urelas | 109e35b327c59a354b2611bfc2cdfb889b2644cca2b396332f11965286979ef2

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 13:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b0b4d7237d84ac0554025d3783738490_JC.exe
Size

335KB
MD5

b0b4d7237d84ac0554025d3783738490
SHA1

a7c022f047afe8ca3d415934632a39432cad298a
SHA256

109e35b327c59a354b2611bfc2cdfb889b2644cca2b396332f11965286979ef2
SHA512

a2040ae495d8a51120baeaf981fba99d36fbc3d9aa20375b3b8b18bc5ff84e68c3c46ffd1fe968f1bdf2894a9020e6490532191a35837619754fda4531f0e638
SSDEEP

6144:fn+6ZMDkaGyzBQjBzahZKeKxQ/ynQmvrVn1VZlEE9VX4fzi4ZooQ:PMDkaTBcUhZVKmqvTVrZl1VomB

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000022e4f-9.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e4f-15.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e4f-11.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.b0b4d7237d84ac0554025d3783738490_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	bapea.exe

Executes dropped EXE 2 IoCs

pid	Process
4696	bapea.exe
1944	ejxuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe
1944	ejxuk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 4696	724	NEAS.b0b4d7237d84ac0554025d3783738490_JC.exe	92
PID 724 wrote to memory of 4696	724	NEAS.b0b4d7237d84ac0554025d3783738490_JC.exe	92
PID 724 wrote to memory of 4696	724	NEAS.b0b4d7237d84ac0554025d3783738490_JC.exe	92
PID 724 wrote to memory of 1364	724	NEAS.b0b4d7237d84ac0554025d3783738490_JC.exe	93
PID 724 wrote to memory of 1364	724	NEAS.b0b4d7237d84ac0554025d3783738490_JC.exe	93
PID 724 wrote to memory of 1364	724	NEAS.b0b4d7237d84ac0554025d3783738490_JC.exe	93
PID 4696 wrote to memory of 1944	4696	bapea.exe	105
PID 4696 wrote to memory of 1944	4696	bapea.exe	105
PID 4696 wrote to memory of 1944	4696	bapea.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.b0b4d7237d84ac0554025d3783738490_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b0b4d7237d84ac0554025d3783738490_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:724
- C:\Users\Admin\AppData\Local\Temp\bapea.exe
  "C:\Users\Admin\AppData\Local\Temp\bapea.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\ejxuk.exe
    "C:\Users\Admin\AppData\Local\Temp\ejxuk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
292B

MD5
2838dbd6ed962e074e589e86cbc00083

SHA1
8d9221e50509b4d168629ee1c866d11df319de5b

SHA256
c489bfffb0acacb44155b96b49ecc1dd3ff70409a0ee240588b77cfc29d90e67

SHA512
5a8cb67e4ab0bd208135cfc14cff9af04cd8d9641abc6199de07e30b45669b6dc50a40d2a8881015db559ca8ac980f2845a42fd6203aacf5488ea1e31ff247e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bapea.exe

Filesize
335KB

MD5
f37b34aab2395ee919359400cd7d4255

SHA1
cb3789d96c147088023e5f4c3cf75fe39b30e434

SHA256
6a725d0d61241b536db0b1297dd27aeb5fce7c24c2545faf0d322e82e7bde253

SHA512
c6a4f2708b670dd4c902b2ac549dde05c60fd5e1e9db741a67f5c898c1eb75a2aeadef1310e054407a9395c28a714d71b3c8317a2072d4af4a441ad05945fcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bapea.exe

Filesize
335KB

MD5
f37b34aab2395ee919359400cd7d4255

SHA1
cb3789d96c147088023e5f4c3cf75fe39b30e434

SHA256
6a725d0d61241b536db0b1297dd27aeb5fce7c24c2545faf0d322e82e7bde253

SHA512
c6a4f2708b670dd4c902b2ac549dde05c60fd5e1e9db741a67f5c898c1eb75a2aeadef1310e054407a9395c28a714d71b3c8317a2072d4af4a441ad05945fcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bapea.exe

Filesize
335KB

MD5
f37b34aab2395ee919359400cd7d4255

SHA1
cb3789d96c147088023e5f4c3cf75fe39b30e434

SHA256
6a725d0d61241b536db0b1297dd27aeb5fce7c24c2545faf0d322e82e7bde253

SHA512
c6a4f2708b670dd4c902b2ac549dde05c60fd5e1e9db741a67f5c898c1eb75a2aeadef1310e054407a9395c28a714d71b3c8317a2072d4af4a441ad05945fcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejxuk.exe

Filesize
179KB

MD5
9e436ac1ac7cb1729970f557837f36f0

SHA1
25335ac7f4d2968b068075075d972f6bf9f3a061

SHA256
46ee49eb185fa062589565a2fce807596088136cc593df2e6b4de3f19154c262

SHA512
717e235dc3314660a9f9cc5e70406783c4e8d4b7eb4185ca1ee45b167424d473d58789e9914f1627c4c57a073154dc63f8c710e341fe5d46e9c1e74df83db57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejxuk.exe

Filesize
179KB

MD5
9e436ac1ac7cb1729970f557837f36f0

SHA1
25335ac7f4d2968b068075075d972f6bf9f3a061

SHA256
46ee49eb185fa062589565a2fce807596088136cc593df2e6b4de3f19154c262

SHA512
717e235dc3314660a9f9cc5e70406783c4e8d4b7eb4185ca1ee45b167424d473d58789e9914f1627c4c57a073154dc63f8c710e341fe5d46e9c1e74df83db57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejxuk.exe

Filesize
179KB

MD5
9e436ac1ac7cb1729970f557837f36f0

SHA1
25335ac7f4d2968b068075075d972f6bf9f3a061

SHA256
46ee49eb185fa062589565a2fce807596088136cc593df2e6b4de3f19154c262

SHA512
717e235dc3314660a9f9cc5e70406783c4e8d4b7eb4185ca1ee45b167424d473d58789e9914f1627c4c57a073154dc63f8c710e341fe5d46e9c1e74df83db57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
db9c84748b8fa1c8390456847780c752

SHA1
c9ae4533bf3377fef29b9f253982abc3f80478e7

SHA256
d52c004b4405daf07d839a62a06ce9428a22f62ede0203ce8927a6d037157b9e

SHA512
b550858f9434ec0b18f66d81f5d85da2f65637bfc654c40047cf79940497634f06cb37c8142a576daf9bed14279a87fafb523402d959caaec4190e72b110151a

Download Submit
memory/724-2-0x0000000000C40000-0x0000000000CC6000-memory.dmp

Filesize
536KB

Download
memory/724-17-0x0000000000C40000-0x0000000000CC6000-memory.dmp

Filesize
536KB

Download
memory/724-3-0x0000000000C40000-0x0000000000CC6000-memory.dmp

Filesize
536KB

Download
memory/724-1-0x0000000000C40000-0x0000000000CC6000-memory.dmp

Filesize
536KB

Download
memory/724-0-0x0000000000C40000-0x0000000000CC6000-memory.dmp

Filesize
536KB

Download
memory/1944-47-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1944-46-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1944-43-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1944-48-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1944-45-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1944-44-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1944-39-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4696-19-0x0000000000D80000-0x0000000000E06000-memory.dmp

Filesize
536KB

Download
memory/4696-23-0x0000000000D80000-0x0000000000E06000-memory.dmp

Filesize
536KB

Download
memory/4696-40-0x0000000000D80000-0x0000000000E06000-memory.dmp

Filesize
536KB

Download
memory/4696-20-0x0000000000D80000-0x0000000000E06000-memory.dmp

Filesize
536KB

Download
memory/4696-18-0x0000000000D80000-0x0000000000E06000-memory.dmp

Filesize
536KB

Download
memory/4696-13-0x0000000000D80000-0x0000000000E06000-memory.dmp

Filesize
536KB

Download