urelas | b0e192b2b2bea5858f84ac9ae5dac817250fbc19ec0b30472133688931ca3cf1

Analysis

max time kernel
154s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.90cf0f2336e235631a58a3b342f4e690.exe
Size

488KB
MD5

90cf0f2336e235631a58a3b342f4e690
SHA1

c0d99ffb6f708789231657d99dc47c2c1e992260
SHA256

b0e192b2b2bea5858f84ac9ae5dac817250fbc19ec0b30472133688931ca3cf1
SHA512

66f2384363393c54130fcc14bec2ac9239e799239a03035fb62abaa9e69be3696d581017e40612c0b2e208a43b1a4d9785b6b859424c65bdacf8a7112cd59550
SSDEEP

6144:LKQipZoO4wTpyFkHTMg7mZD4ioWLolzl7X25DJMGG8mnqYJhht/Uu9ri7bpIl:qpn7Cg7mZD4ioWwtX25DRmqirri2l

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022304-22.dat	aspack_v212_v242
behavioral2/files/0x0006000000022304-25.dat	aspack_v212_v242
behavioral2/files/0x0006000000022304-24.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	fuluv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	NEAS.90cf0f2336e235631a58a3b342f4e690.exe

Executes dropped EXE 2 IoCs

pid	Process
1972	fuluv.exe
2180	guqae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe
2180	guqae.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 1972	4056	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	93
PID 4056 wrote to memory of 1972	4056	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	93
PID 4056 wrote to memory of 1972	4056	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	93
PID 4056 wrote to memory of 3468	4056	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	95
PID 4056 wrote to memory of 3468	4056	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	95
PID 4056 wrote to memory of 3468	4056	NEAS.90cf0f2336e235631a58a3b342f4e690.exe	95
PID 1972 wrote to memory of 2180	1972	fuluv.exe	109
PID 1972 wrote to memory of 2180	1972	fuluv.exe	109
PID 1972 wrote to memory of 2180	1972	fuluv.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.90cf0f2336e235631a58a3b342f4e690.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.90cf0f2336e235631a58a3b342f4e690.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\fuluv.exe
  "C:\Users\Admin\AppData\Local\Temp\fuluv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\guqae.exe
    "C:\Users\Admin\AppData\Local\Temp\guqae.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
7641f4e0aa186c5b4ae4e4254dc4b9cc

SHA1
9efdfe804ab1d947bfcbf6d7a947c12c54e905dc

SHA256
850a41b1967c0c964c8ecff45c33a60a40641ef09073f855ae2291372288029a

SHA512
9ecf832c453cdd3d5f5f1b10c3d3356a0ca4323dd578f7277741ca597ae7d67b7e68d4d8f5a2cbec0c80d867b566fcc23f780024b1caa49368b9d26b3b9974f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuluv.exe

Filesize
488KB

MD5
e97233309fc5eff8ae5e4b0c642903a2

SHA1
7810eb5d2571297138498d3e273ab639e80b5912

SHA256
905df08724c1b1d90d73285fccd9db9949b67a7c87f761198dfba0a887ccf28b

SHA512
223aa1920be5520334aa18b761a2fa1068fa3cdfa7bf2172ed71e809bf4684d689750fa12097c75c31fed8fabb14e47c98112c0058d51bd1970b60971a188c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuluv.exe

Filesize
488KB

MD5
e97233309fc5eff8ae5e4b0c642903a2

SHA1
7810eb5d2571297138498d3e273ab639e80b5912

SHA256
905df08724c1b1d90d73285fccd9db9949b67a7c87f761198dfba0a887ccf28b

SHA512
223aa1920be5520334aa18b761a2fa1068fa3cdfa7bf2172ed71e809bf4684d689750fa12097c75c31fed8fabb14e47c98112c0058d51bd1970b60971a188c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuluv.exe

Filesize
488KB

MD5
e97233309fc5eff8ae5e4b0c642903a2

SHA1
7810eb5d2571297138498d3e273ab639e80b5912

SHA256
905df08724c1b1d90d73285fccd9db9949b67a7c87f761198dfba0a887ccf28b

SHA512
223aa1920be5520334aa18b761a2fa1068fa3cdfa7bf2172ed71e809bf4684d689750fa12097c75c31fed8fabb14e47c98112c0058d51bd1970b60971a188c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a29722aca1af6cea097b709567f44565

SHA1
a1e961e7554c71d8791062e0b29ec85e041a1a83

SHA256
e3e30d9eacfcdb374b44961ac4d52cc9ff16e0745de02c4c816bac9bbfd09027

SHA512
27e58ad4dcb1696db9629fd713844bc9ccdf9a1b17365e3818f8495ed03d2cef88cf373514b483d519fb7e3cba65aff6693e18ae27bb60151dfcd64321fa9ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\guqae.exe

Filesize
242KB

MD5
51dd54797209ecc44fb27ae5f8d80287

SHA1
d483844dda2d4b6c1e981c0b7b183e20c04ee13c

SHA256
a37124d944f4ebb3cd2ec2fac8b75fe64077ab69be0bb92c4c68317a1c2182d1

SHA512
00181ec75a4aa57ca518a1b82284db107b089a391e5c46ad1fbcc983ed4cc0b00bab73f662f7e53e5bbafd47b46897afc1c39c8a8c5256516c6f374361ed8137

Download Submit
C:\Users\Admin\AppData\Local\Temp\guqae.exe

Filesize
242KB

MD5
51dd54797209ecc44fb27ae5f8d80287

SHA1
d483844dda2d4b6c1e981c0b7b183e20c04ee13c

SHA256
a37124d944f4ebb3cd2ec2fac8b75fe64077ab69be0bb92c4c68317a1c2182d1

SHA512
00181ec75a4aa57ca518a1b82284db107b089a391e5c46ad1fbcc983ed4cc0b00bab73f662f7e53e5bbafd47b46897afc1c39c8a8c5256516c6f374361ed8137

Download Submit
C:\Users\Admin\AppData\Local\Temp\guqae.exe

Filesize
242KB

MD5
51dd54797209ecc44fb27ae5f8d80287

SHA1
d483844dda2d4b6c1e981c0b7b183e20c04ee13c

SHA256
a37124d944f4ebb3cd2ec2fac8b75fe64077ab69be0bb92c4c68317a1c2182d1

SHA512
00181ec75a4aa57ca518a1b82284db107b089a391e5c46ad1fbcc983ed4cc0b00bab73f662f7e53e5bbafd47b46897afc1c39c8a8c5256516c6f374361ed8137

Download Submit
memory/1972-10-0x0000000000450000-0x00000000004D2000-memory.dmp

Filesize
520KB

Download
memory/1972-29-0x0000000000450000-0x00000000004D2000-memory.dmp

Filesize
520KB

Download
memory/1972-17-0x0000000000450000-0x00000000004D2000-memory.dmp

Filesize
520KB

Download
memory/2180-31-0x0000000000B70000-0x0000000000C1D000-memory.dmp

Filesize
692KB

Download
memory/2180-27-0x0000000000B70000-0x0000000000C1D000-memory.dmp

Filesize
692KB

Download
memory/2180-30-0x0000000000B70000-0x0000000000C1D000-memory.dmp

Filesize
692KB

Download
memory/2180-28-0x0000000000B70000-0x0000000000C1D000-memory.dmp

Filesize
692KB

Download
memory/2180-26-0x0000000000B70000-0x0000000000C1D000-memory.dmp

Filesize
692KB

Download
memory/2180-33-0x0000000000B70000-0x0000000000C1D000-memory.dmp

Filesize
692KB

Download
memory/2180-34-0x0000000000B70000-0x0000000000C1D000-memory.dmp

Filesize
692KB

Download
memory/2180-35-0x0000000000B70000-0x0000000000C1D000-memory.dmp

Filesize
692KB

Download
memory/2180-36-0x0000000000B70000-0x0000000000C1D000-memory.dmp

Filesize
692KB

Download
memory/2180-37-0x0000000000B70000-0x0000000000C1D000-memory.dmp

Filesize
692KB

Download
memory/4056-14-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/4056-0-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download