urelas | 78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe
Size

417KB
MD5

eafa2454b57dc341ad9acfbd60f6876c
SHA1

768d91ec07f7a4e636e7df1c5174f280d61f0d62
SHA256

78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af
SHA512

e5315102e22a37a44f68b6f3a904352837947567003170321133eef7d3f798825c5d1fa5246358143224e34fb476e2321e84e1331850325a65fea4c761468967
SSDEEP

6144:TzU7blK2P2iCWhWapKRaRXOkN4Swel6f3IsIZOmop:vU7M1ijWh0XOW4sEf4O3

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000f00000000f680-26.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2032	juvyh.exe
1676	zubas.exe

Loads dropped DLL 3 IoCs

pid	Process
1704	78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe
1704	78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe
2032	juvyh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe
1676	zubas.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2032	1704	78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe	28
PID 1704 wrote to memory of 2032	1704	78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe	28
PID 1704 wrote to memory of 2032	1704	78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe	28
PID 1704 wrote to memory of 2032	1704	78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe	28
PID 1704 wrote to memory of 2652	1704	78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe	29
PID 1704 wrote to memory of 2652	1704	78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe	29
PID 1704 wrote to memory of 2652	1704	78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe	29
PID 1704 wrote to memory of 2652	1704	78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe	29
PID 2032 wrote to memory of 1676	2032	juvyh.exe	33
PID 2032 wrote to memory of 1676	2032	juvyh.exe	33
PID 2032 wrote to memory of 1676	2032	juvyh.exe	33
PID 2032 wrote to memory of 1676	2032	juvyh.exe	33

C:\Users\Admin\AppData\Local\Temp\78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe
"C:\Users\Admin\AppData\Local\Temp\78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\juvyh.exe
  "C:\Users\Admin\AppData\Local\Temp\juvyh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\zubas.exe
    "C:\Users\Admin\AppData\Local\Temp\zubas.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
712af6a6df3dd1cf43c3f568523adcc2

SHA1
1a0d9f81191f657061eefa6289d71ce1cd9bc5f7

SHA256
e9e386a7fab1b0a2bbb5fc81842f8d536950710be0deab1c211b8b38db0ae57a

SHA512
b31d7d52b375f8fec6ddd9a23ad66a9636394fc34e59e74e2c036ff4f31972da3e10be85f008e042179e836973abb447547eddbdc3557d62aed5dd69a36ad13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3003a82fd2dee1b68b04fecbd5289fb3

SHA1
491c8f4ee465af42e022e367b45d4acf352aa2a9

SHA256
0edb6dd13c0afee4dab9e692b8ad2d635683024ba28482e339e19738e29df6f9

SHA512
cfc44d27cfe17cc406553c410a53f1a5b8c476980960dc82c981b007b2f64a0561bdcb19ebeeb5d83dd91f0be6bf61c186abf6f1934eb9315f741d77e252fa16

Download Submit
\Users\Admin\AppData\Local\Temp\juvyh.exe

Filesize
417KB

MD5
b92c0fe89df3e0ca21341aa28653d9d7

SHA1
8fdcc89ed0134e50a71a0f1ae1e76b2e1ab382d8

SHA256
a3464775aa85cef4b2fd02302120236237aa0c521cb33f1b50f5b9a293cbfd53

SHA512
cb2cd0f24ec9c66d2ca7260548ca99e12fea170ccecf7d6778edf41872f881c650b4fb1ce8b4e790ae3a7863e95239403963f056fa5123a36eadb8b296bef6db

Download Submit
\Users\Admin\AppData\Local\Temp\zubas.exe

Filesize
212KB

MD5
0d4d35f67ae932464f61a92f8d77b67a

SHA1
3ba3244ab9548252baaf62ea599e1fd4cf6e46e5

SHA256
d86cc40408f1c1c32c238aee78672befca4bb3db3864f01f33b857e8fd090e1c

SHA512
7f6e1d184f51f8c72008a3ca81fb5422cf0442d5d1b6e38f21cb8c564c261893ccb1687754c2066f1eba762c9edb9ce7b7b261d2e4e8fd97b0a667edb8c8f9fd

Download Submit
memory/1676-40-0x0000000000A40000-0x0000000000AD4000-memory.dmp

Filesize
592KB

Download
memory/1676-41-0x0000000000A40000-0x0000000000AD4000-memory.dmp

Filesize
592KB

Download
memory/1676-39-0x0000000000A40000-0x0000000000AD4000-memory.dmp

Filesize
592KB

Download
memory/1676-35-0x0000000000A40000-0x0000000000AD4000-memory.dmp

Filesize
592KB

Download
memory/1676-34-0x0000000000A40000-0x0000000000AD4000-memory.dmp

Filesize
592KB

Download
memory/1676-33-0x0000000000A40000-0x0000000000AD4000-memory.dmp

Filesize
592KB

Download
memory/1676-37-0x0000000000A40000-0x0000000000AD4000-memory.dmp

Filesize
592KB

Download
memory/1676-38-0x0000000000A40000-0x0000000000AD4000-memory.dmp

Filesize
592KB

Download
memory/1704-19-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download
memory/1704-0-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download
memory/1704-11-0x0000000002700000-0x0000000002766000-memory.dmp

Filesize
408KB

Download
memory/2032-21-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download
memory/2032-30-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download
memory/2032-28-0x0000000003710000-0x00000000037A4000-memory.dmp

Filesize
592KB

Download