urelas | 3465a6f61f1327ffdf1264cc9616040f308f466c2ea8e4d7fa96a954649f0dfc

General

Target

34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe
Size

290KB
MD5

34373a2cd74d55362c44e5bcd569ba00
SHA1

b704e9bdb73bae4d9bca9d4c3b074070e525f07a
SHA256

3465a6f61f1327ffdf1264cc9616040f308f466c2ea8e4d7fa96a954649f0dfc
SHA512

29f7b7a24a9c4dcf315c761d70da5f39488326cc9712195d5772b94f77db376372e350f67e075a7a3abc11beb21ecb64ea10ffb988f3f203ad3b5405b9ae87d8
SSDEEP

6144:96xwSR5NtUIJEWyXuew+q1l0d2Js6H5/TZkKr+:9A3NtUISdPw+Elq2Jsm2j

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\siyqb.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2888 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

ucxiz.exesiyqb.exe

pid process

1996 ucxiz.exe
352 siyqb.exe
Loads dropped DLL 3 IoCs

Processes:

34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exeucxiz.exe

pid process

2468 34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe
2468 34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe
1996 ucxiz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2888	cmd.exe

pid	process
1996	ucxiz.exe
352	siyqb.exe

pid	process
2468	34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe
2468	34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe
1996	ucxiz.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

siyqb.exe

pid	process
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe
352	siyqb.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exeucxiz.exe

description	pid	process	target process
PID 2468 wrote to memory of 1996	2468	34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe	ucxiz.exe
PID 2468 wrote to memory of 1996	2468	34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe	ucxiz.exe
PID 2468 wrote to memory of 1996	2468	34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe	ucxiz.exe
PID 2468 wrote to memory of 1996	2468	34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe	ucxiz.exe
PID 2468 wrote to memory of 2888	2468	34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe	cmd.exe
PID 2468 wrote to memory of 2888	2468	34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe	cmd.exe
PID 2468 wrote to memory of 2888	2468	34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe	cmd.exe
PID 2468 wrote to memory of 2888	2468	34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe	cmd.exe
PID 1996 wrote to memory of 352	1996	ucxiz.exe	siyqb.exe
PID 1996 wrote to memory of 352	1996	ucxiz.exe	siyqb.exe
PID 1996 wrote to memory of 352	1996	ucxiz.exe	siyqb.exe
PID 1996 wrote to memory of 352	1996	ucxiz.exe	siyqb.exe

C:\Users\Admin\AppData\Local\Temp\34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34373a2cd74d55362c44e5bcd569ba00_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\ucxiz.exe
  "C:\Users\Admin\AppData\Local\Temp\ucxiz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\siyqb.exe
    "C:\Users\Admin\AppData\Local\Temp\siyqb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
306B

MD5
56c51fa9ecef8e5d1c21f02c7d28aa13

SHA1
88f8148b0e53a827053580a1353abd5f459ec1bd

SHA256
99fd1205ca5ad241687209bc04a06c39a9eab0f0fe8d62af36b31291ee6aa069

SHA512
5ace88a878921c44c69a8ffdcd54cec9613a2e04facf0e84d753826ec1f11b149d6c89c57991bb5ec130c0c0556cf69959f0ea2f51f89834753d857c407c3a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3367dd81a45b2ad884cd1a66963945ce

SHA1
7ea635e836e02baf2a0d009482c2852a0c4b1cfe

SHA256
4568b436511d05696cde0dc18d3a65dd233f84c387899b3ec58a5ad6ea9c31b0

SHA512
3f774522d357f1db4efdf7663498903bb9ead4272c6c999f3947216980480269bf63e397fce42d2ac510a2c863884d433b45c705b6e94330cf0a8f3562dfc63a

Download Submit
\Users\Admin\AppData\Local\Temp\siyqb.exe

Filesize
216KB

MD5
ee5ef65420b717df83c5087f3a5c9b90

SHA1
2c1dfa3e9bd9db0ec1180d6964da47713ac236e3

SHA256
49157ae3208327c519958c30d2c84bab8fad67b854e75bde3c3c2cbff4a33dd1

SHA512
b81d3ed544c32cd3b079d3fd40ebea59aee54882d1648c8db8454da4667652acebee123fe2a20c6f7bfa24a1f06355c02dbfd70b2005377bc39370b59cf1fd54

Download Submit
\Users\Admin\AppData\Local\Temp\ucxiz.exe

Filesize
290KB

MD5
f46e9df83bf08be2aca8592e4c013770

SHA1
3b98a4016317d0dafe85d3c0834a7256c8858327

SHA256
9cfbfea0a33a45cc30820fac2f67a179e2dd715ffdd6732c66fb1cf46b6b12f4

SHA512
e85be237cdd91fb15d4e65f1d7fa516bd9515bc3a0ad1cb546d7c85b7230e72476d55d973baa2e9ca2a0d8f93f8c6267d5651ba4883c940734921b070849abda

Download Submit
memory/352-53-0x0000000000030000-0x00000000000D2000-memory.dmp

Filesize
648KB

Download
memory/352-51-0x0000000000030000-0x00000000000D2000-memory.dmp

Filesize
648KB

Download
memory/352-50-0x0000000000030000-0x00000000000D2000-memory.dmp

Filesize
648KB

Download
memory/352-52-0x0000000000030000-0x00000000000D2000-memory.dmp

Filesize
648KB

Download
memory/352-47-0x0000000000030000-0x00000000000D2000-memory.dmp

Filesize
648KB

Download
memory/352-46-0x0000000000030000-0x00000000000D2000-memory.dmp

Filesize
648KB

Download
memory/352-48-0x0000000000030000-0x00000000000D2000-memory.dmp

Filesize
648KB

Download
memory/352-54-0x0000000000030000-0x00000000000D2000-memory.dmp

Filesize
648KB

Download
memory/352-45-0x0000000000030000-0x00000000000D2000-memory.dmp

Filesize
648KB

Download
memory/1996-28-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1996-43-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1996-15-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1996-16-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2468-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2468-25-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2468-11-0x0000000002BC0000-0x0000000002C28000-memory.dmp

Filesize
416KB

Download
memory/2468-13-0x0000000002BC0000-0x0000000002C28000-memory.dmp

Filesize
416KB

Download
memory/2468-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads