urelas | 88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8

General

Target

88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exe
Size

504KB
MD5

c1b3f5eedc8e77b019143769fa6fe510
SHA1

4b716c054c731804c7c6affa3926d0843c70b58f
SHA256

88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8
SHA512

d52b66aea3df5285e1655dfc125ab301e19bef5e25e435d2afcdf8f74d929784928ecc1f89ad050a7a2e307fa6064019517a5810e0c19b6a9a9818f6cbf4d483
SSDEEP

12288:kdBNKTCqqwXCcdgT89+MvA+BisqYpxHtG:kLjQC+fs0E

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exeudlor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	udlor.exe

Executes dropped EXE 2 IoCs

Processes:

udlor.exenoivm.exe

pid process

4856 udlor.exe
3592 noivm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4856	udlor.exe
3592	noivm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

noivm.exe

pid	process
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe
3592	noivm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exeudlor.exe

description	pid	process	target process
PID 1804 wrote to memory of 4856	1804	88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exe	udlor.exe
PID 1804 wrote to memory of 4856	1804	88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exe	udlor.exe
PID 1804 wrote to memory of 4856	1804	88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exe	udlor.exe
PID 1804 wrote to memory of 1464	1804	88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exe	cmd.exe
PID 1804 wrote to memory of 1464	1804	88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exe	cmd.exe
PID 1804 wrote to memory of 1464	1804	88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exe	cmd.exe
PID 4856 wrote to memory of 3592	4856	udlor.exe	noivm.exe
PID 4856 wrote to memory of 3592	4856	udlor.exe	noivm.exe
PID 4856 wrote to memory of 3592	4856	udlor.exe	noivm.exe

C:\Users\Admin\AppData\Local\Temp\88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\88f391229a2b55937636917912f775b33e39ab534c10125d8ffbee309915b3c8_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\udlor.exe
  "C:\Users\Admin\AppData\Local\Temp\udlor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\noivm.exe
    "C:\Users\Admin\AppData\Local\Temp\noivm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
370B

MD5
b4d27d792f577934760884faa114c25b

SHA1
6a8e6082de4eb60105c8b6d5a5221b8e3a41ab83

SHA256
36a17320fc74d6b51dee1eeef79068730edd4a5dbab8f3c6f98e965e24e66d4c

SHA512
204a9e2d081d3f9f1848c1bfe4712ce346fd66969e3b8f16531c23d7d811b776f537f44dcb5d0e884c9334f3e8e1d3b2e02a0a2544e6d6e67b24d3239f273e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c3ed1b146a9baa1cf7c633575d165d5f

SHA1
ccc9a28456efd7696a72313e8c3f3db6a2a55718

SHA256
30a41b373365367092601129f91c80046c076956deced22bd2a8bbb53aec7777

SHA512
6be77d6b8690a87f1844ab7a3ba19db33091be3a1510b9ba19b0a9be93111e107114b267ab18caa230b0de64aff004800cb8f9696c998d86f01801bbf12310ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\noivm.exe

Filesize
241KB

MD5
a0d28ba1203efa29b46b33b4522639c5

SHA1
9c49e49f10ac424487bbe3a6a10abacf743b954e

SHA256
bd98646efaa218f6f5f83f394c9bc71639e1b01df33d620f5cd35322d7ab79a5

SHA512
251ea1701ee2f64f2b9e699c791d6d187de37333a94bff0ae2cdf57ed5bfeb9ef1ec1f40dec7624fcd693b2a45f6c024dd27e8d6823b3099ad926819a2dba629

Download Submit
C:\Users\Admin\AppData\Local\Temp\udlor.exe

Filesize
504KB

MD5
009a12cad21a76c1c237490563e7840e

SHA1
5c2b94cdf0470e8d5ff10c32778f07141cc1c8bd

SHA256
2d8d275ff91f181d4aba3da7fef81a48d3dd45168d97d380fc21385da18e2335

SHA512
1ce80bd9d8c81e92b52f5b55d1651f4a9530dd62416ec5fd5bb165fc21f997a00c55cd4f7b0bf8e6dff8d46bbd1d27ebb9e8034c433064a82c8a40cda46f5412

Download Submit
memory/1804-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3592-25-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/3592-24-0x0000000000520000-0x00000000005D6000-memory.dmp

Filesize
728KB

Download
memory/3592-27-0x0000000000520000-0x00000000005D6000-memory.dmp

Filesize
728KB

Download
memory/3592-28-0x0000000000520000-0x00000000005D6000-memory.dmp

Filesize
728KB

Download
memory/3592-29-0x0000000000520000-0x00000000005D6000-memory.dmp

Filesize
728KB

Download
memory/3592-30-0x0000000000520000-0x00000000005D6000-memory.dmp

Filesize
728KB

Download
memory/3592-31-0x0000000000520000-0x00000000005D6000-memory.dmp

Filesize
728KB

Download
memory/4856-12-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads