urelas | 8c0d42321d0e739b89aec2e48b6c31ec459895f9965bc7bc53c127ed0dbe89ac

Analysis

max time kernel
151s
max time network
143s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70dffc95dc1f94ad8f908407819e4dc8_JC.exe
Size

455KB
MD5

70dffc95dc1f94ad8f908407819e4dc8
SHA1

5a97bf3c548a42b61aabc50814aca3e1de36c8b1
SHA256

8c0d42321d0e739b89aec2e48b6c31ec459895f9965bc7bc53c127ed0dbe89ac
SHA512

76040b30cfede6068ace9cad009cf9d175e6c1c6950ed5ae975e6e9f384a64fb8cca1140457262ed8ef8665096304d1cbe98c9ed4339af39e4b43af6032447cf
SSDEEP

6144:r/VW8rQ+dqof6VcVttGhZsXtvmqoI+CNLOnmIbCM2dWwh3gNUie2Jy+5vmSZGpVd:ZtaQt+ZsFeI+CSZbyKLe2JPFE

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed6-26.dat	aspack_v212_v242
behavioral1/files/0x0004000000004ed6-31.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2352	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2424	omfox.exe
2528	zusyw.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	70dffc95dc1f94ad8f908407819e4dc8_JC.exe
2424	omfox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe
2528	zusyw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2424	2260	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	28
PID 2260 wrote to memory of 2424	2260	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	28
PID 2260 wrote to memory of 2424	2260	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	28
PID 2260 wrote to memory of 2424	2260	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	28
PID 2260 wrote to memory of 2352	2260	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	30
PID 2260 wrote to memory of 2352	2260	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	30
PID 2260 wrote to memory of 2352	2260	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	30
PID 2260 wrote to memory of 2352	2260	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	30
PID 2424 wrote to memory of 2528	2424	omfox.exe	33
PID 2424 wrote to memory of 2528	2424	omfox.exe	33
PID 2424 wrote to memory of 2528	2424	omfox.exe	33
PID 2424 wrote to memory of 2528	2424	omfox.exe	33

C:\Users\Admin\AppData\Local\Temp\70dffc95dc1f94ad8f908407819e4dc8_JC.exe
"C:\Users\Admin\AppData\Local\Temp\70dffc95dc1f94ad8f908407819e4dc8_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\omfox.exe
  "C:\Users\Admin\AppData\Local\Temp\omfox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\zusyw.exe
    "C:\Users\Admin\AppData\Local\Temp\zusyw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
81a3e16817570ef36731e83247d70b2a

SHA1
c3a4778cbb648526f60b9e23c2d42067f77e4daa

SHA256
934a68e0fd2b6aa915b45dbe290060f7c2c58ef47d39f80d1fa0ea0ab51d305a

SHA512
f07d70389fee6e9fe6ff341a6e8460bb952fe645fb84e81ba0676c2029cbf521bfb1d7d981d2e027e43ecd58193296dd43e5e09a510a26de95dc8829f4352efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
81a3e16817570ef36731e83247d70b2a

SHA1
c3a4778cbb648526f60b9e23c2d42067f77e4daa

SHA256
934a68e0fd2b6aa915b45dbe290060f7c2c58ef47d39f80d1fa0ea0ab51d305a

SHA512
f07d70389fee6e9fe6ff341a6e8460bb952fe645fb84e81ba0676c2029cbf521bfb1d7d981d2e027e43ecd58193296dd43e5e09a510a26de95dc8829f4352efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0f34d7a166ba9ba6e70e98dcd5eee22d

SHA1
9f6b478cfda372ffdf65630a2027d00c74f0e2eb

SHA256
d508edd73edd0d6884f5fd1bcc8f4463059e2f4c93e8fdc348f420c5e9540f5f

SHA512
4236fb4c5a8b16c72bbd838f43a14b1e3d4b2ee78afb2ca66c83dc1026e199f5616a14f84204f5b4d72e8307a16198486058bdb39e7a981df37b49364f2da6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\omfox.exe

Filesize
455KB

MD5
4ed94be4a851e08ac434940ceddd672f

SHA1
3efec8b8c51f80af563c96332fe0d28c33528e6b

SHA256
dc2b75a106595323f5db125b9ffda73fa1ea38e90f801fe72ddc5ce764d3aa40

SHA512
353b68d0cd099a91a5b90ec0e1068fd4a0c06eba46d2137ddd6de865911f87b4d0ad1d6eb6f06fa203369dd68d33f41332ddd43ab91f6307037f7531f758f3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\omfox.exe

Filesize
455KB

MD5
4ed94be4a851e08ac434940ceddd672f

SHA1
3efec8b8c51f80af563c96332fe0d28c33528e6b

SHA256
dc2b75a106595323f5db125b9ffda73fa1ea38e90f801fe72ddc5ce764d3aa40

SHA512
353b68d0cd099a91a5b90ec0e1068fd4a0c06eba46d2137ddd6de865911f87b4d0ad1d6eb6f06fa203369dd68d33f41332ddd43ab91f6307037f7531f758f3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\omfox.exe

Filesize
455KB

MD5
8081dfa3d233afd54d7a5d6a9a8088a6

SHA1
c95b49d44ac5aad927b04ef1d3608c8fc0ec5b08

SHA256
34866ec873a1fda1bdee1663128103f3501176c12c1704801efd7f8d7e59a66d

SHA512
64554a6409e286e07994ca4330b02caceed182e129670db77126e6468a5edce382f3b925f8b0cff8e288861f645f78d2f83e00ee53e0ee504639fa45a7b6adf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zusyw.exe

Filesize
225KB

MD5
f73f35f82593dd92a16333fc0328b202

SHA1
cbc9d9f828d6f862d1a84cf0ee2dd4abc53bb241

SHA256
1761447beaea29a6c7b6975a5de56ec94bb8f212041cd5d9da94e8eedf5ff762

SHA512
6bd7fae38fd0a18a92e4226b53ac05d6040de1d7893e84e952a20171bf793a65f3d5ec3d41de74d367c94fca2ef2ea9676c3c83333c75a7f6e9bcf9b90603f57

Download Submit
\Users\Admin\AppData\Local\Temp\omfox.exe

Filesize
455KB

MD5
4ed94be4a851e08ac434940ceddd672f

SHA1
3efec8b8c51f80af563c96332fe0d28c33528e6b

SHA256
dc2b75a106595323f5db125b9ffda73fa1ea38e90f801fe72ddc5ce764d3aa40

SHA512
353b68d0cd099a91a5b90ec0e1068fd4a0c06eba46d2137ddd6de865911f87b4d0ad1d6eb6f06fa203369dd68d33f41332ddd43ab91f6307037f7531f758f3fb

Download Submit
\Users\Admin\AppData\Local\Temp\zusyw.exe

Filesize
225KB

MD5
f73f35f82593dd92a16333fc0328b202

SHA1
cbc9d9f828d6f862d1a84cf0ee2dd4abc53bb241

SHA256
1761447beaea29a6c7b6975a5de56ec94bb8f212041cd5d9da94e8eedf5ff762

SHA512
6bd7fae38fd0a18a92e4226b53ac05d6040de1d7893e84e952a20171bf793a65f3d5ec3d41de74d367c94fca2ef2ea9676c3c83333c75a7f6e9bcf9b90603f57

Download Submit
memory/2260-20-0x0000000000860000-0x00000000008E0000-memory.dmp

Filesize
512KB

Download
memory/2260-0-0x0000000000860000-0x00000000008E0000-memory.dmp

Filesize
512KB

Download
memory/2260-8-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2260-1-0x0000000000860000-0x00000000008E0000-memory.dmp

Filesize
512KB

Download
memory/2424-30-0x00000000002F0000-0x0000000000370000-memory.dmp

Filesize
512KB

Download
memory/2424-23-0x00000000002F0000-0x0000000000370000-memory.dmp

Filesize
512KB

Download
memory/2424-19-0x00000000002F0000-0x0000000000370000-memory.dmp

Filesize
512KB

Download
memory/2424-29-0x0000000003920000-0x00000000039BE000-memory.dmp

Filesize
632KB

Download
memory/2528-33-0x0000000000990000-0x0000000000A2E000-memory.dmp

Filesize
632KB

Download
memory/2528-35-0x0000000000990000-0x0000000000A2E000-memory.dmp

Filesize
632KB

Download
memory/2528-34-0x0000000000990000-0x0000000000A2E000-memory.dmp

Filesize
632KB

Download
memory/2528-38-0x0000000000990000-0x0000000000A2E000-memory.dmp

Filesize
632KB

Download
memory/2528-39-0x0000000000990000-0x0000000000A2E000-memory.dmp

Filesize
632KB

Download
memory/2528-40-0x0000000000990000-0x0000000000A2E000-memory.dmp

Filesize
632KB

Download
memory/2528-41-0x0000000000990000-0x0000000000A2E000-memory.dmp

Filesize
632KB

Download
memory/2528-42-0x0000000000990000-0x0000000000A2E000-memory.dmp

Filesize
632KB

Download