urelas | 604e4873305c29b900ad2f6307726dde665a69c54bcb00df0c4b82403f098205

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe
Size

430KB
MD5

db2dae2c9dcb4e0ca11c4954d2ac6210
SHA1

0af265bc32c5e04bf672c5214b7336a45e5f610d
SHA256

604e4873305c29b900ad2f6307726dde665a69c54bcb00df0c4b82403f098205
SHA512

866e2ff535549ebd89df3812eca77a6d418f6e45ab0ab2c7c34f72e6cc5c7941929858d9099cd212bcae625a97414d62b5deda817d81a46a00970ac90d35754d
SSDEEP

6144:BKbwhNxUjDVMytD2NkWuRk/oBmodd+sAaTmQo2fkKmC:4ANxU3VH1t19MsAlpXw

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-27.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2980	ijkur.exe
1040	yqpub.exe

Loads dropped DLL 3 IoCs

pid	Process
2268	db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe
2268	db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe
2980	ijkur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe
1040	yqpub.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2980	2268	db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe	28
PID 2268 wrote to memory of 2980	2268	db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe	28
PID 2268 wrote to memory of 2980	2268	db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe	28
PID 2268 wrote to memory of 2980	2268	db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe	28
PID 2268 wrote to memory of 2540	2268	db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe	29
PID 2268 wrote to memory of 2540	2268	db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe	29
PID 2268 wrote to memory of 2540	2268	db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe	29
PID 2268 wrote to memory of 2540	2268	db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe	29
PID 2980 wrote to memory of 1040	2980	ijkur.exe	33
PID 2980 wrote to memory of 1040	2980	ijkur.exe	33
PID 2980 wrote to memory of 1040	2980	ijkur.exe	33
PID 2980 wrote to memory of 1040	2980	ijkur.exe	33

C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\ijkur.exe
  "C:\Users\Admin\AppData\Local\Temp\ijkur.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\yqpub.exe
    "C:\Users\Admin\AppData\Local\Temp\yqpub.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
306B

MD5
767f7cfaad35e21a8867d8a753eea7d3

SHA1
b62fe2147de17fca026d5a283ec3e13b6a8669d8

SHA256
a10dd3841802d279970e590b17da1e1078e147fec3633cfdf45f4aca122bb9d5

SHA512
f59804b3c4d0865d7cd4eae59cda35d2b1e6fdab0d6f70e5cc07dee695ae080a17e4b92ce9aa5e03987f1de68ff47e362cce0f2a6f52f62124a5dbd9a721e689

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
49e9e46c708fb568cd298d22461b3615

SHA1
f0a580212911dfb0d15f63db116e6c0e9425904d

SHA256
8812740ade2b1e433d976b0893392c07d63823b78b1f4e8dae437812894d8223

SHA512
76c82a8ea9f033449028702bb5fd3967bca4c344ec2bd52d25d06893fc7f9f89143c43f4be773a93b4a3477c8a4fb27c320bd1ee1d3043052e1d0940ab41146f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijkur.exe

Filesize
430KB

MD5
09c984bc42f859a6c456c7a84ffbe74b

SHA1
2cff3fc42a05d20805de13fbd59eae30c8b1751d

SHA256
69308496a625f26d7b81a92967ada6ea9fc2738b4571a20b911b8aefdaeaafdb

SHA512
3954684bb6ca00188b1a15e9241730ec8371f41ce415c087c9993fac7ccfc05c1733eb1c36cfbfec9e2102cec4f7aacf6eb5fd50b5b1a4ebdbe215aa64af4542

Download Submit
\Users\Admin\AppData\Local\Temp\yqpub.exe

Filesize
216KB

MD5
5f762341d3a5126a6b36640941809abf

SHA1
3e1b77a58f6de2fbbd33f75e198fc77cbaf61aea

SHA256
115f093489c76339e609d120726f2fb62bd579c576eb86118acf7c1483d5bbf7

SHA512
33969b9a72dcdcfa6124cb0bd754a0b9516ffd209d0b10acbae2f64955e56ad296779c9ed16b2be7271d2502e82b429d7f980bddc47667cd7807b285daecfd29

Download Submit
memory/1040-41-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/1040-39-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/1040-40-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/1040-36-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/1040-42-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/1040-38-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/1040-34-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/1040-33-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/1040-35-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/2268-22-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2268-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2268-11-0x0000000002BC0000-0x0000000002C28000-memory.dmp

Filesize
416KB

Download
memory/2268-12-0x0000000002BC0000-0x0000000002C28000-memory.dmp

Filesize
416KB

Download
memory/2980-30-0x0000000003D90000-0x0000000003E32000-memory.dmp

Filesize
648KB

Download
memory/2980-31-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2980-14-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download