urelas | 876b680120060000c51f5f13ad20fc5f53ff9036c2249dcd94fff0479be93de4

General

Target

59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe
Size

415KB
MD5

59b46d52fbe1241c3ef7fea2830eca60
SHA1

ac2375cb83e8e93964a5ba4283bff4b3c5fadce8
SHA256

876b680120060000c51f5f13ad20fc5f53ff9036c2249dcd94fff0479be93de4
SHA512

51101ad0a7ab1c1059ce8d3dcf3804e1f31495910b8c037c14b50c5ad82dc5a0dd56ee52ee4a4523b4b706a4c2e4f11a170c647f741eac9611ea6462c88b6cf4
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODgr:oU7M5ijWh0XOW4sEfeO8r

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\coaqp.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2660 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

qiisz.execoaqp.exe

pid process

3020 qiisz.exe
1624 coaqp.exe
Loads dropped DLL 3 IoCs

Processes:

59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exeqiisz.exe

pid process

2296 59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe
2296 59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe
3020 qiisz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2660	cmd.exe

pid	process
3020	qiisz.exe
1624	coaqp.exe

pid	process
2296	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe
2296	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe
3020	qiisz.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

coaqp.exe

pid	process
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe
1624	coaqp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exeqiisz.exe

description	pid	process	target process
PID 2296 wrote to memory of 3020	2296	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	qiisz.exe
PID 2296 wrote to memory of 3020	2296	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	qiisz.exe
PID 2296 wrote to memory of 3020	2296	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	qiisz.exe
PID 2296 wrote to memory of 3020	2296	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	qiisz.exe
PID 2296 wrote to memory of 2660	2296	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	cmd.exe
PID 2296 wrote to memory of 2660	2296	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	cmd.exe
PID 2296 wrote to memory of 2660	2296	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	cmd.exe
PID 2296 wrote to memory of 2660	2296	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	cmd.exe
PID 3020 wrote to memory of 1624	3020	qiisz.exe	coaqp.exe
PID 3020 wrote to memory of 1624	3020	qiisz.exe	coaqp.exe
PID 3020 wrote to memory of 1624	3020	qiisz.exe	coaqp.exe
PID 3020 wrote to memory of 1624	3020	qiisz.exe	coaqp.exe

C:\Users\Admin\AppData\Local\Temp\59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\qiisz.exe
  "C:\Users\Admin\AppData\Local\Temp\qiisz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\coaqp.exe
    "C:\Users\Admin\AppData\Local\Temp\coaqp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
306B

MD5
9e9123ea1198bdd81248b11102e78a8e

SHA1
846c2c9a50fd61390df1eed539662eb6e06bc4d4

SHA256
2160bbe0e9d2051e3737b08cbcafd91ff91f87eed3484d97afd19f5274c07ce7

SHA512
b8e31b48e56efff69b2d85ba8dfe7002b2c52ab3682966743cfacc7fc48a7c5ba1cc26375a2d1682f47a36aa80ae637f5ee6966bf1326b3421c78067a1ed0bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d5791a097c0094c7c331bb31215d21aa

SHA1
0d0b9d32aa380c3e6c9f89eddfa70cf748db47ed

SHA256
82a5ddad8eed8bc490b0cc30245d0706445b487e8520262de0d24a28fa746d2a

SHA512
6e22a9097a5d2ffca7d929b739e2c9d5fac5b61ebedbbbe83f8627f20bcf9657c85c8f3b105998c40855d953114675d05708f9e00cfccc4d0d485c37a33b503c

Download Submit
\Users\Admin\AppData\Local\Temp\coaqp.exe

Filesize
212KB

MD5
f0686748291431c0c897881bff50a173

SHA1
ec5230c4973d567bd8a8ccff4c93aa1979bbbc5e

SHA256
2b1eef8d3887e41dcb2f8ef24fdba06a4f986c53cc5023cd25fa4fec8e309cd0

SHA512
7dbe0d0b8bc7fe3fb15b544e9c991dbd7dce01dc444e0673a08b99e5eccaf615bfc7db0653eeb49b249b46765776078161084ffd8e322682a905cd238282f35c

Download Submit
\Users\Admin\AppData\Local\Temp\qiisz.exe

Filesize
415KB

MD5
ec1f9618e5f1733de2b3ffaec36627fd

SHA1
2be78f76c029a06347917ca889923d24c60fe7a1

SHA256
4d31a51278642eedd1d8a72d9064d6127ce9595a93ac3a632d137b033214bf07

SHA512
4257328590e9e74f2dd969f89ae793cdee960e7c828bca76bf6990cc8a5467f36b188871ec5a37ae7763a45f45a83842000fad5ab1f6d830fa4edec3f7c31709

Download Submit
memory/1624-32-0x0000000000CB0000-0x0000000000D44000-memory.dmp

Filesize
592KB

Download
memory/1624-37-0x0000000000CB0000-0x0000000000D44000-memory.dmp

Filesize
592KB

Download
memory/1624-41-0x0000000000CB0000-0x0000000000D44000-memory.dmp

Filesize
592KB

Download
memory/1624-40-0x0000000000CB0000-0x0000000000D44000-memory.dmp

Filesize
592KB

Download
memory/1624-39-0x0000000000CB0000-0x0000000000D44000-memory.dmp

Filesize
592KB

Download
memory/1624-35-0x0000000000CB0000-0x0000000000D44000-memory.dmp

Filesize
592KB

Download
memory/1624-34-0x0000000000CB0000-0x0000000000D44000-memory.dmp

Filesize
592KB

Download
memory/1624-33-0x0000000000CB0000-0x0000000000D44000-memory.dmp

Filesize
592KB

Download
memory/1624-38-0x0000000000CB0000-0x0000000000D44000-memory.dmp

Filesize
592KB

Download
memory/2296-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2296-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2296-11-0x0000000002350000-0x00000000023B5000-memory.dmp

Filesize
404KB

Download
memory/3020-31-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3020-29-0x0000000003D50000-0x0000000003DE4000-memory.dmp

Filesize
592KB

Download
memory/3020-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads