urelas | 8c0d42321d0e739b89aec2e48b6c31ec459895f9965bc7bc53c127ed0dbe89ac

Analysis

max time kernel
175s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70dffc95dc1f94ad8f908407819e4dc8_JC.exe
Size

455KB
MD5

70dffc95dc1f94ad8f908407819e4dc8
SHA1

5a97bf3c548a42b61aabc50814aca3e1de36c8b1
SHA256

8c0d42321d0e739b89aec2e48b6c31ec459895f9965bc7bc53c127ed0dbe89ac
SHA512

76040b30cfede6068ace9cad009cf9d175e6c1c6950ed5ae975e6e9f384a64fb8cca1140457262ed8ef8665096304d1cbe98c9ed4339af39e4b43af6032447cf
SSDEEP

6144:r/VW8rQ+dqof6VcVttGhZsXtvmqoI+CNLOnmIbCM2dWwh3gNUie2Jy+5vmSZGpVd:ZtaQt+ZsFeI+CSZbyKLe2JPFE

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0010000000023234-24.dat	aspack_v212_v242
behavioral2/files/0x0010000000023234-26.dat	aspack_v212_v242
behavioral2/files/0x0010000000023234-28.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	70dffc95dc1f94ad8f908407819e4dc8_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	muvuf.exe

Executes dropped EXE 2 IoCs

pid	Process
816	muvuf.exe
4416	suebj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe
4416	suebj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 816	2744	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	90
PID 2744 wrote to memory of 816	2744	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	90
PID 2744 wrote to memory of 816	2744	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	90
PID 2744 wrote to memory of 2608	2744	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	91
PID 2744 wrote to memory of 2608	2744	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	91
PID 2744 wrote to memory of 2608	2744	70dffc95dc1f94ad8f908407819e4dc8_JC.exe	91
PID 816 wrote to memory of 4416	816	muvuf.exe	101
PID 816 wrote to memory of 4416	816	muvuf.exe	101
PID 816 wrote to memory of 4416	816	muvuf.exe	101

C:\Users\Admin\AppData\Local\Temp\70dffc95dc1f94ad8f908407819e4dc8_JC.exe
"C:\Users\Admin\AppData\Local\Temp\70dffc95dc1f94ad8f908407819e4dc8_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\muvuf.exe
  "C:\Users\Admin\AppData\Local\Temp\muvuf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\suebj.exe
    "C:\Users\Admin\AppData\Local\Temp\suebj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
81a3e16817570ef36731e83247d70b2a

SHA1
c3a4778cbb648526f60b9e23c2d42067f77e4daa

SHA256
934a68e0fd2b6aa915b45dbe290060f7c2c58ef47d39f80d1fa0ea0ab51d305a

SHA512
f07d70389fee6e9fe6ff341a6e8460bb952fe645fb84e81ba0676c2029cbf521bfb1d7d981d2e027e43ecd58193296dd43e5e09a510a26de95dc8829f4352efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5437fb61ff4edc7027c24eabd9542bca

SHA1
a24795130016f75bb90da50181d97dd00199a762

SHA256
bc807d7b226207cac581a8555b7e2a62a147499d5962e70cf4ee1a10166285a0

SHA512
d5f81da16dc7872a3bd6c21affd42d58d8207097ecc214a8bb403248c96ac6ad3bac05464b2004fd7aa29ce5b03f84e64852f47dce610eabb483b64b0c07f015

Download Submit
C:\Users\Admin\AppData\Local\Temp\muvuf.exe

Filesize
455KB

MD5
c3876d488c36600f2575f1006cb539b0

SHA1
55c4ce3e09001f9b652aeeea55d645117be92069

SHA256
9456317b7cae4870c01298283cfdd492b00c8c131e80d941d0bdf0fa44a5a2a8

SHA512
c686846682923b66e00fd2cc4828b904ed0fa35a28e3e6ce4900f6c7bd6faa2c3979847a7e3f60756db2d5a9f3c33cdeac65e0b5881c99e7632d7db22dc30890

Download Submit
C:\Users\Admin\AppData\Local\Temp\muvuf.exe

Filesize
455KB

MD5
c3876d488c36600f2575f1006cb539b0

SHA1
55c4ce3e09001f9b652aeeea55d645117be92069

SHA256
9456317b7cae4870c01298283cfdd492b00c8c131e80d941d0bdf0fa44a5a2a8

SHA512
c686846682923b66e00fd2cc4828b904ed0fa35a28e3e6ce4900f6c7bd6faa2c3979847a7e3f60756db2d5a9f3c33cdeac65e0b5881c99e7632d7db22dc30890

Download Submit
C:\Users\Admin\AppData\Local\Temp\muvuf.exe

Filesize
455KB

MD5
c3876d488c36600f2575f1006cb539b0

SHA1
55c4ce3e09001f9b652aeeea55d645117be92069

SHA256
9456317b7cae4870c01298283cfdd492b00c8c131e80d941d0bdf0fa44a5a2a8

SHA512
c686846682923b66e00fd2cc4828b904ed0fa35a28e3e6ce4900f6c7bd6faa2c3979847a7e3f60756db2d5a9f3c33cdeac65e0b5881c99e7632d7db22dc30890

Download Submit
C:\Users\Admin\AppData\Local\Temp\suebj.exe

Filesize
225KB

MD5
64eb8bd4ab46a354d7d740f7249af0ce

SHA1
785093e95dcea37742a960e5a45db2864eb7778e

SHA256
b63bf96a4c4499bda95de981f32ac546ee52e2ee00e9657f22fb8fb9f976c7e6

SHA512
7d3d044b073780ca233bdfbe0664fe7deebc038801feb4db5ec6c78b27bac695d304eb70abe7f56b1f893c6348e36856068e21e2193d0f05a452dbe0387b8c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suebj.exe

Filesize
225KB

MD5
64eb8bd4ab46a354d7d740f7249af0ce

SHA1
785093e95dcea37742a960e5a45db2864eb7778e

SHA256
b63bf96a4c4499bda95de981f32ac546ee52e2ee00e9657f22fb8fb9f976c7e6

SHA512
7d3d044b073780ca233bdfbe0664fe7deebc038801feb4db5ec6c78b27bac695d304eb70abe7f56b1f893c6348e36856068e21e2193d0f05a452dbe0387b8c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suebj.exe

Filesize
225KB

MD5
64eb8bd4ab46a354d7d740f7249af0ce

SHA1
785093e95dcea37742a960e5a45db2864eb7778e

SHA256
b63bf96a4c4499bda95de981f32ac546ee52e2ee00e9657f22fb8fb9f976c7e6

SHA512
7d3d044b073780ca233bdfbe0664fe7deebc038801feb4db5ec6c78b27bac695d304eb70abe7f56b1f893c6348e36856068e21e2193d0f05a452dbe0387b8c2c

Download Submit
memory/816-13-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/816-19-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/816-29-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/2744-17-0x00000000007F0000-0x0000000000870000-memory.dmp

Filesize
512KB

Download
memory/2744-1-0x00000000007F0000-0x0000000000870000-memory.dmp

Filesize
512KB

Download
memory/2744-0-0x00000000007F0000-0x0000000000870000-memory.dmp

Filesize
512KB

Download
memory/4416-31-0x0000000000790000-0x000000000082E000-memory.dmp

Filesize
632KB

Download
memory/4416-32-0x0000000000790000-0x000000000082E000-memory.dmp

Filesize
632KB

Download
memory/4416-30-0x0000000000790000-0x000000000082E000-memory.dmp

Filesize
632KB

Download
memory/4416-27-0x0000000000790000-0x000000000082E000-memory.dmp

Filesize
632KB

Download
memory/4416-34-0x0000000000790000-0x000000000082E000-memory.dmp

Filesize
632KB

Download
memory/4416-35-0x0000000000790000-0x000000000082E000-memory.dmp

Filesize
632KB

Download
memory/4416-36-0x0000000000790000-0x000000000082E000-memory.dmp

Filesize
632KB

Download
memory/4416-37-0x0000000000790000-0x000000000082E000-memory.dmp

Filesize
632KB

Download
memory/4416-38-0x0000000000790000-0x000000000082E000-memory.dmp

Filesize
632KB

Download