urelas | 6170fd86b88c72d8aeac1d489f46f7438ed9a9ddad2baff7f7ee16e32146c993

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe
Size

417KB
MD5

31b7c1210dfeae627a127ae5157a6370
SHA1

259ee363b009adaedc475199f18de31878a38e56
SHA256

6170fd86b88c72d8aeac1d489f46f7438ed9a9ddad2baff7f7ee16e32146c993
SHA512

83e103b8c0c7b4b63c5f238583c4ff39065a0b701c667d0997d8581d7c0560e1fc7db02307469eeb82712ece6ba314e5f362c4aadb074e5f0417f67f65df9a9c
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYDr:eU7M5ijWh0XOW4sEfeOir

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000400000001e784-22.dat	aspack_v212_v242
behavioral2/files/0x000400000001e784-24.dat	aspack_v212_v242
behavioral2/files/0x000400000001e784-25.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	ebnie.exe

Executes dropped EXE 2 IoCs

pid	Process
3664	ebnie.exe
4112	kihyg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe
4112	kihyg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3664	5056	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	91
PID 5056 wrote to memory of 3664	5056	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	91
PID 5056 wrote to memory of 3664	5056	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	91
PID 5056 wrote to memory of 2596	5056	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	92
PID 5056 wrote to memory of 2596	5056	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	92
PID 5056 wrote to memory of 2596	5056	NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe	92
PID 3664 wrote to memory of 4112	3664	ebnie.exe	103
PID 3664 wrote to memory of 4112	3664	ebnie.exe	103
PID 3664 wrote to memory of 4112	3664	ebnie.exe	103

C:\Users\Admin\AppData\Local\Temp\NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.31b7c1210dfeae627a127ae5157a6370_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\ebnie.exe
  "C:\Users\Admin\AppData\Local\Temp\ebnie.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\kihyg.exe
    "C:\Users\Admin\AppData\Local\Temp\kihyg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
292B

MD5
817f12111d56a3c574eb21343cd17f2c

SHA1
6783b212b1bac50046194bfaf8df46312a6143df

SHA256
94361efd3ad51e3a10ac8f47bfea6caa1c65a055f54633a730df0a97dc9d2ab8

SHA512
9a31b6628817ce8fe7b641c016edd965d8b6544636eb6caca70ee774dbe2b68c4fe8b45854732eb6eb52ea72ec57b0687275ac5d9c5c9de1125247d611b72ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebnie.exe

Filesize
417KB

MD5
7906381cc0e65b176d80fb6147fdf3c3

SHA1
aee026d3c3869c11cc98f18e0ee2a78945fa1464

SHA256
c4999aab833f80fa91c6e6bfa0486bd2dd20486e8a705cf7bcb07b16cf0807c7

SHA512
70be92fc8f7cfcf9fe1ec65e7d70de41e5fdf90987d92a71b4cd01c84b65106dac8259e8f23c3626a02d299d07c63f18e43a0594667981c02bbe2807800139d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebnie.exe

Filesize
417KB

MD5
7906381cc0e65b176d80fb6147fdf3c3

SHA1
aee026d3c3869c11cc98f18e0ee2a78945fa1464

SHA256
c4999aab833f80fa91c6e6bfa0486bd2dd20486e8a705cf7bcb07b16cf0807c7

SHA512
70be92fc8f7cfcf9fe1ec65e7d70de41e5fdf90987d92a71b4cd01c84b65106dac8259e8f23c3626a02d299d07c63f18e43a0594667981c02bbe2807800139d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebnie.exe

Filesize
417KB

MD5
7906381cc0e65b176d80fb6147fdf3c3

SHA1
aee026d3c3869c11cc98f18e0ee2a78945fa1464

SHA256
c4999aab833f80fa91c6e6bfa0486bd2dd20486e8a705cf7bcb07b16cf0807c7

SHA512
70be92fc8f7cfcf9fe1ec65e7d70de41e5fdf90987d92a71b4cd01c84b65106dac8259e8f23c3626a02d299d07c63f18e43a0594667981c02bbe2807800139d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b5b599b09f148393aca9ccf3ed86c492

SHA1
9978b83484a93103dca21fcd85d97a78151b18ca

SHA256
baed5263def77af04b0974963f4ba9a84a802fbe8aaf42f6daece9efd5865487

SHA512
e5995cfc7853975e71cd20f837087d480c92787d0bd85e1d984a0b4bf9aa92283370701b6b243a7aa8af18ac4d8dc59919acf0b30e9d01c9a681b55ba75b1014

Download Submit
C:\Users\Admin\AppData\Local\Temp\kihyg.exe

Filesize
212KB

MD5
3aa8b96ccffdef3aa068330439044ab0

SHA1
58051c8a15a28ed998935d2468312ac1eebc25b0

SHA256
44b93adf62d7a63610892a4c7be8f95d6e85bdf2c4ba306f9f5891009fbaaf3c

SHA512
ce204939a37befd0a5aaa457f0def74a2079ec5063c8a64836fac5ac1b7b538274dc344af4f3e1d0fee14061040128dcc2e5bb6da24a13c6fc48a997c3a4c5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kihyg.exe

Filesize
212KB

MD5
3aa8b96ccffdef3aa068330439044ab0

SHA1
58051c8a15a28ed998935d2468312ac1eebc25b0

SHA256
44b93adf62d7a63610892a4c7be8f95d6e85bdf2c4ba306f9f5891009fbaaf3c

SHA512
ce204939a37befd0a5aaa457f0def74a2079ec5063c8a64836fac5ac1b7b538274dc344af4f3e1d0fee14061040128dcc2e5bb6da24a13c6fc48a997c3a4c5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kihyg.exe

Filesize
212KB

MD5
3aa8b96ccffdef3aa068330439044ab0

SHA1
58051c8a15a28ed998935d2468312ac1eebc25b0

SHA256
44b93adf62d7a63610892a4c7be8f95d6e85bdf2c4ba306f9f5891009fbaaf3c

SHA512
ce204939a37befd0a5aaa457f0def74a2079ec5063c8a64836fac5ac1b7b538274dc344af4f3e1d0fee14061040128dcc2e5bb6da24a13c6fc48a997c3a4c5bb

Download Submit
memory/3664-28-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3664-10-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3664-17-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4112-26-0x0000000000150000-0x00000000001E4000-memory.dmp

Filesize
592KB

Download
memory/4112-29-0x0000000000150000-0x00000000001E4000-memory.dmp

Filesize
592KB

Download
memory/4112-30-0x0000000000150000-0x00000000001E4000-memory.dmp

Filesize
592KB

Download
memory/4112-27-0x0000000000150000-0x00000000001E4000-memory.dmp

Filesize
592KB

Download
memory/4112-32-0x0000000000150000-0x00000000001E4000-memory.dmp

Filesize
592KB

Download
memory/4112-33-0x0000000000150000-0x00000000001E4000-memory.dmp

Filesize
592KB

Download
memory/4112-34-0x0000000000150000-0x00000000001E4000-memory.dmp

Filesize
592KB

Download
memory/4112-35-0x0000000000150000-0x00000000001E4000-memory.dmp

Filesize
592KB

Download
memory/4112-36-0x0000000000150000-0x00000000001E4000-memory.dmp

Filesize
592KB

Download
memory/5056-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5056-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download