urelas | 546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b

General

Target

546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe
Size

359KB
MD5

e1577e0da5c1f73bab67092c37c9fe60
SHA1

ee8df12243b3c74da7d9a824c2d85f707193b2a0
SHA256

546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b
SHA512

34ad4382433f1453d5c8190d06717626d82ee073b941407f002e311b18a3b6096861eaf24aa09c4c3b93a6fcf6093b8a5776f478dc76b3fc93c144fc1dac70dc
SSDEEP

6144:c1bYec5C8AAYLxhEmPG7qwmioqVsCqbN0OJXmY:MUyI6QmPPPqVspFXz

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exerohuh.exebyapku.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	rohuh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	byapku.exe

Executes dropped EXE 3 IoCs

Processes:

rohuh.exebyapku.exezilyx.exe

pid process

2028 rohuh.exe
2144 byapku.exe
468 zilyx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2028	rohuh.exe
2144	byapku.exe
468	zilyx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

zilyx.exe

pid	process
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe
468	zilyx.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exerohuh.exebyapku.exe

description	pid	process	target process
PID 5104 wrote to memory of 2028	5104	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	rohuh.exe
PID 5104 wrote to memory of 2028	5104	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	rohuh.exe
PID 5104 wrote to memory of 2028	5104	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	rohuh.exe
PID 5104 wrote to memory of 2888	5104	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	cmd.exe
PID 5104 wrote to memory of 2888	5104	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	cmd.exe
PID 5104 wrote to memory of 2888	5104	546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe	cmd.exe
PID 2028 wrote to memory of 2144	2028	rohuh.exe	byapku.exe
PID 2028 wrote to memory of 2144	2028	rohuh.exe	byapku.exe
PID 2028 wrote to memory of 2144	2028	rohuh.exe	byapku.exe
PID 2144 wrote to memory of 468	2144	byapku.exe	zilyx.exe
PID 2144 wrote to memory of 468	2144	byapku.exe	zilyx.exe
PID 2144 wrote to memory of 468	2144	byapku.exe	zilyx.exe
PID 2144 wrote to memory of 3876	2144	byapku.exe	cmd.exe
PID 2144 wrote to memory of 3876	2144	byapku.exe	cmd.exe
PID 2144 wrote to memory of 3876	2144	byapku.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\546c844f8cfb663c99f6724c4c5a45087a318a464b8b72b60bca4377097f247b_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AppData\Local\Temp\rohuh.exe
"C:\Users\Admin\AppData\Local\Temp\rohuh.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\byapku.exe
"C:\Users\Admin\AppData\Local\Temp\byapku.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\zilyx.exe
"C:\Users\Admin\AppData\Local\Temp\zilyx.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3768,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
1⤵
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
6ee57a7264712ffc17755e371eb65b7c

SHA1
b6cb09797d80991c4334ace09b13042f2e2a5ffb

SHA256
fcdee85057ba47b3db883a8bd6a973754fb814934dd55d00652bd4559939ea73

SHA512
610a5bfcc99446ff9dbb26009b1e411716f3e9e3f3ae9a3aa095d4c741ad372663ccbdf61148c7b20edc701d1f0ff04a54fc794e44d6f9980758da2d76d96817

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
370B

MD5
6970a07e2d564493509ed5a2e3b2dd4d

SHA1
60194f3632f48bd1b380ed033e78797e68ae4623

SHA256
296443ef69e7a8a4061907316e5af23efce45c0339a81eec852b031ab709a8a0

SHA512
f908f7bea06794be6e847ce1b2c9898c9efc52e09856a12a4538da4008a5b90b69a81c0f01b62320ab25fa984f289fbf4b3754cf3100efefe0276d40d199c807

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
80f76420f2655c755e2919c4edee7374

SHA1
9d71cd5ea48adb0da659fb0b43b9bf857d136b1b

SHA256
0d1d99b9751811a787bdad28b86002dc0c275ebbfe65706fcfead66a9dc19fda

SHA512
5c3965ab0ee79e7e1fa633bcda906ee6cd22f5e55819a71af0ec25dd4a51534eb13d2d80b068715bb0b15eba29a23d58dda00314e268e7cad824d0e92e407f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rohuh.exe
Filesize
359KB

MD5
35dca61b90891c17f05448d26cd92685

SHA1
185ae219108e3cedf0f67b1364e23c2b405d9361

SHA256
9341d91abc106af6307d58d365401d7d02fb806e38a7bf491a40364008288695

SHA512
c2b959e3d7a095f18ea9c3debdaaed8f8dfc2a669bd95ca95ae802b939dcfefc1c043ab6afed2fb87af4e0c4c424e59558439c554d91588956260684be2667c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zilyx.exe
Filesize
107KB

MD5
590e9bb3b2a8be59ccbc2121e1687f62

SHA1
9f3f2f5b7a4643c8751a9afd3068b89042908a51

SHA256
107d4e93b7ad39173cca9f6fa2a601edd7721c0a4172e84868cc0f7e748ca917

SHA512
ce3b24d6c07d301b8ae5e36ae5c35d87438bf9b2200854fb6bdab695d97265aa0a8f25cf883ffc4c822b7be1e6363ea78992b1bcf82f4975680fb8e5bb899d38

Download Submit
memory/468-42-0x0000000000FF0000-0x0000000001075000-memory.dmp

Filesize
532KB

Download
memory/468-38-0x0000000000FF0000-0x0000000001075000-memory.dmp

Filesize
532KB

Download
memory/468-43-0x0000000000FF0000-0x0000000001075000-memory.dmp

Filesize
532KB

Download
memory/468-44-0x0000000000FF0000-0x0000000001075000-memory.dmp

Filesize
532KB

Download
memory/468-45-0x0000000000FF0000-0x0000000001075000-memory.dmp

Filesize
532KB

Download
memory/468-46-0x0000000000FF0000-0x0000000001075000-memory.dmp

Filesize
532KB

Download
memory/468-47-0x0000000000FF0000-0x0000000001075000-memory.dmp

Filesize
532KB

Download
memory/2028-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2028-11-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2144-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2144-40-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5104-16-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5104-2-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads