urelas | 2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170

General

Target

2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe
Size

398KB
MD5

454dfb304c96678567a2a0a451ea0f30
SHA1

df28c471fd9dab0fb8c209aafabd5d085c1469c5
SHA256

2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170
SHA512

075f125eca3ff86f50052341dc180d4061b04f2057d8c035182f272e9184295486d6f8b42279bc5f5571a13ee9e3b294ad4d9168b9e6371763c384d7a7add437
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOz:eU7M5ijWh0XOW4sEfeOz

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ifcov.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2772 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

ylaxu.exeifcov.exe

pid process

2648 ylaxu.exe
1924 ifcov.exe

pid	process
2772	cmd.exe

pid	process
2648	ylaxu.exe
1924	ifcov.exe

Loads dropped DLL 3 IoCs

Processes:

2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exeylaxu.exe

pid	process
1708	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe
1708	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe
2648	ylaxu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

ifcov.exe

pid	process
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe
1924	ifcov.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exeylaxu.exe

description	pid	process	target process
PID 1708 wrote to memory of 2648	1708	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	ylaxu.exe
PID 1708 wrote to memory of 2648	1708	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	ylaxu.exe
PID 1708 wrote to memory of 2648	1708	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	ylaxu.exe
PID 1708 wrote to memory of 2648	1708	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	ylaxu.exe
PID 1708 wrote to memory of 2772	1708	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	cmd.exe
PID 1708 wrote to memory of 2772	1708	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	cmd.exe
PID 1708 wrote to memory of 2772	1708	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	cmd.exe
PID 1708 wrote to memory of 2772	1708	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	cmd.exe
PID 2648 wrote to memory of 1924	2648	ylaxu.exe	ifcov.exe
PID 2648 wrote to memory of 1924	2648	ylaxu.exe	ifcov.exe
PID 2648 wrote to memory of 1924	2648	ylaxu.exe	ifcov.exe
PID 2648 wrote to memory of 1924	2648	ylaxu.exe	ifcov.exe

C:\Users\Admin\AppData\Local\Temp\2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\ylaxu.exe
  "C:\Users\Admin\AppData\Local\Temp\ylaxu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\ifcov.exe
    "C:\Users\Admin\AppData\Local\Temp\ifcov.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
370B

MD5
d91d7a60466819d52f66d4c3351d8912

SHA1
ff101aa80edec03c00d9946c62789a383d5c788d

SHA256
ae39ebc228ea8339a7a3641e53bce6f530dcf57da7478ed6b856b6b5d0c3d18b

SHA512
aa5010da30bdbfad1206cd55230b27de6e9a21e98a1abf640ffe2df7b13b0381107cf2fca430a0cdd9914702c0125e70f3c4b96339a6e0d6e045f1ed2e9982d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e29a7b6d7c9629c73468c089100d32b5

SHA1
aefaa6218b63e58745694f21f81e413c93b93239

SHA256
61de0130991adc804f319a9f9b18a116708cbc84332c61829da9d75a993658ea

SHA512
734cef64bc46939997a1ae9ca50403f867bc3ef284e3588188c180816995313cbe4861363d1df8b6ba48b8deb86056c6c4099156d5741f6c80fecac02626c162

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifcov.exe

Filesize
212KB

MD5
0e3680672fa947d037b3f627819b5f63

SHA1
26f2093bc10beba1ad308dc91197a6c1481af683

SHA256
2a18e8d4393068811ce004e9c715ab0770d6ee7999dc0b5afb337241107ea6e0

SHA512
befb2bf8764815d6bd9ed7f59e2e6dab33c95ad839c22e7bf96ae93cd85db1a32e99e76ad31ca3a4aee66955cd8d9cbd7029e9451e2e715338ff1933d5420d64

Download Submit
\Users\Admin\AppData\Local\Temp\ylaxu.exe

Filesize
398KB

MD5
22c537d11f6072d5f5fdbce0a3918f61

SHA1
39b8a77047fe2576108cb9f6421645ed80320e27

SHA256
98fc4ffcf514867c5e6dd8cf0b99d02c7a223c99e34048f71e9983ed9f93a52a

SHA512
15e0adabeb15989b5431ce45da516dffb037022bbf11fa81c3a2e214b652ae928562a7d1a2fc65b20862c4f493f33c042a26d9c5697d67a186049de42510f6c6

Download Submit
memory/1708-11-0x0000000002BB0000-0x0000000002C15000-memory.dmp

Filesize
404KB

Download
memory/1708-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1708-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1924-34-0x0000000000F80000-0x0000000001014000-memory.dmp

Filesize
592KB

Download
memory/1924-31-0x0000000000F80000-0x0000000001014000-memory.dmp

Filesize
592KB

Download
memory/1924-33-0x0000000000F80000-0x0000000001014000-memory.dmp

Filesize
592KB

Download
memory/1924-32-0x0000000000F80000-0x0000000001014000-memory.dmp

Filesize
592KB

Download
memory/1924-37-0x0000000000F80000-0x0000000001014000-memory.dmp

Filesize
592KB

Download
memory/1924-38-0x0000000000F80000-0x0000000001014000-memory.dmp

Filesize
592KB

Download
memory/1924-39-0x0000000000F80000-0x0000000001014000-memory.dmp

Filesize
592KB

Download
memory/1924-40-0x0000000000F80000-0x0000000001014000-memory.dmp

Filesize
592KB

Download
memory/1924-41-0x0000000000F80000-0x0000000001014000-memory.dmp

Filesize
592KB

Download
memory/2648-29-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2648-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads