urelas | 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
Size

420KB
MD5

3477f317276bf2d4ed1a92ece69b7c18
SHA1

87baec845ee28b294a49dc3368de06c1a63f524f
SHA256

01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5
SHA512

cb5111df85eec1cd0fee5c77ebc5a09cecff07bcef19c22ae0d5abf918b8a835e68fa9faaee5a0e8c93bc38c027ac660d84b37e78a76490630e9ea0474c866cb
SSDEEP

6144:UzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODGY:uU7M5ijWh0XOW4sEfeOn

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-26.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
1956	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1212	cisyz.exe
1640	gyrol.exe

Loads dropped DLL 3 IoCs

pid	Process
1724	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
1724	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
1212	cisyz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe
1640	gyrol.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1212	1724	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	28
PID 1724 wrote to memory of 1212	1724	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	28
PID 1724 wrote to memory of 1212	1724	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	28
PID 1724 wrote to memory of 1212	1724	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	28
PID 1724 wrote to memory of 1956	1724	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	29
PID 1724 wrote to memory of 1956	1724	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	29
PID 1724 wrote to memory of 1956	1724	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	29
PID 1724 wrote to memory of 1956	1724	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	29
PID 1212 wrote to memory of 1640	1212	cisyz.exe	33
PID 1212 wrote to memory of 1640	1212	cisyz.exe	33
PID 1212 wrote to memory of 1640	1212	cisyz.exe	33
PID 1212 wrote to memory of 1640	1212	cisyz.exe	33

C:\Users\Admin\AppData\Local\Temp\01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
"C:\Users\Admin\AppData\Local\Temp\01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\cisyz.exe
  "C:\Users\Admin\AppData\Local\Temp\cisyz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\gyrol.exe
    "C:\Users\Admin\AppData\Local\Temp\gyrol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
86c780808e3c6d7581e2acdb8b80cee4

SHA1
696e0054037417e2e149dceb1c5d5f162bcde5aa

SHA256
fed1d2ceccbc04813bd3c04ca974b9f9452697e3fd5b09e8500a917430318d89

SHA512
6faf7d56ef2e9b10119e9f4c64d53e001ea6346f925badb3b4d8b993579e828a6b006bd576af486a3f3d9efb1da5eb61903d83900a63a76d201ca087d51c788e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f8f82dd5433fc21d1d74982e045d46fa

SHA1
15e99e7017cd52fdcb6685845617d1654ee7f34a

SHA256
9f4ab79474754b0c3917940eb76052c52e0b62772b45cfdb7d9924fd80ea78f5

SHA512
2caac6ac9dafdffb9e9c7c675bba7cfb016de50d4441b2dd623449c14f5f2669996bb31977464236c9cbf0c418e248730b9923ffc1c4d53a3dfd411ee01953ab

Download Submit
\Users\Admin\AppData\Local\Temp\cisyz.exe

Filesize
420KB

MD5
ab5df41a26911bfc1881b91b9b036a70

SHA1
9474176271e7dbb6b83a39d86fa2c2434074e49e

SHA256
b54c60bf057b11c5b45dc64993eab191b15e4f9a0a4e64353b29ca1f8c2deb3a

SHA512
6fe66234d214b4cd9ab50a10d25fa743242d62e48af30ddaac8de355973f22ca0a97475a1ef7e2a0322c15477417b45c8478e9108b7855f8f97ac5cdc79cc46e

Download Submit
\Users\Admin\AppData\Local\Temp\gyrol.exe

Filesize
212KB

MD5
5e83e1ea74bbdf4b7c348fa38c04ecac

SHA1
8a3a413a72cc55759702764ed34b348878538aff

SHA256
3c905d9abe0305da5ed4dd21d9187e76b9c313a457f69b1fe30f9889852aff7f

SHA512
a9f643ee293c047af9a3010c8783725d605c54d59b96c0ec3d0af8da35c5ff033b01646b3709a35c7917f309e8ab2ad0a548c7c661661df110537922a2b97b7e

Download Submit
memory/1212-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1212-30-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1212-29-0x0000000003060000-0x00000000030F4000-memory.dmp

Filesize
592KB

Download
memory/1640-34-0x0000000000C20000-0x0000000000CB4000-memory.dmp

Filesize
592KB

Download
memory/1640-33-0x0000000000C20000-0x0000000000CB4000-memory.dmp

Filesize
592KB

Download
memory/1640-35-0x0000000000C20000-0x0000000000CB4000-memory.dmp

Filesize
592KB

Download
memory/1640-37-0x0000000000C20000-0x0000000000CB4000-memory.dmp

Filesize
592KB

Download
memory/1640-38-0x0000000000C20000-0x0000000000CB4000-memory.dmp

Filesize
592KB

Download
memory/1640-39-0x0000000000C20000-0x0000000000CB4000-memory.dmp

Filesize
592KB

Download
memory/1640-40-0x0000000000C20000-0x0000000000CB4000-memory.dmp

Filesize
592KB

Download
memory/1640-41-0x0000000000C20000-0x0000000000CB4000-memory.dmp

Filesize
592KB

Download
memory/1724-12-0x00000000029E0000-0x0000000002A45000-memory.dmp

Filesize
404KB

Download
memory/1724-20-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1724-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download