urelas | 6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df

General

Target

6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe
Size

370KB
MD5

1532e9fd97ee6339d8bcc668457959e0
SHA1

d97a7ca7e036930786f5bd7df43148cb1e4018c1
SHA256

6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df
SHA512

9999dbac2b93d38c413dbe6e43fc9104d9b463ea33d6046615a2c80a81c1fb173b43ae7a72bb432c440adece2a5da41f62119e61dbf537d34910752fb01c65a7
SSDEEP

6144:CuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pii:CzGL2C2aZ2/F1WHHUaveOHjTei

Score

10^/10

urelas trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2696 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

wegyt.exenicod.exe

pid process

2572 wegyt.exe
296 nicod.exe
Loads dropped DLL 3 IoCs

Processes:

6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exewegyt.exe

pid process

2892 6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe
2572 wegyt.exe
2572 wegyt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2696	cmd.exe

pid	process
2572	wegyt.exe
296	nicod.exe

pid	process
2892	6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe
2572	wegyt.exe
2572	wegyt.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

nicod.exe

pid	process
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe
296	nicod.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exewegyt.exe

description	pid	process	target process
PID 2892 wrote to memory of 2572	2892	6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe	wegyt.exe
PID 2892 wrote to memory of 2572	2892	6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe	wegyt.exe
PID 2892 wrote to memory of 2572	2892	6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe	wegyt.exe
PID 2892 wrote to memory of 2572	2892	6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe	wegyt.exe
PID 2892 wrote to memory of 2696	2892	6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe	cmd.exe
PID 2892 wrote to memory of 2696	2892	6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe	cmd.exe
PID 2892 wrote to memory of 2696	2892	6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe	cmd.exe
PID 2892 wrote to memory of 2696	2892	6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe	cmd.exe
PID 2572 wrote to memory of 296	2572	wegyt.exe	nicod.exe
PID 2572 wrote to memory of 296	2572	wegyt.exe	nicod.exe
PID 2572 wrote to memory of 296	2572	wegyt.exe	nicod.exe
PID 2572 wrote to memory of 296	2572	wegyt.exe	nicod.exe

C:\Users\Admin\AppData\Local\Temp\6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6c0bf34ab9fea5131166877282eff6933f3d798928ba76ab0f85e17c486c18df_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\wegyt.exe
"C:\Users\Admin\AppData\Local\Temp\wegyt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\nicod.exe
"C:\Users\Admin\AppData\Local\Temp\nicod.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
370B

MD5
820c4d9437dc37744b63c68c17ef2813

SHA1
0bd7958f489dac92b048227c26c5c00b5a7c087f

SHA256
bc3f9a6ab743229eec241dc4f353a2dbca69ac7842fea4ae5e22aed6e186e47c

SHA512
c3bbc006fec3735c69ec456e33339e21b9be05b259cbe0e0197c8b19e1f351fbf87d2ab61929c810f004d4f1087bec266ec2e43f7ecc93d7638952a1349cd1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
1beb0cc2e356ceccde5dbbd76bcc2b89

SHA1
581a09403dda48f60b38029ee96b8bb76404b83f

SHA256
720a3b64989ce2be78d5a9a4541b4fa6cfbf25c1a7c599c2257f444349655000

SHA512
6b27c36b6d40c89c48ec5490bdf25dcdb9718ad12816c2487d1793fdf923e945bfb888c7c9eefa00163b754c6607c11ff83727909421e3ddb814e87357d73a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nicod.exe
Filesize
303KB

MD5
42935f8174e1ab3fcc61fa97f4203e93

SHA1
4d16db55c17b498e0bb4ffc2622d7956b550ddcc

SHA256
85e0b792d051eca6337437cf044b1f893bb570f4683e4a059a129cf097433a17

SHA512
bd38f5dd8bdedb50c832c8f77ed7aecb9bb7a5dc7d32a935d92f0d988f300dd9b4119d45f105e5357f137bbd92382949475fdade050bbb2f0ab41aab4c6e6b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\wegyt.exe
Filesize
370KB

MD5
9736ea34b600c4204281a8137870b4c8

SHA1
4ed35ec808940a659807c93250fda646e7d55eb2

SHA256
cdd00eb99d75c0fe2b4bcf28b182dbf18589c0bf7fae71552520da54c524db12

SHA512
6a8d67ac6a52a95dd83c962fed8d41836e14b5316391fe9caaed462262b6a600eb7ad5a7aeebba881b94db29d39dcbfb45201637a96f3e79d0b8aabe01d6cc7d

Download Submit
\Users\Admin\AppData\Local\Temp\wegyt.exe
Filesize
370KB

MD5
3aed281548316e2d6805d94e58f5f003

SHA1
e4eeee3380c9b426d9e75f242e0f83903330351f

SHA256
b0b91f5c85370964b84e6db0a2828f071ee9fcdd8ce28cdcbe1a5f029c0713cd

SHA512
790fccc6778234c4918f6b00133ec51d267a00196308dd9933f82e306e56ad5c18e167cc7796310e7c16c4cca0c19f60ec2e08acef628dc480087071ce07a164

Download Submit

Analysis

Sharing