urelas | b0e192b2b2bea5858f84ac9ae5dac817250fbc19ec0b30472133688931ca3cf1

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.90cf0f2336e235631a58a3b342f4e690.exe
Size

488KB
MD5

90cf0f2336e235631a58a3b342f4e690
SHA1

c0d99ffb6f708789231657d99dc47c2c1e992260
SHA256

b0e192b2b2bea5858f84ac9ae5dac817250fbc19ec0b30472133688931ca3cf1
SHA512

66f2384363393c54130fcc14bec2ac9239e799239a03035fb62abaa9e69be3696d581017e40612c0b2e208a43b1a4d9785b6b859424c65bdacf8a7112cd59550
SSDEEP

6144:LKQipZoO4wTpyFkHTMg7mZD4ioWLolzl7X25DJMGG8mnqYJhht/Uu9ri7bpIl:qpn7Cg7mZD4ioWwtX25DRmqirri2l

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-24.dat	aspack_v212_v242
behavioral1/files/0x0004000000004ed7-29.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2608	lumaa.exe
2580	dukea.exe

Loads dropped DLL 2 IoCs

pid	Process
2472	NEAS.90cf0f2336e235631a58a3b342f4e690.exe
2608	lumaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe
2580	dukea.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2608	2472	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	28
PID 2472 wrote to memory of 2608	2472	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	28
PID 2472 wrote to memory of 2608	2472	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	28
PID 2472 wrote to memory of 2608	2472	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	28
PID 2472 wrote to memory of 2744	2472	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	29
PID 2472 wrote to memory of 2744	2472	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	29
PID 2472 wrote to memory of 2744	2472	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	29
PID 2472 wrote to memory of 2744	2472	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	29
PID 2608 wrote to memory of 2580	2608	lumaa.exe	33
PID 2608 wrote to memory of 2580	2608	lumaa.exe	33
PID 2608 wrote to memory of 2580	2608	lumaa.exe	33
PID 2608 wrote to memory of 2580	2608	lumaa.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.90cf0f2336e235631a58a3b342f4e690.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.90cf0f2336e235631a58a3b342f4e690.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\lumaa.exe
  "C:\Users\Admin\AppData\Local\Temp\lumaa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\dukea.exe
    "C:\Users\Admin\AppData\Local\Temp\dukea.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
7641f4e0aa186c5b4ae4e4254dc4b9cc

SHA1
9efdfe804ab1d947bfcbf6d7a947c12c54e905dc

SHA256
850a41b1967c0c964c8ecff45c33a60a40641ef09073f855ae2291372288029a

SHA512
9ecf832c453cdd3d5f5f1b10c3d3356a0ca4323dd578f7277741ca597ae7d67b7e68d4d8f5a2cbec0c80d867b566fcc23f780024b1caa49368b9d26b3b9974f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
7641f4e0aa186c5b4ae4e4254dc4b9cc

SHA1
9efdfe804ab1d947bfcbf6d7a947c12c54e905dc

SHA256
850a41b1967c0c964c8ecff45c33a60a40641ef09073f855ae2291372288029a

SHA512
9ecf832c453cdd3d5f5f1b10c3d3356a0ca4323dd578f7277741ca597ae7d67b7e68d4d8f5a2cbec0c80d867b566fcc23f780024b1caa49368b9d26b3b9974f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dukea.exe

Filesize
242KB

MD5
aaa2f0c84efd4061cfe84b98dd16520f

SHA1
84b93f10b51c64e09ca1cc8d4d079f5d2198e64d

SHA256
5127aa27974fcaf48ad96e45bd1b088a521fabf984d3dc0935a293ed4d3561b5

SHA512
e650864e5d80b3f10a7db10d84f6e16d7b99434e88eb5e66399ff1c67bdf509161b832a524f80217d35383a2a6e008276c40acc7f18c738fa2864b580237a269

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
781033808868bc1bf9c932c975b5bb2f

SHA1
0eda72a56f37ccdbcc44ccf32a193e0a559730fe

SHA256
9f82decba886b7c554b9f9aaed823aed6a536e7a57f26ac0ba6831fd88e457d6

SHA512
93b8c595032fbfe3903aa6b1f6fd393af4edc7ae9bdcd7c61fbf520c69a58e2b5509eedfe6f331406a4331b91aa5fd650040697f712f72f9518422a9614009fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lumaa.exe

Filesize
488KB

MD5
2c4d1907f667d070c593133d6b7e72f9

SHA1
a1e7a568c6abcb5b5ef6ec3408097321db94b237

SHA256
5d175981ce85800825bc14d98a9b077ce4dc9c4835f4c58b1dfce999d60045e2

SHA512
6e7c7069e1a3e083a6e8355f83c3a269a6f8fddd0c2d87c6295ff9378d40b81e2ddb845c47dfd5f1de86eecf21166443ef299eb915c077696fe0d674b847cede

Download Submit
C:\Users\Admin\AppData\Local\Temp\lumaa.exe

Filesize
488KB

MD5
2c4d1907f667d070c593133d6b7e72f9

SHA1
a1e7a568c6abcb5b5ef6ec3408097321db94b237

SHA256
5d175981ce85800825bc14d98a9b077ce4dc9c4835f4c58b1dfce999d60045e2

SHA512
6e7c7069e1a3e083a6e8355f83c3a269a6f8fddd0c2d87c6295ff9378d40b81e2ddb845c47dfd5f1de86eecf21166443ef299eb915c077696fe0d674b847cede

Download Submit
\Users\Admin\AppData\Local\Temp\dukea.exe

Filesize
242KB

MD5
aaa2f0c84efd4061cfe84b98dd16520f

SHA1
84b93f10b51c64e09ca1cc8d4d079f5d2198e64d

SHA256
5127aa27974fcaf48ad96e45bd1b088a521fabf984d3dc0935a293ed4d3561b5

SHA512
e650864e5d80b3f10a7db10d84f6e16d7b99434e88eb5e66399ff1c67bdf509161b832a524f80217d35383a2a6e008276c40acc7f18c738fa2864b580237a269

Download Submit
\Users\Admin\AppData\Local\Temp\lumaa.exe

Filesize
488KB

MD5
2c4d1907f667d070c593133d6b7e72f9

SHA1
a1e7a568c6abcb5b5ef6ec3408097321db94b237

SHA256
5d175981ce85800825bc14d98a9b077ce4dc9c4835f4c58b1dfce999d60045e2

SHA512
6e7c7069e1a3e083a6e8355f83c3a269a6f8fddd0c2d87c6295ff9378d40b81e2ddb845c47dfd5f1de86eecf21166443ef299eb915c077696fe0d674b847cede

Download Submit
memory/2472-18-0x0000000001100000-0x0000000001182000-memory.dmp

Filesize
520KB

Download
memory/2472-6-0x0000000002590000-0x0000000002612000-memory.dmp

Filesize
520KB

Download
memory/2472-0-0x0000000001100000-0x0000000001182000-memory.dmp

Filesize
520KB

Download
memory/2580-33-0x0000000000020000-0x00000000000CD000-memory.dmp

Filesize
692KB

Download
memory/2580-31-0x0000000000020000-0x00000000000CD000-memory.dmp

Filesize
692KB

Download
memory/2580-32-0x0000000000020000-0x00000000000CD000-memory.dmp

Filesize
692KB

Download
memory/2580-34-0x0000000000020000-0x00000000000CD000-memory.dmp

Filesize
692KB

Download
memory/2580-36-0x0000000000020000-0x00000000000CD000-memory.dmp

Filesize
692KB

Download
memory/2580-37-0x0000000000020000-0x00000000000CD000-memory.dmp

Filesize
692KB

Download
memory/2580-38-0x0000000000020000-0x00000000000CD000-memory.dmp

Filesize
692KB

Download
memory/2580-39-0x0000000000020000-0x00000000000CD000-memory.dmp

Filesize
692KB

Download
memory/2580-40-0x0000000000020000-0x00000000000CD000-memory.dmp

Filesize
692KB

Download
memory/2608-28-0x00000000000A0000-0x0000000000122000-memory.dmp

Filesize
520KB

Download
memory/2608-10-0x00000000000A0000-0x0000000000122000-memory.dmp

Filesize
520KB

Download
memory/2608-21-0x00000000000A0000-0x0000000000122000-memory.dmp

Filesize
520KB

Download
memory/2608-27-0x0000000002780000-0x000000000282D000-memory.dmp

Filesize
692KB

Download