urelas | 99b0e6c557256717472ab8b99a91e7f819c1f4cc77f165566985c694a86dd1d2

General

Target

aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe
Size

329KB
MD5

aeab4161e9560703eacffcf0b2eb4ff0
SHA1

ee1b406cbd6669467c3a999bae34e7a262ec6b27
SHA256

99b0e6c557256717472ab8b99a91e7f819c1f4cc77f165566985c694a86dd1d2
SHA512

2dd53a07f71dc97c9bb4dd8c701be0648ed66e067d35ddbd0f073504b8171bd4277e8ab4a761654840d6d002e8fad8614c89c12a46a8b40118ba864cce84a897
SSDEEP

6144:sY4zSop9m06QbGTCnTRoOIH3FPA7AthtLpSRFe:PkXpd6jqiOIHZAj3e

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zequd.exebofoax.exeaeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	zequd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	bofoax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

Processes:

zequd.exebofoax.exeordit.exe

pid process

4540 zequd.exe
636 bofoax.exe
3640 ordit.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4540	zequd.exe
636	bofoax.exe
3640	ordit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ordit.exe

pid	process
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe
3640	ordit.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exezequd.exebofoax.exe

description	pid	process	target process
PID 3140 wrote to memory of 4540	3140	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	zequd.exe
PID 3140 wrote to memory of 4540	3140	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	zequd.exe
PID 3140 wrote to memory of 4540	3140	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	zequd.exe
PID 3140 wrote to memory of 3792	3140	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	cmd.exe
PID 3140 wrote to memory of 3792	3140	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	cmd.exe
PID 3140 wrote to memory of 3792	3140	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	cmd.exe
PID 4540 wrote to memory of 636	4540	zequd.exe	bofoax.exe
PID 4540 wrote to memory of 636	4540	zequd.exe	bofoax.exe
PID 4540 wrote to memory of 636	4540	zequd.exe	bofoax.exe
PID 636 wrote to memory of 3640	636	bofoax.exe	ordit.exe
PID 636 wrote to memory of 3640	636	bofoax.exe	ordit.exe
PID 636 wrote to memory of 3640	636	bofoax.exe	ordit.exe
PID 636 wrote to memory of 4736	636	bofoax.exe	cmd.exe
PID 636 wrote to memory of 4736	636	bofoax.exe	cmd.exe
PID 636 wrote to memory of 4736	636	bofoax.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\zequd.exe
  "C:\Users\Admin\AppData\Local\Temp\zequd.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\bofoax.exe
    "C:\Users\Admin\AppData\Local\Temp\bofoax.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Users\Admin\AppData\Local\Temp\ordit.exe
      "C:\Users\Admin\AppData\Local\Temp\ordit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
bc327c5350c2a174333677e1682c8e53

SHA1
5cc21084f5c3fca50f06fbfd270bce475dce7345

SHA256
c82a23978e527e17336b3f6763b499608a74de4e5ed79464f0a3a57e80585f53

SHA512
4ad5d1bed2fc87aee6b0c979ab18dfb5c6db54d8d4caf47725c96d658dc41d7fed868aae15aa71fb1243fa74b8d3f872db39207ab96040b2b698eb56e91ab74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
33d7629c506fa0511c5a52f1e52e1170

SHA1
fc40fca46dfbc2fc213f5dbe4099dff6020c9a60

SHA256
874ad2d37073829774691e3263f91f3458eb836cd488b66abc0962e353c608bc

SHA512
fb509df5983d08f41b2732bcad0484890be6d6ffddb873b1c7dc3d50d2af1952491f84b0e3e40330a22a69d3b2355df6329195b603e74ecebfa2bc5d48012142

Download Submit
C:\Users\Admin\AppData\Local\Temp\bofoax.exe

Filesize
329KB

MD5
9a84d5886ea4a8115ea65e18e4c79192

SHA1
5b6f4bab6146a4f8a1bf7d9e062cede3acfe48ca

SHA256
f4a1f17847e4b53ae3e24167f9fa80e7e6875e04366933576b9293dcad4e59b9

SHA512
f1c215ed74f8c3a1629395ec3ce4d8517b786607547cd72e43479e44cb378cfd8a18001ec3d7854c7256c23b1c26115867d708c79f4b14a7bf547131b9ac8e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1055f0495d91ea7ac5032ef0c007f417

SHA1
1d3d811d1e8cb66135389a706f257a662a564dbc

SHA256
5d4655b5f2b8e8e4737094b689e0d280e32039d498823e1d9c06d686f11bc4aa

SHA512
c97a58973d3b83319ea8f04d661fa34793b075b057e0ce68bdbffa3458f2a449ef732318d72e602333b2b4ce65032123e649dc2a34f90ebb3c3a862f4ef52536

Download Submit
C:\Users\Admin\AppData\Local\Temp\ordit.exe

Filesize
223KB

MD5
5f4c731e45a7842e953277d5993d4eba

SHA1
fe6c637fec169be9717444b1ce820bfbee7dd82e

SHA256
2122985865a7b8fd79c45c1a18c14d90ca2db0c8b9aeb37d126189bbdd604f80

SHA512
e2ff89a3d4f542892dae252edef15b2f9f9c4f37ee35858198a4101b22788e919112e9fb9ad25a4e53ad1ff97ed39f52472f30e0c421b0ccaeb58abca0ea8510

Download Submit
C:\Users\Admin\AppData\Local\Temp\zequd.exe

Filesize
329KB

MD5
2a97c522b4df3a04a73235e67327b926

SHA1
8d92573304665302e028449ce911d2a6b6b9ffea

SHA256
3f354b724fde0e540b2b18119662432a203861d3632f5ffe719b3db46f94a69e

SHA512
a818ef3b0407cbccff4588e11e23c3d7d21d06836f78234bb4d52cc1c28bd670b6fc2e056c4b9b16bd3a74c7fb6a70dfbf11ac175739c863acab7c26ea67ae16

Download Submit
memory/636-47-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/636-34-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/636-33-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3140-21-0x0000000000401000-0x0000000000460000-memory.dmp

Filesize
380KB

Download
memory/3140-5-0x0000000000401000-0x0000000000460000-memory.dmp

Filesize
380KB

Download
memory/3140-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3140-3-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3140-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3140-4-0x00000000020C0000-0x00000000021C0000-memory.dmp

Filesize
1024KB

Download
memory/3640-45-0x0000000000080000-0x0000000000120000-memory.dmp

Filesize
640KB

Download
memory/3640-50-0x0000000000080000-0x0000000000120000-memory.dmp

Filesize
640KB

Download
memory/3640-51-0x0000000000080000-0x0000000000120000-memory.dmp

Filesize
640KB

Download
memory/3640-52-0x0000000000080000-0x0000000000120000-memory.dmp

Filesize
640KB

Download
memory/3640-53-0x0000000000080000-0x0000000000120000-memory.dmp

Filesize
640KB

Download
memory/3640-54-0x0000000000080000-0x0000000000120000-memory.dmp

Filesize
640KB

Download
memory/4540-31-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4540-18-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4540-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads