urelas | 9af836be97d28f466053fcb064ab98e1c04bc62774b394c5d82fc8b898bc817a

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd49a794911cc9402e712e0e9ffeb0d7_JC.exe
Size

332KB
MD5

dd49a794911cc9402e712e0e9ffeb0d7
SHA1

8b488448f6797440f79c8f8b3742fe63ff52dbc7
SHA256

9af836be97d28f466053fcb064ab98e1c04bc62774b394c5d82fc8b898bc817a
SHA512

0ec4bb119b6149cd04ff097454b90050bbbf05457745b53019681bd5147dcf376af882273bd08808fd88393ad446be704db838a5ab82439e66b954fb9682c3cf
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZis7:Nd7rpL43btmQ58Z27zw39gY2FeZhj

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a000000015c11-53.dat	aspack_v212_v242
behavioral1/files/0x000a000000015c11-40.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1300	pomuw.exe
2760	byolse.exe
2348	uvlei.exe

Loads dropped DLL 5 IoCs

pid	Process
2480	dd49a794911cc9402e712e0e9ffeb0d7_JC.exe
2480	dd49a794911cc9402e712e0e9ffeb0d7_JC.exe
1300	pomuw.exe
1300	pomuw.exe
2760	byolse.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe
2348	uvlei.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1300	2480	dd49a794911cc9402e712e0e9ffeb0d7_JC.exe	28
PID 2480 wrote to memory of 1300	2480	dd49a794911cc9402e712e0e9ffeb0d7_JC.exe	28
PID 2480 wrote to memory of 1300	2480	dd49a794911cc9402e712e0e9ffeb0d7_JC.exe	28
PID 2480 wrote to memory of 1300	2480	dd49a794911cc9402e712e0e9ffeb0d7_JC.exe	28
PID 2480 wrote to memory of 2704	2480	dd49a794911cc9402e712e0e9ffeb0d7_JC.exe	29
PID 2480 wrote to memory of 2704	2480	dd49a794911cc9402e712e0e9ffeb0d7_JC.exe	29
PID 2480 wrote to memory of 2704	2480	dd49a794911cc9402e712e0e9ffeb0d7_JC.exe	29
PID 2480 wrote to memory of 2704	2480	dd49a794911cc9402e712e0e9ffeb0d7_JC.exe	29
PID 1300 wrote to memory of 2760	1300	pomuw.exe	31
PID 1300 wrote to memory of 2760	1300	pomuw.exe	31
PID 1300 wrote to memory of 2760	1300	pomuw.exe	31
PID 1300 wrote to memory of 2760	1300	pomuw.exe	31
PID 2760 wrote to memory of 2348	2760	byolse.exe	34
PID 2760 wrote to memory of 2348	2760	byolse.exe	34
PID 2760 wrote to memory of 2348	2760	byolse.exe	34
PID 2760 wrote to memory of 2348	2760	byolse.exe	34
PID 2760 wrote to memory of 312	2760	byolse.exe	36
PID 2760 wrote to memory of 312	2760	byolse.exe	36
PID 2760 wrote to memory of 312	2760	byolse.exe	36
PID 2760 wrote to memory of 312	2760	byolse.exe	36

C:\Users\Admin\AppData\Local\Temp\dd49a794911cc9402e712e0e9ffeb0d7_JC.exe
"C:\Users\Admin\AppData\Local\Temp\dd49a794911cc9402e712e0e9ffeb0d7_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\pomuw.exe
  "C:\Users\Admin\AppData\Local\Temp\pomuw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\byolse.exe
    "C:\Users\Admin\AppData\Local\Temp\byolse.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\uvlei.exe
      "C:\Users\Admin\AppData\Local\Temp\uvlei.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
282B

MD5
a1aec52cdab054617aa595ed3cd584be

SHA1
8873127a7136ba52beef1725271d80ccad9f7d35

SHA256
53f050b1ba03bc601741fabd65aba819d44c3c92569c083375919967373b081e

SHA512
b8b107a0d898b5c346638e731a73eac69f7f1c80330f29fac5cae2b7cba53305fb3b60803caa636406ab88f7caeb9668d8878dc0a1ca9407b06e6c9b842f0276

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
282B

MD5
a1aec52cdab054617aa595ed3cd584be

SHA1
8873127a7136ba52beef1725271d80ccad9f7d35

SHA256
53f050b1ba03bc601741fabd65aba819d44c3c92569c083375919967373b081e

SHA512
b8b107a0d898b5c346638e731a73eac69f7f1c80330f29fac5cae2b7cba53305fb3b60803caa636406ab88f7caeb9668d8878dc0a1ca9407b06e6c9b842f0276

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
5846200d610915e72b5a910c227a7c3c

SHA1
ec50e6aa04419fb08889b0898dd446779af0d5f8

SHA256
9f686cfb4fce85c079a2b69207af967f5ace614d7814d340b010b7f689c82631

SHA512
ff72d2f44f6822589ca9702f65453c49e80274524b781572feb74fc3ebf32d2deac0d3b416f7308c15082fa32ea64020e0eef76336cd3c1082353690537e0c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
5846200d610915e72b5a910c227a7c3c

SHA1
ec50e6aa04419fb08889b0898dd446779af0d5f8

SHA256
9f686cfb4fce85c079a2b69207af967f5ace614d7814d340b010b7f689c82631

SHA512
ff72d2f44f6822589ca9702f65453c49e80274524b781572feb74fc3ebf32d2deac0d3b416f7308c15082fa32ea64020e0eef76336cd3c1082353690537e0c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\byolse.exe

Filesize
332KB

MD5
b54d777b2c33c5c2d28dbcbac85d7ce1

SHA1
3bf2194e1a385b0d3e5d79e7e3fc38c46b1f8842

SHA256
4ca9cc8739fb0083756ebc888b9945807ff165cbd86c83f3ae7a1acefda1563f

SHA512
b1356e6cef65f433e9d78f56692278a77a211dee39ce20a88fdbac6aa20cbebd2a9f9bebfacde5d1ab246f9c653a72989abf2ea045f29300eaaf7f49885d52da

Download Submit
C:\Users\Admin\AppData\Local\Temp\byolse.exe

Filesize
332KB

MD5
b54d777b2c33c5c2d28dbcbac85d7ce1

SHA1
3bf2194e1a385b0d3e5d79e7e3fc38c46b1f8842

SHA256
4ca9cc8739fb0083756ebc888b9945807ff165cbd86c83f3ae7a1acefda1563f

SHA512
b1356e6cef65f433e9d78f56692278a77a211dee39ce20a88fdbac6aa20cbebd2a9f9bebfacde5d1ab246f9c653a72989abf2ea045f29300eaaf7f49885d52da

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af1d347a68d05285b9ded60bc1281830

SHA1
88ad682eb394e904c090b8202087fe7e8faf284f

SHA256
ccea99389be3e55e162c6b4a53d9f6357b6bcb82884d18a9d188ce3200d50d8c

SHA512
e92f19c19f4cc1fcf8c7e213825ee675830f8017e903e39ad0926aeb9b9cccbb2062fd2da9d31b699eeba16e85414e31ed9bd0bd345dee13bb8adb0aaba18575

Download Submit
C:\Users\Admin\AppData\Local\Temp\pomuw.exe

Filesize
332KB

MD5
b54d777b2c33c5c2d28dbcbac85d7ce1

SHA1
3bf2194e1a385b0d3e5d79e7e3fc38c46b1f8842

SHA256
4ca9cc8739fb0083756ebc888b9945807ff165cbd86c83f3ae7a1acefda1563f

SHA512
b1356e6cef65f433e9d78f56692278a77a211dee39ce20a88fdbac6aa20cbebd2a9f9bebfacde5d1ab246f9c653a72989abf2ea045f29300eaaf7f49885d52da

Download Submit
C:\Users\Admin\AppData\Local\Temp\pomuw.exe

Filesize
332KB

MD5
b54d777b2c33c5c2d28dbcbac85d7ce1

SHA1
3bf2194e1a385b0d3e5d79e7e3fc38c46b1f8842

SHA256
4ca9cc8739fb0083756ebc888b9945807ff165cbd86c83f3ae7a1acefda1563f

SHA512
b1356e6cef65f433e9d78f56692278a77a211dee39ce20a88fdbac6aa20cbebd2a9f9bebfacde5d1ab246f9c653a72989abf2ea045f29300eaaf7f49885d52da

Download Submit
C:\Users\Admin\AppData\Local\Temp\pomuw.exe

Filesize
332KB

MD5
b54d777b2c33c5c2d28dbcbac85d7ce1

SHA1
3bf2194e1a385b0d3e5d79e7e3fc38c46b1f8842

SHA256
4ca9cc8739fb0083756ebc888b9945807ff165cbd86c83f3ae7a1acefda1563f

SHA512
b1356e6cef65f433e9d78f56692278a77a211dee39ce20a88fdbac6aa20cbebd2a9f9bebfacde5d1ab246f9c653a72989abf2ea045f29300eaaf7f49885d52da

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvlei.exe

Filesize
136KB

MD5
30cb1f42bc4cd6e8d75751ddecbc11b3

SHA1
8f5765e7d6843acc4c2430a7fc085eecc9298165

SHA256
41527a1a884e62a2bbb6fd3d3689c950583ff19fcea11d1e3fe14035cc468122

SHA512
dc9ceac9b2750287d9348e5fd4cfb9e057bdd195e105c05aa36063c6f9b0426b5f59d9bbadf1334f076b1ac8c8c9aa89df724e279f08b724c8759c51deb25c3e

Download Submit
\Users\Admin\AppData\Local\Temp\byolse.exe

Filesize
332KB

MD5
b54d777b2c33c5c2d28dbcbac85d7ce1

SHA1
3bf2194e1a385b0d3e5d79e7e3fc38c46b1f8842

SHA256
4ca9cc8739fb0083756ebc888b9945807ff165cbd86c83f3ae7a1acefda1563f

SHA512
b1356e6cef65f433e9d78f56692278a77a211dee39ce20a88fdbac6aa20cbebd2a9f9bebfacde5d1ab246f9c653a72989abf2ea045f29300eaaf7f49885d52da

Download Submit
\Users\Admin\AppData\Local\Temp\byolse.exe

Filesize
332KB

MD5
b54d777b2c33c5c2d28dbcbac85d7ce1

SHA1
3bf2194e1a385b0d3e5d79e7e3fc38c46b1f8842

SHA256
4ca9cc8739fb0083756ebc888b9945807ff165cbd86c83f3ae7a1acefda1563f

SHA512
b1356e6cef65f433e9d78f56692278a77a211dee39ce20a88fdbac6aa20cbebd2a9f9bebfacde5d1ab246f9c653a72989abf2ea045f29300eaaf7f49885d52da

Download Submit
\Users\Admin\AppData\Local\Temp\pomuw.exe

Filesize
332KB

MD5
b54d777b2c33c5c2d28dbcbac85d7ce1

SHA1
3bf2194e1a385b0d3e5d79e7e3fc38c46b1f8842

SHA256
4ca9cc8739fb0083756ebc888b9945807ff165cbd86c83f3ae7a1acefda1563f

SHA512
b1356e6cef65f433e9d78f56692278a77a211dee39ce20a88fdbac6aa20cbebd2a9f9bebfacde5d1ab246f9c653a72989abf2ea045f29300eaaf7f49885d52da

Download Submit
\Users\Admin\AppData\Local\Temp\pomuw.exe

Filesize
332KB

MD5
b54d777b2c33c5c2d28dbcbac85d7ce1

SHA1
3bf2194e1a385b0d3e5d79e7e3fc38c46b1f8842

SHA256
4ca9cc8739fb0083756ebc888b9945807ff165cbd86c83f3ae7a1acefda1563f

SHA512
b1356e6cef65f433e9d78f56692278a77a211dee39ce20a88fdbac6aa20cbebd2a9f9bebfacde5d1ab246f9c653a72989abf2ea045f29300eaaf7f49885d52da

Download Submit
\Users\Admin\AppData\Local\Temp\uvlei.exe

Filesize
136KB

MD5
30cb1f42bc4cd6e8d75751ddecbc11b3

SHA1
8f5765e7d6843acc4c2430a7fc085eecc9298165

SHA256
41527a1a884e62a2bbb6fd3d3689c950583ff19fcea11d1e3fe14035cc468122

SHA512
dc9ceac9b2750287d9348e5fd4cfb9e057bdd195e105c05aa36063c6f9b0426b5f59d9bbadf1334f076b1ac8c8c9aa89df724e279f08b724c8759c51deb25c3e

Download Submit
memory/1300-32-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1300-31-0x0000000002110000-0x0000000002168000-memory.dmp

Filesize
352KB

Download
memory/2348-56-0x0000000001310000-0x000000000139C000-memory.dmp

Filesize
560KB

Download
memory/2348-62-0x0000000001310000-0x000000000139C000-memory.dmp

Filesize
560KB

Download
memory/2348-55-0x0000000001310000-0x000000000139C000-memory.dmp

Filesize
560KB

Download
memory/2348-54-0x0000000001310000-0x000000000139C000-memory.dmp

Filesize
560KB

Download
memory/2348-65-0x0000000001310000-0x000000000139C000-memory.dmp

Filesize
560KB

Download
memory/2348-64-0x0000000001310000-0x000000000139C000-memory.dmp

Filesize
560KB

Download
memory/2348-57-0x0000000001310000-0x000000000139C000-memory.dmp

Filesize
560KB

Download
memory/2348-63-0x0000000001310000-0x000000000139C000-memory.dmp

Filesize
560KB

Download
memory/2348-60-0x0000000001310000-0x000000000139C000-memory.dmp

Filesize
560KB

Download
memory/2348-61-0x0000000001310000-0x000000000139C000-memory.dmp

Filesize
560KB

Download
memory/2480-21-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2480-11-0x0000000001F10000-0x0000000001F68000-memory.dmp

Filesize
352KB

Download
memory/2480-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2760-44-0x0000000002E30000-0x0000000002EBC000-memory.dmp

Filesize
560KB

Download
memory/2760-34-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2760-52-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2760-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download