urelas | b4023aa399dd4f730da4f450b76e18f828aaf8d3c278bed74324907fad536335

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe
Size

334KB
MD5

e03641b70bd4717d8b523aaefedf73bb
SHA1

ca8776736a7bd77b6d8fc84dcde0b9c8ff1debda
SHA256

b4023aa399dd4f730da4f450b76e18f828aaf8d3c278bed74324907fad536335
SHA512

3f97f92b9025458560c9f95f141a5218633df95bfd601102c14814a19f17c12156a5072f670f2a950f53cb52fd6b7e5828568eb4f56e70d04886156ea43258c2
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisT:Nd7rpL43btmQ58Z27zw39gY2FeZh7

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023265-32.dat	aspack_v212_v242
behavioral2/files/0x0009000000023265-36.dat	aspack_v212_v242
behavioral2/files/0x0009000000023265-34.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	biefg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	hiojqi.exe

Executes dropped EXE 3 IoCs

pid	Process
3936	biefg.exe
1380	hiojqi.exe
4208	qevoz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe
4208	qevoz.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 3936	916	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	86
PID 916 wrote to memory of 3936	916	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	86
PID 916 wrote to memory of 3936	916	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	86
PID 916 wrote to memory of 3644	916	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	87
PID 916 wrote to memory of 3644	916	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	87
PID 916 wrote to memory of 3644	916	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	87
PID 3936 wrote to memory of 1380	3936	biefg.exe	89
PID 3936 wrote to memory of 1380	3936	biefg.exe	89
PID 3936 wrote to memory of 1380	3936	biefg.exe	89
PID 1380 wrote to memory of 4208	1380	hiojqi.exe	102
PID 1380 wrote to memory of 4208	1380	hiojqi.exe	102
PID 1380 wrote to memory of 4208	1380	hiojqi.exe	102
PID 1380 wrote to memory of 1356	1380	hiojqi.exe	103
PID 1380 wrote to memory of 1356	1380	hiojqi.exe	103
PID 1380 wrote to memory of 1356	1380	hiojqi.exe	103

C:\Users\Admin\AppData\Local\Temp\NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\biefg.exe
  "C:\Users\Admin\AppData\Local\Temp\biefg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\hiojqi.exe
    "C:\Users\Admin\AppData\Local\Temp\hiojqi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\qevoz.exe
      "C:\Users\Admin\AppData\Local\Temp\qevoz.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b6205883b74ceee63b539cfcc5156111

SHA1
1e08d81d41dc576bb48ca2301414dd1c77b9fc6e

SHA256
24e21bc329c0465c8c38078c21626a8cf14be7a062877a2572c6f14595df4d2e

SHA512
5ad49e6896c1c31f37909877732b79fa2cbc85ac1369052b6de10f8e696b134510ad40c8355ec7e2ad6d31341f15e06c17c25feb8e7e73dd7951b3c3fa02a1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
44aa4b758d48421e898232e04c6cdcfa

SHA1
26b31dafe725cd4b9e0183a8dc24cfa0baf35014

SHA256
46ebcf649ac77ec09a8a4a6e1d7dd3ebdfbc6e037e076cfeedcbc7a47502a039

SHA512
73850be20c227207048b3973c4c6f7e4442d18354d0e742b229862b6fbfc7681ecc6907bc7b6f009d19d1e864b5c3db74544b46372c4f7de736993e79d0f6dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\biefg.exe

Filesize
334KB

MD5
28552ddc8417d051292185ac8b7aa89e

SHA1
8a2c30314ea20f917c12c13093984bec77165cb7

SHA256
6aa089cc951c5554e93b0f8012d92a15911663f175b4de52ec0d38425488be29

SHA512
cbb37e01b576beed2f0897cc615ca8ffcb69bf54c24084d483831c7e4d156c54a01790a1e0f93d7909578af9ffe16bfe4940ac0c69c34471e5323ac9948c5c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\biefg.exe

Filesize
334KB

MD5
28552ddc8417d051292185ac8b7aa89e

SHA1
8a2c30314ea20f917c12c13093984bec77165cb7

SHA256
6aa089cc951c5554e93b0f8012d92a15911663f175b4de52ec0d38425488be29

SHA512
cbb37e01b576beed2f0897cc615ca8ffcb69bf54c24084d483831c7e4d156c54a01790a1e0f93d7909578af9ffe16bfe4940ac0c69c34471e5323ac9948c5c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\biefg.exe

Filesize
334KB

MD5
28552ddc8417d051292185ac8b7aa89e

SHA1
8a2c30314ea20f917c12c13093984bec77165cb7

SHA256
6aa089cc951c5554e93b0f8012d92a15911663f175b4de52ec0d38425488be29

SHA512
cbb37e01b576beed2f0897cc615ca8ffcb69bf54c24084d483831c7e4d156c54a01790a1e0f93d7909578af9ffe16bfe4940ac0c69c34471e5323ac9948c5c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a69e57f59e2d55f2018fb51e7d494674

SHA1
2ebc01149072227c1bc335a71326a6edc04f87cc

SHA256
c8dbdbcfc11c8626b64e9384875b41bc88445406c89f6e5289a4713afb6622d8

SHA512
715586d9a6845c17eefd1e72e71de133f6a1ecb0029c3b69845090ea5932a5f28e310cebac00ce6339419274d6fc288b78b3adff8cfcc694c4ac1ec9703cf5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiojqi.exe

Filesize
334KB

MD5
28552ddc8417d051292185ac8b7aa89e

SHA1
8a2c30314ea20f917c12c13093984bec77165cb7

SHA256
6aa089cc951c5554e93b0f8012d92a15911663f175b4de52ec0d38425488be29

SHA512
cbb37e01b576beed2f0897cc615ca8ffcb69bf54c24084d483831c7e4d156c54a01790a1e0f93d7909578af9ffe16bfe4940ac0c69c34471e5323ac9948c5c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiojqi.exe

Filesize
334KB

MD5
28552ddc8417d051292185ac8b7aa89e

SHA1
8a2c30314ea20f917c12c13093984bec77165cb7

SHA256
6aa089cc951c5554e93b0f8012d92a15911663f175b4de52ec0d38425488be29

SHA512
cbb37e01b576beed2f0897cc615ca8ffcb69bf54c24084d483831c7e4d156c54a01790a1e0f93d7909578af9ffe16bfe4940ac0c69c34471e5323ac9948c5c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\qevoz.exe

Filesize
136KB

MD5
1e6377ee906dbc79ebd707d397c7e9ab

SHA1
1eb73076788cc48aa63a9fd9cdf41c7d04c525d0

SHA256
e8abb9ee4c245584710af68fd769ee827b30ab475dab917a9b919bf939ae9eac

SHA512
e1ca0cd183690d59feb311486b5ecf16c0674c8ac4c48b2c39badd7f932700bad582ae14a861c3a2a0dc93d2bf1993172de3da26ea9711cedbb3a5302d50a00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qevoz.exe

Filesize
136KB

MD5
1e6377ee906dbc79ebd707d397c7e9ab

SHA1
1eb73076788cc48aa63a9fd9cdf41c7d04c525d0

SHA256
e8abb9ee4c245584710af68fd769ee827b30ab475dab917a9b919bf939ae9eac

SHA512
e1ca0cd183690d59feb311486b5ecf16c0674c8ac4c48b2c39badd7f932700bad582ae14a861c3a2a0dc93d2bf1993172de3da26ea9711cedbb3a5302d50a00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qevoz.exe

Filesize
136KB

MD5
1e6377ee906dbc79ebd707d397c7e9ab

SHA1
1eb73076788cc48aa63a9fd9cdf41c7d04c525d0

SHA256
e8abb9ee4c245584710af68fd769ee827b30ab475dab917a9b919bf939ae9eac

SHA512
e1ca0cd183690d59feb311486b5ecf16c0674c8ac4c48b2c39badd7f932700bad582ae14a861c3a2a0dc93d2bf1993172de3da26ea9711cedbb3a5302d50a00e

Download Submit
memory/916-16-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/916-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1380-43-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1380-26-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3936-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3936-13-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4208-42-0x0000000000F70000-0x0000000000FFC000-memory.dmp

Filesize
560KB

Download
memory/4208-41-0x0000000000F70000-0x0000000000FFC000-memory.dmp

Filesize
560KB

Download
memory/4208-39-0x0000000000F70000-0x0000000000FFC000-memory.dmp

Filesize
560KB

Download
memory/4208-45-0x0000000000F70000-0x0000000000FFC000-memory.dmp

Filesize
560KB

Download
memory/4208-46-0x0000000000F70000-0x0000000000FFC000-memory.dmp

Filesize
560KB

Download
memory/4208-47-0x0000000000F70000-0x0000000000FFC000-memory.dmp

Filesize
560KB

Download
memory/4208-48-0x0000000000F70000-0x0000000000FFC000-memory.dmp

Filesize
560KB

Download
memory/4208-49-0x0000000000F70000-0x0000000000FFC000-memory.dmp

Filesize
560KB

Download
memory/4208-50-0x0000000000F70000-0x0000000000FFC000-memory.dmp

Filesize
560KB

Download