urelas | 2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170

General

Target

2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe
Size

398KB
MD5

454dfb304c96678567a2a0a451ea0f30
SHA1

df28c471fd9dab0fb8c209aafabd5d085c1469c5
SHA256

2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170
SHA512

075f125eca3ff86f50052341dc180d4061b04f2057d8c035182f272e9184295486d6f8b42279bc5f5571a13ee9e3b294ad4d9168b9e6371763c384d7a7add437
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOz:eU7M5ijWh0XOW4sEfeOz

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\yzugl.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exeeltab.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	eltab.exe

Executes dropped EXE 2 IoCs

Processes:

eltab.exeyzugl.exe

pid process

3316 eltab.exe
4436 yzugl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3316	eltab.exe
4436	yzugl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yzugl.exe

pid	process
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe
4436	yzugl.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exeeltab.exe

description	pid	process	target process
PID 3964 wrote to memory of 3316	3964	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	eltab.exe
PID 3964 wrote to memory of 3316	3964	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	eltab.exe
PID 3964 wrote to memory of 3316	3964	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	eltab.exe
PID 3964 wrote to memory of 116	3964	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	cmd.exe
PID 3964 wrote to memory of 116	3964	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	cmd.exe
PID 3964 wrote to memory of 116	3964	2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe	cmd.exe
PID 3316 wrote to memory of 4436	3316	eltab.exe	yzugl.exe
PID 3316 wrote to memory of 4436	3316	eltab.exe	yzugl.exe
PID 3316 wrote to memory of 4436	3316	eltab.exe	yzugl.exe

C:\Users\Admin\AppData\Local\Temp\2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2e9c48df48870879b48b8221194c3972996100b148eb74802979cb8db3306170_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\eltab.exe
  "C:\Users\Admin\AppData\Local\Temp\eltab.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Users\Admin\AppData\Local\Temp\yzugl.exe
    "C:\Users\Admin\AppData\Local\Temp\yzugl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
370B

MD5
d91d7a60466819d52f66d4c3351d8912

SHA1
ff101aa80edec03c00d9946c62789a383d5c788d

SHA256
ae39ebc228ea8339a7a3641e53bce6f530dcf57da7478ed6b856b6b5d0c3d18b

SHA512
aa5010da30bdbfad1206cd55230b27de6e9a21e98a1abf640ffe2df7b13b0381107cf2fca430a0cdd9914702c0125e70f3c4b96339a6e0d6e045f1ed2e9982d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eltab.exe

Filesize
398KB

MD5
d9e4b93ca8446c93ec0d558d843f95cd

SHA1
9e718fdda365114cacb9948825dcd8a66f7b8e8a

SHA256
ada79a647d1b2d700419f004358f6824c8b6c1b83fa8980ecd2fc54a0e63fe6d

SHA512
f0a9bbd1523ffb2725b529b3c860a2437b51cc2823bc08a5330bfda887c5c62909c3c1af551d6ae9be8fe4f929566be59441093a071b4febbb0ff34a3b7e2518

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
66656db3a57ef9b4981a9de79d923d2d

SHA1
42004490b298289fb9a58f24298285fd2d94cf11

SHA256
55fb7533f7dd690ab430627edec10adc126b2c6e86277ffc912c0a05986c1595

SHA512
8d0bb4aaf43a12594b79882a43394917229ac9fb704f9c121468c79119a0e2d3f8be2b2189ea2e100eaa50495cac281ff397144cba612d90bed66b82845e1af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzugl.exe

Filesize
212KB

MD5
6af2e43616d4cd625e3ab663782cfaf3

SHA1
6cce5aa8661a8c9260e753839dcf0991a1d3cde4

SHA256
ee8ba58463abcb3ddbc5f928bdc9720d01239fe612745a7ac3f62dbd6bcdd572

SHA512
477ccc3c43b7a793d251926e6e9b10b30abef6e7f95d30185bc2b565798fdc3c518cd0466bc12e921a33c2adc09b6a12e3a3337b1d7e24aa0e9a64c914453adc

Download Submit
memory/3316-28-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3964-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3964-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4436-24-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4436-26-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4436-27-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4436-25-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4436-30-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4436-31-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4436-32-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/4436-33-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads