urelas | 62e37098e612e1429756e20645812472be1c749dd54ef0db4237d38ee3d7d1f9

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.064410bf9ca035bbc084694a3be71800.exe
Size

446KB
MD5

064410bf9ca035bbc084694a3be71800
SHA1

c75582a53206bb047aaae7714c56e16c01113463
SHA256

62e37098e612e1429756e20645812472be1c749dd54ef0db4237d38ee3d7d1f9
SHA512

0f06373c57356b7c4ba2afe0f8521af5f6fd3af27429ab5a5795e920e9ff7478758c26e956e355b9de572b953759101fa2acde743798e184a9f7bae0b038ad9e
SSDEEP

12288:5Iw12WfKAzArzvrdmCQmmrwABiRxQsA3rNPaPw+NMJ24IYhS:5IhtAzg7rdm77rMQsErN/+M0f

Score

10^/10

urelas aspackv2 trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000015c57-8.dat	aspack_v212_v242
behavioral1/files/0x0009000000015c57-12.dat	aspack_v212_v242
behavioral1/files/0x0009000000015c57-48.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
1696	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1460	cuseo.exe
3016	wapil.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	NEAS.064410bf9ca035bbc084694a3be71800.exe
1460	cuseo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	NEAS.064410bf9ca035bbc084694a3be71800.exe
1460	cuseo.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe
3016	wapil.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1460	1688	NEAS.064410bf9ca035bbc084694a3be71800.exe	28
PID 1688 wrote to memory of 1460	1688	NEAS.064410bf9ca035bbc084694a3be71800.exe	28
PID 1688 wrote to memory of 1460	1688	NEAS.064410bf9ca035bbc084694a3be71800.exe	28
PID 1688 wrote to memory of 1460	1688	NEAS.064410bf9ca035bbc084694a3be71800.exe	28
PID 1688 wrote to memory of 1696	1688	NEAS.064410bf9ca035bbc084694a3be71800.exe	30
PID 1688 wrote to memory of 1696	1688	NEAS.064410bf9ca035bbc084694a3be71800.exe	30
PID 1688 wrote to memory of 1696	1688	NEAS.064410bf9ca035bbc084694a3be71800.exe	30
PID 1688 wrote to memory of 1696	1688	NEAS.064410bf9ca035bbc084694a3be71800.exe	30
PID 1460 wrote to memory of 3016	1460	cuseo.exe	33
PID 1460 wrote to memory of 3016	1460	cuseo.exe	33
PID 1460 wrote to memory of 3016	1460	cuseo.exe	33
PID 1460 wrote to memory of 3016	1460	cuseo.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.064410bf9ca035bbc084694a3be71800.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.064410bf9ca035bbc084694a3be71800.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\cuseo.exe
  "C:\Users\Admin\AppData\Local\Temp\cuseo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\wapil.exe
    "C:\Users\Admin\AppData\Local\Temp\wapil.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
286B

MD5
8fb96327cffc73e8e9791d1d383bd5d8

SHA1
ca0e07a0aac5f3d81b7082b5f0ec1d6a92d1dbaa

SHA256
ddb6fb00f3868fb802b093f2b2ceeb76d12d9c844e0ea2a4b838a1ab73f0bcdd

SHA512
0ac2efa64f89018f1aff277442958bc9e4adf7f10be9c1f8a451183fae47c40e2e70462a50fcf5e86133bb9eb80e649b82c1e60b338bc035d11b73340c892b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
286B

MD5
8fb96327cffc73e8e9791d1d383bd5d8

SHA1
ca0e07a0aac5f3d81b7082b5f0ec1d6a92d1dbaa

SHA256
ddb6fb00f3868fb802b093f2b2ceeb76d12d9c844e0ea2a4b838a1ab73f0bcdd

SHA512
0ac2efa64f89018f1aff277442958bc9e4adf7f10be9c1f8a451183fae47c40e2e70462a50fcf5e86133bb9eb80e649b82c1e60b338bc035d11b73340c892b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuseo.exe

Filesize
446KB

MD5
d1bef0232217a38b54e734e30777326c

SHA1
15d135ed895c39d457e742779e2a6f564cfe5f17

SHA256
7401634087d8e02922a15aab6e818ed5b5939ef6fe9bf91b2d213d3241a82a85

SHA512
f340eaabf82a0ddea7d847845851a460d6ad882f038cb9d662a164a68fac4876657d2001f41814a5f51e6cdaf0b23c38a7f4b7530f807ae5dff3dd6751306148

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuseo.exe

Filesize
446KB

MD5
d1bef0232217a38b54e734e30777326c

SHA1
15d135ed895c39d457e742779e2a6f564cfe5f17

SHA256
7401634087d8e02922a15aab6e818ed5b5939ef6fe9bf91b2d213d3241a82a85

SHA512
f340eaabf82a0ddea7d847845851a460d6ad882f038cb9d662a164a68fac4876657d2001f41814a5f51e6cdaf0b23c38a7f4b7530f807ae5dff3dd6751306148

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
83e94d24477fea520d86d658d158a6d1

SHA1
ee336230a3ce1b44ff345ba1966c4eddd7fef8ab

SHA256
dc723edf54b5ab723c860349776930b5d00de89ed5641e3b5d0c35aafe315390

SHA512
8d2ea04de4a272937ca5217cf2272880ced222b1ad35050dcb0e7826ff9b761fa90a3b3710e295d58c80158fdf22ef05216a9be49a6ac2daf20132402d372422

Download Submit
C:\Users\Admin\AppData\Local\Temp\wapil.exe

Filesize
313KB

MD5
5da0e8665aed218411eedf4e7c698023

SHA1
96cf4fd3aafb16428ddfc6729388adbb964d5a06

SHA256
778a502f7a9188d3ff5be9e48b33e129241ce7dc42c44ab818a8da728f780c57

SHA512
cd2b2b8c6fc9877552f3669034263f7b89b8f7fa05ca8b7dad0ffcfe7434074f8a0ab56d5e0994b01a35ea92e87bc38892f821509cb002a71cf3e365e2ce1e39

Download Submit
\Users\Admin\AppData\Local\Temp\cuseo.exe

Filesize
446KB

MD5
d1bef0232217a38b54e734e30777326c

SHA1
15d135ed895c39d457e742779e2a6f564cfe5f17

SHA256
7401634087d8e02922a15aab6e818ed5b5939ef6fe9bf91b2d213d3241a82a85

SHA512
f340eaabf82a0ddea7d847845851a460d6ad882f038cb9d662a164a68fac4876657d2001f41814a5f51e6cdaf0b23c38a7f4b7530f807ae5dff3dd6751306148

Download Submit
\Users\Admin\AppData\Local\Temp\wapil.exe

Filesize
313KB

MD5
5da0e8665aed218411eedf4e7c698023

SHA1
96cf4fd3aafb16428ddfc6729388adbb964d5a06

SHA256
778a502f7a9188d3ff5be9e48b33e129241ce7dc42c44ab818a8da728f780c57

SHA512
cd2b2b8c6fc9877552f3669034263f7b89b8f7fa05ca8b7dad0ffcfe7434074f8a0ab56d5e0994b01a35ea92e87bc38892f821509cb002a71cf3e365e2ce1e39

Download Submit
memory/1460-28-0x0000000000900000-0x000000000099A000-memory.dmp

Filesize
616KB

Download
memory/1460-40-0x0000000003970000-0x0000000003A1F000-memory.dmp

Filesize
700KB

Download
memory/1460-41-0x0000000000900000-0x000000000099A000-memory.dmp

Filesize
616KB

Download
memory/1460-23-0x0000000000900000-0x000000000099A000-memory.dmp

Filesize
616KB

Download
memory/1460-24-0x0000000000900000-0x000000000099A000-memory.dmp

Filesize
616KB

Download
memory/1460-25-0x0000000000900000-0x000000000099A000-memory.dmp

Filesize
616KB

Download
memory/1460-22-0x0000000000900000-0x000000000099A000-memory.dmp

Filesize
616KB

Download
memory/1688-13-0x0000000002700000-0x000000000279A000-memory.dmp

Filesize
616KB

Download
memory/1688-1-0x0000000000A30000-0x0000000000ACA000-memory.dmp

Filesize
616KB

Download
memory/1688-4-0x0000000000A30000-0x0000000000ACA000-memory.dmp

Filesize
616KB

Download
memory/1688-3-0x0000000000A30000-0x0000000000ACA000-memory.dmp

Filesize
616KB

Download
memory/1688-21-0x0000000000A30000-0x0000000000ACA000-memory.dmp

Filesize
616KB

Download
memory/1688-2-0x0000000000A30000-0x0000000000ACA000-memory.dmp

Filesize
616KB

Download
memory/1688-0-0x0000000000A30000-0x0000000000ACA000-memory.dmp

Filesize
616KB

Download
memory/3016-49-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3016-45-0x0000000000AE0000-0x0000000000B8F000-memory.dmp

Filesize
700KB

Download
memory/3016-43-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3016-50-0x0000000000AE0000-0x0000000000B8F000-memory.dmp

Filesize
700KB

Download
memory/3016-51-0x0000000000AE0000-0x0000000000B8F000-memory.dmp

Filesize
700KB

Download
memory/3016-52-0x0000000000AE0000-0x0000000000B8F000-memory.dmp

Filesize
700KB

Download
memory/3016-53-0x0000000000AE0000-0x0000000000B8F000-memory.dmp

Filesize
700KB

Download
memory/3016-54-0x0000000000AE0000-0x0000000000B8F000-memory.dmp

Filesize
700KB

Download
memory/3016-55-0x0000000000AE0000-0x0000000000B8F000-memory.dmp

Filesize
700KB

Download
memory/3016-56-0x0000000000AE0000-0x0000000000B8F000-memory.dmp

Filesize
700KB

Download