urelas | 24233629c98c6865c7d79a93242bad84df570be796849bdd9561a00a30d27df8

General

Target

0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exe
Size

272KB
MD5

0a32143e69ceee82bbab560358d992b0
SHA1

2d96118ca36460309d6ec4d10c642ab6720217ee
SHA256

24233629c98c6865c7d79a93242bad84df570be796849bdd9561a00a30d27df8
SHA512

7368aab81b212f79447581a400eb157a93e8348b30af82eb78d94242bebdd6b04c088073e9156192cdf17d96e388f684bad22fc6e9f10219804a399d0a0b9a5f
SSDEEP

6144:XwgM03hO1Gw64OU4OttDPGigknGDjvzYR05CFc/SnOC5:ggM03sA3uttDDgk6vzYR05Mc/QOC5

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\xoebs.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qowyn.exe0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	qowyn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

Processes:

qowyn.exexoebs.exe

pid process

1936 qowyn.exe
4748 xoebs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1936	qowyn.exe
4748	xoebs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

xoebs.exe

pid	process
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe
4748	xoebs.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exeqowyn.exe

description	pid	process	target process
PID 4360 wrote to memory of 1936	4360	0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exe	qowyn.exe
PID 4360 wrote to memory of 1936	4360	0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exe	qowyn.exe
PID 4360 wrote to memory of 1936	4360	0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exe	qowyn.exe
PID 4360 wrote to memory of 1816	4360	0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exe	cmd.exe
PID 4360 wrote to memory of 1816	4360	0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exe	cmd.exe
PID 4360 wrote to memory of 1816	4360	0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exe	cmd.exe
PID 1936 wrote to memory of 4748	1936	qowyn.exe	xoebs.exe
PID 1936 wrote to memory of 4748	1936	qowyn.exe	xoebs.exe
PID 1936 wrote to memory of 4748	1936	qowyn.exe	xoebs.exe

C:\Users\Admin\AppData\Local\Temp\0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a32143e69ceee82bbab560358d992b0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\qowyn.exe
"C:\Users\Admin\AppData\Local\Temp\qowyn.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\xoebs.exe
"C:\Users\Admin\AppData\Local\Temp\xoebs.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
306B

MD5
b7fd2e8cbbf28355e90e0a7c6a7fca64

SHA1
a1dc0eda7627b5e85ebff3d85965cde40862400b

SHA256
85504e0960da61660d2bd57cd792e771a59fea38f9806e319a960dbe21eec8f3

SHA512
4df6404b1dc1b3ea8d7e9c57c550a920b1f1d859c1445f58204ffb4e07a8e5d1b3301cb118f13afb5bdb339e9a3027d76d0dd913ca6b0e85b337b9461c25d090

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e94dda441db19d518bd9197f49118df2

SHA1
d98e2092330f3dd08c262e784ad0a5adb6cc068a

SHA256
c51c4dcc1fef8f258a1e19371c14f44297b7c2f6209471fb578cb2cf9dbc06fc

SHA512
06adae6eba40c701572c277c28396e8974093480773ee71c198fcc0d26b28f878d49502aff7ce872274c3fe0a0cada3606a15ac792c1ee565ea45d6a27fd881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qowyn.exe

Filesize
272KB

MD5
0dd6e231d74a4d2a27f6e1ee52eeb1e7

SHA1
bc62a0440a9cecbe0b960fcf9fdd02d12eb6adf3

SHA256
d336e94c1ccdeadebfbc89016a77cd97fe1130c0686162806d246381d2392f0d

SHA512
3bcec0d5d0e7e13313cca7e5db017c67dec42f326e71b71a23ace77df6bf397f5be698431ccb2f3bd9f0cdbab65d7ca6ab88cd44ca12c642957badc024d54c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoebs.exe

Filesize
212KB

MD5
4f5b0d8228f939df1824bb963abc9faf

SHA1
a54754c4e19a269cfc75393b06c556b62cea02c3

SHA256
591dece02c6ac7131a40cc2f33bc1b95b1f8e2e81869ce0bd4e44426b266eacf

SHA512
654a8572e930b782e1950fd9310169632fb113179fe0ed6f097b7635c6c68af54b66ef590f45f67afe16f828991fd59704c95b5259184edc7b4aa36be35440d9

Download Submit
memory/1936-39-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1936-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1936-14-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1936-20-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1936-22-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4360-17-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4360-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4360-1-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4748-41-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4748-43-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4748-40-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4748-42-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4748-45-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4748-46-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4748-47-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4748-48-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4748-49-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads