urelas | bfa75ec54114851e066cd66877ae57e85f9614599eb8c69a4035f386e027a595

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 19:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe
Size

456KB
MD5

7f27fb91c862de8d7d1b38571eb975f0
SHA1

2c61422715d762b59177a500c7c38286b1e11e98
SHA256

bfa75ec54114851e066cd66877ae57e85f9614599eb8c69a4035f386e027a595
SHA512

316e3fe41c403aad91e93dc12152d04c8eeb5ee2ea5da8a92dad02689f32ec11692299aef917fdc3af0edf27767acae709d4453917b8e9b2dbcf71853b36e601
SSDEEP

6144:l+89tuc2/zrVhVa2H6jkEgAnLjCyl5afu/KQw3hwglo8uBqjnv6D3WwhD5RzC91O:lJYH6jkEgAnieafuzQTlhuwv6Dd9C9w

Score

10^/10

urelas aspackv2 trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-27.dat	aspack_v212_v242
behavioral1/files/0x0004000000004ed7-23.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2272	vekom.exe
2620	fohyc.exe

Loads dropped DLL 2 IoCs

pid	Process
1168	NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe
2272	vekom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
1168	NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe
2272	vekom.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe
2620	fohyc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2272	1168	NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe	28
PID 1168 wrote to memory of 2272	1168	NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe	28
PID 1168 wrote to memory of 2272	1168	NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe	28
PID 1168 wrote to memory of 2272	1168	NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe	28
PID 1168 wrote to memory of 2708	1168	NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe	29
PID 1168 wrote to memory of 2708	1168	NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe	29
PID 1168 wrote to memory of 2708	1168	NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe	29
PID 1168 wrote to memory of 2708	1168	NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe	29
PID 2272 wrote to memory of 2620	2272	vekom.exe	33
PID 2272 wrote to memory of 2620	2272	vekom.exe	33
PID 2272 wrote to memory of 2620	2272	vekom.exe	33
PID 2272 wrote to memory of 2620	2272	vekom.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7f27fb91c862de8d7d1b38571eb975f0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\vekom.exe
  "C:\Users\Admin\AppData\Local\Temp\vekom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\fohyc.exe
    "C:\Users\Admin\AppData\Local\Temp\fohyc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
292B

MD5
3510f5e5bf55a19369b0a08556685d1d

SHA1
f89909c713050f9a4606ee8ad91d954548209d1c

SHA256
ea0aecd1ada130f87a287eb1c013a39a7be7a9abb2501f372e0e784187249836

SHA512
1da655e6fed65a556e9ead24006193152f52c963738836c6472b96afdab2c0e26265e63e029d885c23729a8b9148a51196a4d2b04fda748665d3b79ddaae4a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
292B

MD5
3510f5e5bf55a19369b0a08556685d1d

SHA1
f89909c713050f9a4606ee8ad91d954548209d1c

SHA256
ea0aecd1ada130f87a287eb1c013a39a7be7a9abb2501f372e0e784187249836

SHA512
1da655e6fed65a556e9ead24006193152f52c963738836c6472b96afdab2c0e26265e63e029d885c23729a8b9148a51196a4d2b04fda748665d3b79ddaae4a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fohyc.exe

Filesize
211KB

MD5
bdb5115c3c8ff6fd0f44a8d523c8aea6

SHA1
f9b6e30d775ea682469b7359a65d6bfa69a137cb

SHA256
80e811f46e3e726cb56f086d9b701a0012064fc6418e93642850ed553dafef99

SHA512
4bb2f9f06ae8e5d5e2187ff9ac3c9d47241dcab28cf7ccf63cd181c626f2d820e1f181770ed337978507b99ca4eb773dfd739c05796c9a2406164f49a95f8dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
091831a1ca517562e3cad97b24d2f9a8

SHA1
c3df0229924bdf4af3f6b72ce7996ad886824117

SHA256
15926e3bb25a0306d717258a25c8a406f8cd8747dc30b36f48b9dc7d62c1ed72

SHA512
d802ad0daf32ee398abb0c93fba9b275e069af74d267790c41aebd334315cc2cb2dd9c197448be51c42caaf910a1c8f543ec414eaac3de4c1973ed15ead3f615

Download Submit
C:\Users\Admin\AppData\Local\Temp\vekom.exe

Filesize
456KB

MD5
4deb240d5d0c3ce88328ca87f47a1b7e

SHA1
f4852ca03d9660aa43a1fdcfd7a037731afa3052

SHA256
1a67b695c393e5c814ff07f7b7c07078d34d52d221fe66ca3efb1b1e14f6f7a8

SHA512
ce867a8297d79961effab1dfbff0945799226de2094f25a70a3407d4787d0079c20cf67b12079e6169f187faccf77eff14c05398092067bf02a9de6bb885edcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vekom.exe

Filesize
456KB

MD5
4deb240d5d0c3ce88328ca87f47a1b7e

SHA1
f4852ca03d9660aa43a1fdcfd7a037731afa3052

SHA256
1a67b695c393e5c814ff07f7b7c07078d34d52d221fe66ca3efb1b1e14f6f7a8

SHA512
ce867a8297d79961effab1dfbff0945799226de2094f25a70a3407d4787d0079c20cf67b12079e6169f187faccf77eff14c05398092067bf02a9de6bb885edcd

Download Submit
\Users\Admin\AppData\Local\Temp\fohyc.exe

Filesize
211KB

MD5
bdb5115c3c8ff6fd0f44a8d523c8aea6

SHA1
f9b6e30d775ea682469b7359a65d6bfa69a137cb

SHA256
80e811f46e3e726cb56f086d9b701a0012064fc6418e93642850ed553dafef99

SHA512
4bb2f9f06ae8e5d5e2187ff9ac3c9d47241dcab28cf7ccf63cd181c626f2d820e1f181770ed337978507b99ca4eb773dfd739c05796c9a2406164f49a95f8dfa

Download Submit
\Users\Admin\AppData\Local\Temp\vekom.exe

Filesize
456KB

MD5
4deb240d5d0c3ce88328ca87f47a1b7e

SHA1
f4852ca03d9660aa43a1fdcfd7a037731afa3052

SHA256
1a67b695c393e5c814ff07f7b7c07078d34d52d221fe66ca3efb1b1e14f6f7a8

SHA512
ce867a8297d79961effab1dfbff0945799226de2094f25a70a3407d4787d0079c20cf67b12079e6169f187faccf77eff14c05398092067bf02a9de6bb885edcd

Download Submit
memory/1168-8-0x0000000002220000-0x000000000229A000-memory.dmp

Filesize
488KB

Download
memory/1168-17-0x0000000000B40000-0x0000000000BBA000-memory.dmp

Filesize
488KB

Download
memory/1168-0-0x0000000000B40000-0x0000000000BBA000-memory.dmp

Filesize
488KB

Download
memory/2272-21-0x0000000000840000-0x00000000008BA000-memory.dmp

Filesize
488KB

Download
memory/2272-26-0x0000000000840000-0x00000000008BA000-memory.dmp

Filesize
488KB

Download
memory/2272-29-0x0000000003970000-0x0000000003A04000-memory.dmp

Filesize
592KB

Download
memory/2620-28-0x0000000000EE0000-0x0000000000F74000-memory.dmp

Filesize
592KB

Download
memory/2620-32-0x0000000000EE0000-0x0000000000F74000-memory.dmp

Filesize
592KB

Download
memory/2620-31-0x0000000000EE0000-0x0000000000F74000-memory.dmp

Filesize
592KB

Download
memory/2620-34-0x0000000000EE0000-0x0000000000F74000-memory.dmp

Filesize
592KB

Download
memory/2620-35-0x0000000000EE0000-0x0000000000F74000-memory.dmp

Filesize
592KB

Download
memory/2620-36-0x0000000000EE0000-0x0000000000F74000-memory.dmp

Filesize
592KB

Download
memory/2620-37-0x0000000000EE0000-0x0000000000F74000-memory.dmp

Filesize
592KB

Download
memory/2620-38-0x0000000000EE0000-0x0000000000F74000-memory.dmp

Filesize
592KB

Download