urelas | 876b680120060000c51f5f13ad20fc5f53ff9036c2249dcd94fff0479be93de4

General

Target

59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe
Size

415KB
MD5

59b46d52fbe1241c3ef7fea2830eca60
SHA1

ac2375cb83e8e93964a5ba4283bff4b3c5fadce8
SHA256

876b680120060000c51f5f13ad20fc5f53ff9036c2249dcd94fff0479be93de4
SHA512

51101ad0a7ab1c1059ce8d3dcf3804e1f31495910b8c037c14b50c5ad82dc5a0dd56ee52ee4a4523b4b706a4c2e4f11a170c647f741eac9611ea6462c88b6cf4
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODgr:oU7M5ijWh0XOW4sEfeO8r

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\loivx.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exefutog.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	futog.exe

Executes dropped EXE 2 IoCs

Processes:

futog.exeloivx.exe

pid process

2184 futog.exe
3376 loivx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2184	futog.exe
3376	loivx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

loivx.exe

pid	process
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe
3376	loivx.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exefutog.exe

description	pid	process	target process
PID 1392 wrote to memory of 2184	1392	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	futog.exe
PID 1392 wrote to memory of 2184	1392	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	futog.exe
PID 1392 wrote to memory of 2184	1392	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	futog.exe
PID 1392 wrote to memory of 2912	1392	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	cmd.exe
PID 1392 wrote to memory of 2912	1392	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	cmd.exe
PID 1392 wrote to memory of 2912	1392	59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe	cmd.exe
PID 2184 wrote to memory of 3376	2184	futog.exe	loivx.exe
PID 2184 wrote to memory of 3376	2184	futog.exe	loivx.exe
PID 2184 wrote to memory of 3376	2184	futog.exe	loivx.exe

C:\Users\Admin\AppData\Local\Temp\59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59b46d52fbe1241c3ef7fea2830eca60_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\futog.exe
"C:\Users\Admin\AppData\Local\Temp\futog.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\loivx.exe
"C:\Users\Admin\AppData\Local\Temp\loivx.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:2912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
9e9123ea1198bdd81248b11102e78a8e

SHA1
846c2c9a50fd61390df1eed539662eb6e06bc4d4

SHA256
2160bbe0e9d2051e3737b08cbcafd91ff91f87eed3484d97afd19f5274c07ce7

SHA512
b8e31b48e56efff69b2d85ba8dfe7002b2c52ab3682966743cfacc7fc48a7c5ba1cc26375a2d1682f47a36aa80ae637f5ee6966bf1326b3421c78067a1ed0bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\futog.exe
Filesize
415KB

MD5
50692059b149638fe262014aba5999c0

SHA1
71e1d6c136b9741cf363573fa7ff58c09d3ae5dc

SHA256
3c516e04e3d6e1c65a130183b1e3b0e4170a320a0b09606af7a68e66b50d8604

SHA512
55d9cb9e8bce0d519bbe35de175d45f762983c28c128dd2d1404a849e0469149b0db6bf5c1ce0544ae1884ed457b6a100008872f2a5943a53cff75cfc9ef6c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
b941b3c81bcc4547f0486c4134742088

SHA1
c56b8664b3a60d8b8214a3ae730cb0b20cd1196a

SHA256
8d90530eb5f2b385b713ec504e945c61150e3adbc6595ff2205741a3310f146c

SHA512
85c3c6af72067d9a00245518c3d884b7b52a1e3dbe00ecd295d6e1432e580bad40bd9bac00c63f8067cb1c11698f45777005d67cd3043539095cd22e16c78f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\loivx.exe
Filesize
212KB

MD5
d58eded4bd0eefe55a87531a76bd24d1

SHA1
319703a3aa70385f4d770a36124f9f3788deedab

SHA256
6ca5b6caa0014af0f6d040a2543e83881c7e4caa90a1ee280f8fb8d3f39b48c8

SHA512
e94569c08a2b130813bfef0b4d9f913169eb58efa85307bd610031decdb984398b944347681c36f787e1ce8a385bfcdb1ea6a69be210bba3746a209f9e16a191

Download Submit
memory/1392-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1392-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2184-28-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3376-26-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/3376-27-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/3376-25-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/3376-23-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/3376-30-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/3376-31-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/3376-32-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/3376-33-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/3376-34-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads