urelas | 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
Size

420KB
MD5

3477f317276bf2d4ed1a92ece69b7c18
SHA1

87baec845ee28b294a49dc3368de06c1a63f524f
SHA256

01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5
SHA512

cb5111df85eec1cd0fee5c77ebc5a09cecff07bcef19c22ae0d5abf918b8a835e68fa9faaee5a0e8c93bc38c027ac660d84b37e78a76490630e9ea0474c866cb
SSDEEP

6144:UzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODGY:uU7M5ijWh0XOW4sEfeOn

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000e000000023169-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	hyixj.exe

Executes dropped EXE 2 IoCs

pid	Process
1120	hyixj.exe
2280	nuzyd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe
2280	nuzyd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1120	2680	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	91
PID 2680 wrote to memory of 1120	2680	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	91
PID 2680 wrote to memory of 1120	2680	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	91
PID 2680 wrote to memory of 4892	2680	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	92
PID 2680 wrote to memory of 4892	2680	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	92
PID 2680 wrote to memory of 4892	2680	01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe	92
PID 1120 wrote to memory of 2280	1120	hyixj.exe	111
PID 1120 wrote to memory of 2280	1120	hyixj.exe	111
PID 1120 wrote to memory of 2280	1120	hyixj.exe	111

C:\Users\Admin\AppData\Local\Temp\01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
"C:\Users\Admin\AppData\Local\Temp\01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\hyixj.exe
  "C:\Users\Admin\AppData\Local\Temp\hyixj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\nuzyd.exe
    "C:\Users\Admin\AppData\Local\Temp\nuzyd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
86c780808e3c6d7581e2acdb8b80cee4

SHA1
696e0054037417e2e149dceb1c5d5f162bcde5aa

SHA256
fed1d2ceccbc04813bd3c04ca974b9f9452697e3fd5b09e8500a917430318d89

SHA512
6faf7d56ef2e9b10119e9f4c64d53e001ea6346f925badb3b4d8b993579e828a6b006bd576af486a3f3d9efb1da5eb61903d83900a63a76d201ca087d51c788e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7686350269f1267a3a9c93969ca3e77d

SHA1
802a0aa2e18354280629a4a7e45dd42aa332695c

SHA256
4092f33ecf29a5f111bdfb463367a867ff13d645f555d30144ade7fce5d68135

SHA512
83f814c3c496cb77d1bc200866f5f8c65de7148d9fdd0439dc32ce762408e6aa8b45099821751209ffa0b02d93b6013ad4f21d3fe7524ea45c6ea5985a08d84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyixj.exe

Filesize
420KB

MD5
8c15f1f2e773fb79444a3c4b69bfdf84

SHA1
20e57d114ec600b51141751fd8c89bea76c44bcd

SHA256
50f8c2c7d2523d067ba6eb7d5c00602aa1e806b18787b4ee2d19416d3373d3c5

SHA512
5408087dba8fcade2533aaa99f5e50692e70f96f01c5d39e8dbc265a0e11bd7015768945b6dbdbeb363ca6334ffb0e8037c2f559d59d47cd3cfe3a403c87ca86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuzyd.exe

Filesize
212KB

MD5
1fc66116f69c5a2be2e17bf4a317a7bc

SHA1
4c0645cbb9da70aad5cd9babf9ae654eb64031b1

SHA256
515e2a95cc250c07d94722d4eca37c739914605333f00ac26a943c8ef91d7fb3

SHA512
7b2222e9daad458e40d09d5d52a86406ddc5dad8660ed3dac8d5553fc3e0f4475b08610afedd72ce434cd985060e353eb9c9cd666732dff5d3d5215b1d3eb875

Download Submit
memory/1120-12-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1120-28-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2280-26-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2280-24-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2280-29-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2280-27-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2280-31-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2280-32-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2280-33-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2280-34-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2680-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2680-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download