urelas | 62e37098e612e1429756e20645812472be1c749dd54ef0db4237d38ee3d7d1f9

Analysis

max time kernel
238s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2023 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.064410bf9ca035bbc084694a3be71800.exe
Size

446KB
MD5

064410bf9ca035bbc084694a3be71800
SHA1

c75582a53206bb047aaae7714c56e16c01113463
SHA256

62e37098e612e1429756e20645812472be1c749dd54ef0db4237d38ee3d7d1f9
SHA512

0f06373c57356b7c4ba2afe0f8521af5f6fd3af27429ab5a5795e920e9ff7478758c26e956e355b9de572b953759101fa2acde743798e184a9f7bae0b038ad9e
SSDEEP

12288:5Iw12WfKAzArzvrdmCQmmrwABiRxQsA3rNPaPw+NMJ24IYhS:5IhtAzg7rdm77rMQsErN/+M0f

Score

10^/10

urelas aspackv2 trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000022de0-12.dat	aspack_v212_v242
behavioral2/files/0x0008000000022de0-14.dat	aspack_v212_v242
behavioral2/files/0x0008000000022de0-19.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	ojmuq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	NEAS.064410bf9ca035bbc084694a3be71800.exe

Executes dropped EXE 2 IoCs

pid	Process
4400	ojmuq.exe
4784	lyxay.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1752	NEAS.064410bf9ca035bbc084694a3be71800.exe
1752	NEAS.064410bf9ca035bbc084694a3be71800.exe
4400	ojmuq.exe
4400	ojmuq.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe
4784	lyxay.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4400	1752	NEAS.064410bf9ca035bbc084694a3be71800.exe	86
PID 1752 wrote to memory of 4400	1752	NEAS.064410bf9ca035bbc084694a3be71800.exe	86
PID 1752 wrote to memory of 4400	1752	NEAS.064410bf9ca035bbc084694a3be71800.exe	86
PID 1752 wrote to memory of 3116	1752	NEAS.064410bf9ca035bbc084694a3be71800.exe	87
PID 1752 wrote to memory of 3116	1752	NEAS.064410bf9ca035bbc084694a3be71800.exe	87
PID 1752 wrote to memory of 3116	1752	NEAS.064410bf9ca035bbc084694a3be71800.exe	87
PID 4400 wrote to memory of 4784	4400	ojmuq.exe	92
PID 4400 wrote to memory of 4784	4400	ojmuq.exe	92
PID 4400 wrote to memory of 4784	4400	ojmuq.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.064410bf9ca035bbc084694a3be71800.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.064410bf9ca035bbc084694a3be71800.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\ojmuq.exe
  "C:\Users\Admin\AppData\Local\Temp\ojmuq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\lyxay.exe
    "C:\Users\Admin\AppData\Local\Temp\lyxay.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
286B

MD5
8fb96327cffc73e8e9791d1d383bd5d8

SHA1
ca0e07a0aac5f3d81b7082b5f0ec1d6a92d1dbaa

SHA256
ddb6fb00f3868fb802b093f2b2ceeb76d12d9c844e0ea2a4b838a1ab73f0bcdd

SHA512
0ac2efa64f89018f1aff277442958bc9e4adf7f10be9c1f8a451183fae47c40e2e70462a50fcf5e86133bb9eb80e649b82c1e60b338bc035d11b73340c892b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b2cb3b0a9a6597479e1001eb18f3688a

SHA1
c2647fb1e833a8b343cd2c1deb85dcd8e3ceb073

SHA256
896d16eada1c42d0f02d80ceb788a940793f2c18bb0d5522cae9835d0f8e3e68

SHA512
97145e4b447a1657482cb93a76be0ab99642251ebca0dd55074f1aa4f326559e0597b150ef2fd3da0ff662213399d20e0cb78a75a0a800eabd87a0b477229fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyxay.exe

Filesize
313KB

MD5
829370e2a96601e4fc68d39290f485ba

SHA1
cfb79f108232bb4486f22527a725d9352ef194d8

SHA256
0b4b82ca3e3b3986bcef1416f5e3af3710ed9ba175e7743984e8594b59bc101c

SHA512
595e3d107af77c67659cb3f735d2840d1859cb107f73aa42e9181c91934da014d4f6502fe97175b20042e9cb36e4f78d025f38cb4d88a6d6481aee8ca9e58ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyxay.exe

Filesize
313KB

MD5
829370e2a96601e4fc68d39290f485ba

SHA1
cfb79f108232bb4486f22527a725d9352ef194d8

SHA256
0b4b82ca3e3b3986bcef1416f5e3af3710ed9ba175e7743984e8594b59bc101c

SHA512
595e3d107af77c67659cb3f735d2840d1859cb107f73aa42e9181c91934da014d4f6502fe97175b20042e9cb36e4f78d025f38cb4d88a6d6481aee8ca9e58ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyxay.exe

Filesize
313KB

MD5
829370e2a96601e4fc68d39290f485ba

SHA1
cfb79f108232bb4486f22527a725d9352ef194d8

SHA256
0b4b82ca3e3b3986bcef1416f5e3af3710ed9ba175e7743984e8594b59bc101c

SHA512
595e3d107af77c67659cb3f735d2840d1859cb107f73aa42e9181c91934da014d4f6502fe97175b20042e9cb36e4f78d025f38cb4d88a6d6481aee8ca9e58ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojmuq.exe

Filesize
446KB

MD5
0c5d6db0b15a9160ba5b8d295ec82a06

SHA1
ee620b0303e84461c2740b376f4cc6b585411de0

SHA256
8a407b2bad37ebc9dc9fe90344c720816cf5a9638f2f5a820a939d95221d99a8

SHA512
086eec102b85680cb9a653daaee29fe14692e18869004fc7b92b460378412ae7c856032f7c3f9b988abd04a8882a240dee7da2625302a25ee2ad3853c6040736

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojmuq.exe

Filesize
446KB

MD5
0c5d6db0b15a9160ba5b8d295ec82a06

SHA1
ee620b0303e84461c2740b376f4cc6b585411de0

SHA256
8a407b2bad37ebc9dc9fe90344c720816cf5a9638f2f5a820a939d95221d99a8

SHA512
086eec102b85680cb9a653daaee29fe14692e18869004fc7b92b460378412ae7c856032f7c3f9b988abd04a8882a240dee7da2625302a25ee2ad3853c6040736

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojmuq.exe

Filesize
446KB

MD5
0c5d6db0b15a9160ba5b8d295ec82a06

SHA1
ee620b0303e84461c2740b376f4cc6b585411de0

SHA256
8a407b2bad37ebc9dc9fe90344c720816cf5a9638f2f5a820a939d95221d99a8

SHA512
086eec102b85680cb9a653daaee29fe14692e18869004fc7b92b460378412ae7c856032f7c3f9b988abd04a8882a240dee7da2625302a25ee2ad3853c6040736

Download Submit
memory/1752-8-0x0000000000210000-0x00000000002AA000-memory.dmp

Filesize
616KB

Download
memory/1752-25-0x0000000000210000-0x00000000002AA000-memory.dmp

Filesize
616KB

Download
memory/1752-4-0x0000000000210000-0x00000000002AA000-memory.dmp

Filesize
616KB

Download
memory/1752-5-0x0000000000210000-0x00000000002AA000-memory.dmp

Filesize
616KB

Download
memory/1752-3-0x0000000000210000-0x00000000002AA000-memory.dmp

Filesize
616KB

Download
memory/1752-2-0x0000000000210000-0x00000000002AA000-memory.dmp

Filesize
616KB

Download
memory/1752-0-0x0000000000210000-0x00000000002AA000-memory.dmp

Filesize
616KB

Download
memory/1752-1-0x0000000000210000-0x00000000002AA000-memory.dmp

Filesize
616KB

Download
memory/4400-23-0x0000000000B60000-0x0000000000BFA000-memory.dmp

Filesize
616KB

Download
memory/4400-16-0x0000000000B60000-0x0000000000BFA000-memory.dmp

Filesize
616KB

Download
memory/4400-28-0x0000000000B60000-0x0000000000BFA000-memory.dmp

Filesize
616KB

Download
memory/4400-21-0x0000000000B60000-0x0000000000BFA000-memory.dmp

Filesize
616KB

Download
memory/4400-20-0x0000000000B60000-0x0000000000BFA000-memory.dmp

Filesize
616KB

Download
memory/4400-44-0x0000000000B60000-0x0000000000BFA000-memory.dmp

Filesize
616KB

Download
memory/4400-22-0x0000000000B60000-0x0000000000BFA000-memory.dmp

Filesize
616KB

Download
memory/4784-45-0x00000000004A0000-0x000000000054F000-memory.dmp

Filesize
700KB

Download
memory/4784-47-0x0000000000D00000-0x0000000000D02000-memory.dmp

Filesize
8KB

Download
memory/4784-48-0x00000000004A0000-0x000000000054F000-memory.dmp

Filesize
700KB

Download
memory/4784-51-0x00000000004A0000-0x000000000054F000-memory.dmp

Filesize
700KB

Download
memory/4784-52-0x0000000000D00000-0x0000000000D02000-memory.dmp

Filesize
8KB

Download
memory/4784-54-0x00000000004A0000-0x000000000054F000-memory.dmp

Filesize
700KB

Download
memory/4784-55-0x00000000004A0000-0x000000000054F000-memory.dmp

Filesize
700KB

Download