb6cd7220a70970d910e31a6b45346002d6e1d8adafc60fc23f547d1f245bb09008b7b90acc450454

Download Submit
memory/2124-57-0x0000000000A50000-0x0000000000AF0000-memory.dmp

Filesize
640KB

Download
memory/2124-56-0x0000000000A50000-0x0000000000AF0000-memory.dmp

Filesize
640KB

Download
memory/2124-58-0x0000000000A50000-0x0000000000AF0000-memory.dmp

Filesize
640KB

Download
memory/2124-59-0x0000000000A50000-0x0000000000AF0000-memory.dmp

Filesize
640KB

Download
memory/2124-60-0x0000000000A50000-0x0000000000AF0000-memory.dmp

Filesize
640KB

Download
memory/2124-45-0x0000000000A50000-0x0000000000AF0000-memory.dmp

Filesize
640KB

Download
memory/2640-53-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2640-42-0x0000000002DD0000-0x0000000002E70000-memory.dmp

Filesize
640KB

Download
memory/2640-34-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2640-35-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2884-22-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2884-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2884-23-0x0000000000401000-0x0000000000460000-memory.dmp

Filesize
380KB

Download
memory/2884-5-0x0000000000401000-0x0000000000460000-memory.dmp

Filesize
380KB

Download
memory/2884-4-0x0000000000240000-0x0000000000283000-memory.dmp

Filesize
268KB

Download
memory/2884-1-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3040-29-0x0000000003640000-0x00000000036AF000-memory.dmp

Filesize
444KB

Download
memory/3040-32-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3040-21-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing