urelas | 8f7610a31b5aa74ce38e48fdad2d7bc5e431ba554aad62ac95b2a51ddca67e9f

General

Target

30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe
Size

329KB
MD5

30eda31e95945f221daf84a2679ff390
SHA1

1205495b5e7ca3c3558345a335cd3d82b43e8262
SHA256

8f7610a31b5aa74ce38e48fdad2d7bc5e431ba554aad62ac95b2a51ddca67e9f
SHA512

f33d2a8eb18daa314e1c737fc97f323f9ccd4cd66714e7e6f67e5e115522ec5bccf8ce517418fb3b8e0dcd7d6c5e99eed4fa30bcfe7dd53ee8ceb6d2c712485e
SSDEEP

6144:sY4zSop9m06QbGTCnTRoOIH3FPA7AthtLpM:PkXpd6jqiOIHZA7

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exehovyc.exehilydy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	hovyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	hilydy.exe

Executes dropped EXE 3 IoCs

Processes:

hovyc.exehilydy.exezoqiu.exe

pid process

3192 hovyc.exe
1320 hilydy.exe
980 zoqiu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3192	hovyc.exe
1320	hilydy.exe
980	zoqiu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

zoqiu.exe

pid	process
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe
980	zoqiu.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exehovyc.exehilydy.exe

description	pid	process	target process
PID 2356 wrote to memory of 3192	2356	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	hovyc.exe
PID 2356 wrote to memory of 3192	2356	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	hovyc.exe
PID 2356 wrote to memory of 3192	2356	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	hovyc.exe
PID 2356 wrote to memory of 2996	2356	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	cmd.exe
PID 2356 wrote to memory of 2996	2356	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	cmd.exe
PID 2356 wrote to memory of 2996	2356	30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe	cmd.exe
PID 3192 wrote to memory of 1320	3192	hovyc.exe	hilydy.exe
PID 3192 wrote to memory of 1320	3192	hovyc.exe	hilydy.exe
PID 3192 wrote to memory of 1320	3192	hovyc.exe	hilydy.exe
PID 1320 wrote to memory of 980	1320	hilydy.exe	zoqiu.exe
PID 1320 wrote to memory of 980	1320	hilydy.exe	zoqiu.exe
PID 1320 wrote to memory of 980	1320	hilydy.exe	zoqiu.exe
PID 1320 wrote to memory of 3216	1320	hilydy.exe	cmd.exe
PID 1320 wrote to memory of 3216	1320	hilydy.exe	cmd.exe
PID 1320 wrote to memory of 3216	1320	hilydy.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30eda31e95945f221daf84a2679ff390_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\hovyc.exe
"C:\Users\Admin\AppData\Local\Temp\hovyc.exe" hi
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\hilydy.exe
"C:\Users\Admin\AppData\Local\Temp\hilydy.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\zoqiu.exe
"C:\Users\Admin\AppData\Local\Temp\zoqiu.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
05b9b6bd68fd41daa4bf47640218af42

SHA1
c0fde4c7785cb94b67d61a095e80427a7835c32f

SHA256
fdf8dbd8fd597e0009ee8d7f3dcf8bf47cd4d9a84cd4ad30cc1d215f23773927

SHA512
e2e11795d015a137f56bc574800c19a4c62f4350fb96e1dcb5cded50fa8507102fbd644dcf9864f2298bfcabc32e7d32142b39d5bba98b07b8661db316fef684

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
10987d7911a3d3914ec5f5908edae0a5

SHA1
936fca3ec4e670ad4f49d80ac50f265f54937f0c

SHA256
5ae08758341c9d3794e2682cfccbb8b774a84515e4c8a219863967d43c98baa9

SHA512
1c3ed22b393c8aa502138e1c713f97b0509e761d4032360cb5a8fcf7a112ced40e7b827b1f76d00b56fbfa1fd259186414437217f094bcedc206127da13a3c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
26d5994e32e4d951a8073d93c8313423

SHA1
f8678ed579a3560b82c94eff0973ece2f2b2e96d

SHA256
9920787cd31ca827f06b2744c6b5be0ee7ed61db4b782f9f9cc037d9e0f93950

SHA512
da058dfcb2accd2b5b8b55c3cd53beac23a255a4ce8bcb7806cf4bab54298d9065d91f32d83c1dfca80758a61cf4ff2fd239a17c6ef1eb975ae2e658c7a430d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hilydy.exe
Filesize
329KB

MD5
f49d0bc5412bdd509b004e3e2c3ca7c1

SHA1
3933d8ed5f467a6ababcba1c5e3e2f5a3bf70d60

SHA256
dce4cd308312143fce25d71ba8c857a50f0fd2840f9883183264ceb49bcf7e18

SHA512
4cbcfe7bd0fbddd9b7eeb4f8b6a63ac1e04648477d78aed44cbff13bdebeb2687912c9c1ca50adef6085ce2028ae4ea5c02338571ad82eccc3f87bec751e7d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\hovyc.exe
Filesize
329KB

MD5
184bf19fc5a8dd567e322ba901abfaeb

SHA1
4003f19cdafccee99de58dd3c1d03f3f4d73d995

SHA256
e936c24a53dbc366ea1bf9871dd6c758454145c00564c04ac467926b9f07b006

SHA512
012086516a9f784ae24683b521418754892c58a46b0749633c807c38d4df12315479c53e156d0223335a5005a6d998d98848160bc5cb47c502d9fd078acd7ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoqiu.exe
Filesize
223KB

MD5
eaa06ae99bf4e9f068dc63205cee6a0e

SHA1
cb6524f7679c6275b336b0c8e691fe05149326e6

SHA256
0dc64147923c4f368cab3f7161bcc2faefcd9d43348726fe31bb5ba3160b0626

SHA512
e656e2784d6a5e97d5f5756c7c25370bb4b147ec669977370d8f5b618455d5961038bf4fa096b2796f6c04ec622858abacfeef15fc84c5eecbfb8c5a3235c87d

Download Submit
memory/980-44-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/980-53-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/980-52-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/980-51-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/980-50-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/980-49-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/1320-32-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1320-46-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1320-33-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2356-19-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2356-1-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2356-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2356-5-0x0000000000401000-0x0000000000460000-memory.dmp

Filesize
380KB

Download
memory/2356-20-0x0000000000401000-0x0000000000460000-memory.dmp

Filesize
380KB

Download
memory/2356-4-0x0000000002090000-0x00000000020D3000-memory.dmp

Filesize
268KB

Download
memory/3192-30-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3192-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads