urelas | 6170fd86b88c72d8aeac1d489f46f7438ed9a9ddad2baff7f7ee16e32146c993

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe
Size

417KB
MD5

31b7c1210dfeae627a127ae5157a6370
SHA1

259ee363b009adaedc475199f18de31878a38e56
SHA256

6170fd86b88c72d8aeac1d489f46f7438ed9a9ddad2baff7f7ee16e32146c993
SHA512

83e103b8c0c7b4b63c5f238583c4ff39065a0b701c667d0997d8581d7c0560e1fc7db02307469eeb82712ece6ba314e5f362c4aadb074e5f0417f67f65df9a9c
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYDr:eU7M5ijWh0XOW4sEfeOir

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-27.dat	aspack_v212_v242
behavioral1/files/0x0004000000004ed7-30.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1852	cogab.exe
2724	yhliq.exe

Loads dropped DLL 3 IoCs

pid	Process
2208	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe
2208	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe
1852	cogab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe
2724	yhliq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1852	2208	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	28
PID 2208 wrote to memory of 1852	2208	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	28
PID 2208 wrote to memory of 1852	2208	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	28
PID 2208 wrote to memory of 1852	2208	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	28
PID 2208 wrote to memory of 2588	2208	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	29
PID 2208 wrote to memory of 2588	2208	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	29
PID 2208 wrote to memory of 2588	2208	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	29
PID 2208 wrote to memory of 2588	2208	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	29
PID 1852 wrote to memory of 2724	1852	cogab.exe	33
PID 1852 wrote to memory of 2724	1852	cogab.exe	33
PID 1852 wrote to memory of 2724	1852	cogab.exe	33
PID 1852 wrote to memory of 2724	1852	cogab.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\cogab.exe
  "C:\Users\Admin\AppData\Local\Temp\cogab.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\yhliq.exe
    "C:\Users\Admin\AppData\Local\Temp\yhliq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
292B

MD5
817f12111d56a3c574eb21343cd17f2c

SHA1
6783b212b1bac50046194bfaf8df46312a6143df

SHA256
94361efd3ad51e3a10ac8f47bfea6caa1c65a055f54633a730df0a97dc9d2ab8

SHA512
9a31b6628817ce8fe7b641c016edd965d8b6544636eb6caca70ee774dbe2b68c4fe8b45854732eb6eb52ea72ec57b0687275ac5d9c5c9de1125247d611b72ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
292B

MD5
817f12111d56a3c574eb21343cd17f2c

SHA1
6783b212b1bac50046194bfaf8df46312a6143df

SHA256
94361efd3ad51e3a10ac8f47bfea6caa1c65a055f54633a730df0a97dc9d2ab8

SHA512
9a31b6628817ce8fe7b641c016edd965d8b6544636eb6caca70ee774dbe2b68c4fe8b45854732eb6eb52ea72ec57b0687275ac5d9c5c9de1125247d611b72ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cogab.exe

Filesize
417KB

MD5
031577b38c088e9331cbbea34dd45242

SHA1
6c7f7063beb287f2776d4e38de12b886ea7e7693

SHA256
f193dc7bead54658be6fe42e08c69f54d377f4bc6883a9e204aabcb329f3849e

SHA512
4701a7730e7a81374493532b430c535df58ae92998e5a61fd028e896f161fbd3f889e70cf4881278dbe50c48a4619fd7c947334d334b298741e0bdbab61351a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cogab.exe

Filesize
417KB

MD5
031577b38c088e9331cbbea34dd45242

SHA1
6c7f7063beb287f2776d4e38de12b886ea7e7693

SHA256
f193dc7bead54658be6fe42e08c69f54d377f4bc6883a9e204aabcb329f3849e

SHA512
4701a7730e7a81374493532b430c535df58ae92998e5a61fd028e896f161fbd3f889e70cf4881278dbe50c48a4619fd7c947334d334b298741e0bdbab61351a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cogab.exe

Filesize
417KB

MD5
031577b38c088e9331cbbea34dd45242

SHA1
6c7f7063beb287f2776d4e38de12b886ea7e7693

SHA256
f193dc7bead54658be6fe42e08c69f54d377f4bc6883a9e204aabcb329f3849e

SHA512
4701a7730e7a81374493532b430c535df58ae92998e5a61fd028e896f161fbd3f889e70cf4881278dbe50c48a4619fd7c947334d334b298741e0bdbab61351a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
984ff04d5ab75d6798e2c7338b1e76f6

SHA1
3d991a730c22dd3f7552d7d28eb7d0d0c02e464d

SHA256
5b49bbfe23ac54c789a3ec52b2d74079d75fb181e2b4906380f49fd217f31281

SHA512
ac211254082893395fc627e7810abc43f458e70bd708d54d33138d4a3ea9f525edb8ca17011e07138a1eecb4217870c1608df19d9edde9ef6d2b0c0892d02407

Download Submit
C:\Users\Admin\AppData\Local\Temp\yhliq.exe

Filesize
212KB

MD5
dd16675ab0b384d8988960e19ad7eadf

SHA1
834102191b40744efe5483b39a5752be7985700f

SHA256
ebebf359a3775eb9dc6380a08b3c195b211f9ce1bfa282b25fb4134138a12e21

SHA512
4fc85e3f7d21a33d81f6c008ef625115e4baffe091172ec2fc90ed371ef49f1bc3a85141ecd57f234446067d618a564083ccd92fa7fa126fcd3ce5f33c26cbbc

Download Submit
\Users\Admin\AppData\Local\Temp\cogab.exe

Filesize
417KB

MD5
031577b38c088e9331cbbea34dd45242

SHA1
6c7f7063beb287f2776d4e38de12b886ea7e7693

SHA256
f193dc7bead54658be6fe42e08c69f54d377f4bc6883a9e204aabcb329f3849e

SHA512
4701a7730e7a81374493532b430c535df58ae92998e5a61fd028e896f161fbd3f889e70cf4881278dbe50c48a4619fd7c947334d334b298741e0bdbab61351a5

Download Submit
\Users\Admin\AppData\Local\Temp\cogab.exe

Filesize
417KB

MD5
031577b38c088e9331cbbea34dd45242

SHA1
6c7f7063beb287f2776d4e38de12b886ea7e7693

SHA256
f193dc7bead54658be6fe42e08c69f54d377f4bc6883a9e204aabcb329f3849e

SHA512
4701a7730e7a81374493532b430c535df58ae92998e5a61fd028e896f161fbd3f889e70cf4881278dbe50c48a4619fd7c947334d334b298741e0bdbab61351a5

Download Submit
\Users\Admin\AppData\Local\Temp\yhliq.exe

Filesize
212KB

MD5
dd16675ab0b384d8988960e19ad7eadf

SHA1
834102191b40744efe5483b39a5752be7985700f

SHA256
ebebf359a3775eb9dc6380a08b3c195b211f9ce1bfa282b25fb4134138a12e21

SHA512
4fc85e3f7d21a33d81f6c008ef625115e4baffe091172ec2fc90ed371ef49f1bc3a85141ecd57f234446067d618a564083ccd92fa7fa126fcd3ce5f33c26cbbc

Download Submit
memory/1852-33-0x0000000003290000-0x0000000003324000-memory.dmp

Filesize
592KB

Download
memory/1852-31-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1852-24-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2208-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2208-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2208-11-0x0000000002800000-0x0000000002865000-memory.dmp

Filesize
404KB

Download
memory/2208-13-0x0000000002800000-0x0000000002865000-memory.dmp

Filesize
404KB

Download
memory/2724-36-0x0000000000B80000-0x0000000000C14000-memory.dmp

Filesize
592KB

Download
memory/2724-35-0x0000000000B80000-0x0000000000C14000-memory.dmp

Filesize
592KB

Download
memory/2724-32-0x0000000000B80000-0x0000000000C14000-memory.dmp

Filesize
592KB

Download
memory/2724-38-0x0000000000B80000-0x0000000000C14000-memory.dmp

Filesize
592KB

Download
memory/2724-39-0x0000000000B80000-0x0000000000C14000-memory.dmp

Filesize
592KB

Download
memory/2724-40-0x0000000000B80000-0x0000000000C14000-memory.dmp

Filesize
592KB

Download
memory/2724-41-0x0000000000B80000-0x0000000000C14000-memory.dmp

Filesize
592KB

Download
memory/2724-42-0x0000000000B80000-0x0000000000C14000-memory.dmp

Filesize
592KB

Download