urelas | 546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b

General

Target

546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe
Size

359KB
MD5

e1577e0da5c1f73bab67092c37c9fe60
SHA1

ee8df12243b3c74da7d9a824c2d85f707193b2a0
SHA256

546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b
SHA512

34ad4382433f1453d5c8190d06717626d82ee073b941407f002e311b18a3b6096861eaf24aa09c4c3b93a6fcf6093b8a5776f478dc76b3fc93c144fc1dac70dc
SSDEEP

6144:c1bYec5C8AAYLxhEmPG7qwmioqVsCqbN0OJXmY:MUyI6QmPPPqVspFXz

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2596 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

velom.exebaciwi.exeinafp.exe

pid process

2308 velom.exe
2668 baciwi.exe
500 inafp.exe

pid	process
2596	cmd.exe

pid	process
2308	velom.exe
2668	baciwi.exe
500	inafp.exe

Loads dropped DLL 5 IoCs

Processes:

546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exevelom.exebaciwi.exe

pid	process
1984	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe
1984	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe
2308	velom.exe
2308	velom.exe
2668	baciwi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

inafp.exe

pid	process
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe
500	inafp.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exevelom.exebaciwi.exe

description	pid	process	target process
PID 1984 wrote to memory of 2308	1984	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	velom.exe
PID 1984 wrote to memory of 2308	1984	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	velom.exe
PID 1984 wrote to memory of 2308	1984	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	velom.exe
PID 1984 wrote to memory of 2308	1984	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	velom.exe
PID 1984 wrote to memory of 2596	1984	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	cmd.exe
PID 1984 wrote to memory of 2596	1984	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	cmd.exe
PID 1984 wrote to memory of 2596	1984	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	cmd.exe
PID 1984 wrote to memory of 2596	1984	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	cmd.exe
PID 2308 wrote to memory of 2668	2308	velom.exe	baciwi.exe
PID 2308 wrote to memory of 2668	2308	velom.exe	baciwi.exe
PID 2308 wrote to memory of 2668	2308	velom.exe	baciwi.exe
PID 2308 wrote to memory of 2668	2308	velom.exe	baciwi.exe
PID 2668 wrote to memory of 500	2668	baciwi.exe	inafp.exe
PID 2668 wrote to memory of 500	2668	baciwi.exe	inafp.exe
PID 2668 wrote to memory of 500	2668	baciwi.exe	inafp.exe
PID 2668 wrote to memory of 500	2668	baciwi.exe	inafp.exe
PID 2668 wrote to memory of 1828	2668	baciwi.exe	cmd.exe
PID 2668 wrote to memory of 1828	2668	baciwi.exe	cmd.exe
PID 2668 wrote to memory of 1828	2668	baciwi.exe	cmd.exe
PID 2668 wrote to memory of 1828	2668	baciwi.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\velom.exe
"C:\Users\Admin\AppData\Local\Temp\velom.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\Temp\baciwi.exe
"C:\Users\Admin\AppData\Local\Temp\baciwi.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\inafp.exe
"C:\Users\Admin\AppData\Local\Temp\inafp.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
370B

MD5
6970a07e2d564493509ed5a2e3b2dd4d

SHA1
60194f3632f48bd1b380ed033e78797e68ae4623

SHA256
296443ef69e7a8a4061907316e5af23efce45c0339a81eec852b031ab709a8a0

SHA512
f908f7bea06794be6e847ce1b2c9898c9efc52e09856a12a4538da4008a5b90b69a81c0f01b62320ab25fa984f289fbf4b3754cf3100efefe0276d40d199c807

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
4786a1dbbe9e24c58bbd2f00cefdc1db

SHA1
f916ce5486981cb0b7a47d8e94cd28fa829c0a10

SHA256
705434c8fb0b3403304ae8e364fd06b9fe02ae495f57e025a4a012a7c401ea1e

SHA512
3d64b99e364375760c8bdb7ba09082fb66c9017968aabb6c1501b79a106bb25c5b059d9e5d376dd639a1c9efc46ea7471d85c38f6d368743a1db1ad6d8bde1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
19d4be6f724527088540b1f906e7cc1c

SHA1
46c7a81f28df3fc4e3edf33b0690effb4b8ec064

SHA256
baed9ae7889834b2dd1b0176189dd7209f749b363b7bfbf4d32640efee15f9a6

SHA512
584e2eddf27e2cba60fefd3885a80559a6ce2bd0ff9163d18cf17f210df80e878cb56079f446cc25ff8d610b90611e239abbcb2b54f4e3fb33d1b390e1290878

Download Submit
C:\Users\Admin\AppData\Local\Temp\velom.exe
Filesize
359KB

MD5
97d50f45805a49d6b4673bbba3fdc520

SHA1
18c237a510808f038d36370e0c0d0e53856e7a8b

SHA256
e088d7ea3cd428baabda3067d0e48c9bf2952ca9c5fc545b67dd2988b8abf63f

SHA512
ebfbf85f01d0d70ef6f6bed38e78e0573159bb7b5e2ccf7ae808492b4b5efd2a2810d99b32183e4a0b51073640fe8d3eabd5499e156f4d13354a3a67fdc7aaf2

Download Submit
\Users\Admin\AppData\Local\Temp\inafp.exe
Filesize
107KB

MD5
65e619f5e7f5399bf153c777b4a2604a

SHA1
402dd9841e00ff83efe4428ea2a075d237f7d835

SHA256
2d8ea7208a36e5c17f40ab688e28766b78d6dc1432193e8b27e3633e78013b36

SHA512
83179f19182ebd699928e1acdb75fd335ba3a2d99d1e6f8814ba74868ef8588085b64d41e91585789d003366268876f111ca153a62e5ad76fe5ccf72c4816240

Download Submit
memory/500-51-0x0000000000130000-0x00000000001B5000-memory.dmp

Filesize
532KB

Download
memory/500-60-0x0000000000130000-0x00000000001B5000-memory.dmp

Filesize
532KB

Download
memory/500-59-0x0000000000130000-0x00000000001B5000-memory.dmp

Filesize
532KB

Download
memory/500-58-0x0000000000130000-0x00000000001B5000-memory.dmp

Filesize
532KB

Download
memory/500-57-0x0000000000130000-0x00000000001B5000-memory.dmp

Filesize
532KB

Download
memory/500-56-0x0000000000130000-0x00000000001B5000-memory.dmp

Filesize
532KB

Download
memory/500-55-0x0000000000130000-0x00000000001B5000-memory.dmp

Filesize
532KB

Download
memory/1984-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1984-13-0x0000000002C30000-0x0000000002C89000-memory.dmp

Filesize
356KB

Download
memory/1984-12-0x0000000002C30000-0x0000000002C89000-memory.dmp

Filesize
356KB

Download
memory/1984-21-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2308-33-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2668-52-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2668-40-0x0000000003D80000-0x0000000003E05000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads