urelas | 0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce

General

Target

0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe
Size

340KB
MD5

27e2a351373cef3be74f6812949bb150
SHA1

f51906959e491e1718a7ea0464a6f33d948ef183
SHA256

0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce
SHA512

ac39d7c64240f70f8deaad03191bdb841f749ddd624677fd562b867faa10adacd28b1469a7bdbbb57683fa421944f9adedb1156e22c22b06c56e66de54ac35ce
SSDEEP

6144:b/qE9d70WIH9wFHf+MQYVA5TDT44zuQOIFlUMazNWHT7+Q:uGIWiiHWnesT/483Ociy3

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exeiwkux.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	iwkux.exe

Executes dropped EXE 2 IoCs

Processes:

iwkux.exeseixl.exe

pid process

2668 iwkux.exe
3416 seixl.exe

pid	process
2668	iwkux.exe
3416	seixl.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\seixl.exe	upx
behavioral2/memory/3416-38-0x0000000000AC0000-0x0000000000B77000-memory.dmp	upx
behavioral2/memory/3416-41-0x0000000000AC0000-0x0000000000B77000-memory.dmp	upx
behavioral2/memory/3416-42-0x0000000000AC0000-0x0000000000B77000-memory.dmp	upx
behavioral2/memory/3416-43-0x0000000000AC0000-0x0000000000B77000-memory.dmp	upx
behavioral2/memory/3416-44-0x0000000000AC0000-0x0000000000B77000-memory.dmp	upx
behavioral2/memory/3416-45-0x0000000000AC0000-0x0000000000B77000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

seixl.exe

pid	process
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe
3416	seixl.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exeiwkux.exe

description	pid	process	target process
PID 2760 wrote to memory of 2668	2760	0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe	iwkux.exe
PID 2760 wrote to memory of 2668	2760	0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe	iwkux.exe
PID 2760 wrote to memory of 2668	2760	0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe	iwkux.exe
PID 2760 wrote to memory of 2628	2760	0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe	cmd.exe
PID 2760 wrote to memory of 2628	2760	0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe	cmd.exe
PID 2760 wrote to memory of 2628	2760	0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe	cmd.exe
PID 2668 wrote to memory of 3416	2668	iwkux.exe	seixl.exe
PID 2668 wrote to memory of 3416	2668	iwkux.exe	seixl.exe
PID 2668 wrote to memory of 3416	2668	iwkux.exe	seixl.exe

C:\Users\Admin\AppData\Local\Temp\0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ffc8232298d167f8d69ab8301c1cc484c8a9a29bcd5ca4f0ff5fe19186ab5ce_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\iwkux.exe
"C:\Users\Admin\AppData\Local\Temp\iwkux.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\seixl.exe
"C:\Users\Admin\AppData\Local\Temp\seixl.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
370B

MD5
0d4e24699073c6b879285ed4a6b19f26

SHA1
01c46c56d3abd48bcdc5dbcf079efd3f48da1ba1

SHA256
53d7222adb221c7938e0edd103767d7c7d39a7746fae98ac174cc7b705c3c575

SHA512
61727d0fb46611c6615be94252b69ea00772b290d796847e0c741fe93c755d714cce9058a63623efe2cfbc64107eafd4dc647c53575b57a20f6af5bcfa9a156b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
2d4676535b49a273bf937e82016cece4

SHA1
7b71f0e8905780430bb3f7a03b74b8e99db48685

SHA256
f875c75a891037120f666e2a95a4367ff6ace2949d3f2b4e54fd7dcde90633c8

SHA512
69770aa1ddf9435a25eef5b31fb439ac561f7d76d9bda1187d9711daf695e6759149bb3e09bfbb44ac94bf8ed2f695c9cf548be9866aada468321014d682195c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwkux.exe
Filesize
340KB

MD5
e9fb84c536f8fbfb7ca242df43fb9404

SHA1
125818386438072eed19a969ae70f9b3ff510a12

SHA256
993bd01a0d89373fcc6997681af4755720c1a68877dba6edd42b24552e7a2057

SHA512
2c143cc6080e13678bfa2a9d6d557ea9a6ceffdd58fdcb1a8bca28edd253bea5f7ab4b93c0676db24bd66b03a122e0e64c5d346c060d3644b423014bbc567a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\seixl.exe
Filesize
226KB

MD5
e53aa4346c5d372ecfa1cff4f4e08bb8

SHA1
5438c43509c27b4a6dabe5168fd81c2ef5e9dd9e

SHA256
55795a071b79f1c23ea3c42c7a700e6d5a7aaf6d6aa7ac4130460fa795fe7d45

SHA512
0d2d8f9d621f5bc34f56771e622da338de07d1a4bc01ee986143f882c0f2e71a178ccaf689218d20dc4574ddc0e662f8983b5257f745475a0d74dc34ba24bfac

Download Submit
memory/2668-20-0x0000000000C10000-0x0000000000C98000-memory.dmp

Filesize
544KB

Download
memory/2668-22-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/2668-14-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/2668-13-0x0000000000C10000-0x0000000000C98000-memory.dmp

Filesize
544KB

Download
memory/2668-39-0x0000000000C10000-0x0000000000C98000-memory.dmp

Filesize
544KB

Download
memory/2760-0-0x00000000001D0000-0x0000000000258000-memory.dmp

Filesize
544KB

Download
memory/2760-1-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

Filesize
8KB

Download
memory/2760-17-0x00000000001D0000-0x0000000000258000-memory.dmp

Filesize
544KB

Download
memory/3416-38-0x0000000000AC0000-0x0000000000B77000-memory.dmp

Filesize
732KB

Download
memory/3416-41-0x0000000000AC0000-0x0000000000B77000-memory.dmp

Filesize
732KB

Download
memory/3416-42-0x0000000000AC0000-0x0000000000B77000-memory.dmp

Filesize
732KB

Download
memory/3416-43-0x0000000000AC0000-0x0000000000B77000-memory.dmp

Filesize
732KB

Download
memory/3416-44-0x0000000000AC0000-0x0000000000B77000-memory.dmp

Filesize
732KB

Download
memory/3416-45-0x0000000000AC0000-0x0000000000B77000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads