urelas | 0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe
Size

420KB
MD5

0a2740f8770c5b39eaddf1de5f72305c
SHA1

4d79fae3129e777edb0423e2162a43cd50452fc6
SHA256

0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf
SHA512

8375940eba553d11e4725d2ba2d7e929c0208a16c413b71cd026898ee9eaaa30635cbbebf3a49d598348f4f257fc75a1cb18990b282cdbdabb2ee84e3ea9a7b8
SSDEEP

6144:UzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODGa:uU7M5ijWh0XOW4sEfeOj

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-26.dat	aspack_v212_v242
behavioral1/files/0x0004000000004ed7-29.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2916	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2888	legoo.exe
1980	rocod.exe

Loads dropped DLL 3 IoCs

pid	Process
2064	0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe
2064	0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe
2888	legoo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe
1980	rocod.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2888	2064	0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe	28
PID 2064 wrote to memory of 2888	2064	0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe	28
PID 2064 wrote to memory of 2888	2064	0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe	28
PID 2064 wrote to memory of 2888	2064	0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe	28
PID 2064 wrote to memory of 2916	2064	0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe	29
PID 2064 wrote to memory of 2916	2064	0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe	29
PID 2064 wrote to memory of 2916	2064	0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe	29
PID 2064 wrote to memory of 2916	2064	0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe	29
PID 2888 wrote to memory of 1980	2888	legoo.exe	33
PID 2888 wrote to memory of 1980	2888	legoo.exe	33
PID 2888 wrote to memory of 1980	2888	legoo.exe	33
PID 2888 wrote to memory of 1980	2888	legoo.exe	33

C:\Users\Admin\AppData\Local\Temp\0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe
"C:\Users\Admin\AppData\Local\Temp\0830f9852bb1d63ab5a7fad0a824cbdf24273351cbac12be1568b3d9e1ee4fcf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\legoo.exe
  "C:\Users\Admin\AppData\Local\Temp\legoo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\rocod.exe
    "C:\Users\Admin\AppData\Local\Temp\rocod.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
478650ee80c3972e2f1bcc90d6cd89e7

SHA1
02b3d0e82ea7fc6fec7fe494649930497863e904

SHA256
68957b007f3f7b975f3ff063e9be76a49facd3acfc344b5a9e9e4583c9add9bc

SHA512
a67cf84b115bb80b747c68a9452742bef0c61b3b5d5cbe484976878e449d3145024994e67e4bdfe0ecaf4ad2d6726438a8810ad3dfd65f47e30e025dff189b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bd00d68c6c8d0575164e6e2384d7ae02

SHA1
a5859be93e250ae6ea78723a0fdaf2fbf3a3e551

SHA256
6dc22afee35eb079de6f7f756c6f3ad0559a9ce056bdfa8800e0bee3052f6839

SHA512
ede9ee8bca7d8eaba92fcea459d79fc71d7f3b517f1b3f9246a14490c4463f585b099baa6e2fd3aae8c9d40f30ec268105a5af8817f6f47c63ccd511f3563aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\rocod.exe

Filesize
192KB

MD5
d16d0715e81cfcfe0cdcbbf7f621064d

SHA1
336dd07ab3bafad8e30957c85d9a2536bdd40a8c

SHA256
f6b88502cb21b5ec8aef7f6d13a6788d629d0012b93e4d91f94d567442946bfa

SHA512
9040fcbe22dcd48ca7c673f258e210108b28ac99ae8dc37b87a57bf03f106c5f46a733688ec86b48d240d58ef25da070622aef8de24f7b7761cffc381948e323

Download Submit
\Users\Admin\AppData\Local\Temp\legoo.exe

Filesize
420KB

MD5
37821c122a8efe7e9bb9234e4e5568b8

SHA1
83e64f5d04523488c64da52486bb5eff1a382974

SHA256
a2ee99da90fc1ce043b73bb22ea6fff39944df3cb540e1ac434dd2da3ec4d455

SHA512
bec718583a61b883cb1b614386cf2f9e734b0dee6ae1dc8b28040fa39c60fd198ee80e330cc9835f9c5fc65bfcac4bbf45d5bc8c2f1b597d7b3491f1401fd453

Download Submit
\Users\Admin\AppData\Local\Temp\rocod.exe

Filesize
212KB

MD5
a02df947123009ddf13ee4a9e6302704

SHA1
e92def64f08eecd262364f62d8f415e9ec8e82f1

SHA256
c08582c367254fbf6fa08924a8c9781a8a6729049bd882134fc48abc818029e3

SHA512
5d35cc033353cc0b363a16a13037befeeb2ad45be865c0454ce8c0fa39797efcb51f66fa723ea14d60fa9281f654f643d5d24e46f8078a7e4cb6a3bca57ee14c

Download Submit
memory/1980-41-0x0000000000880000-0x0000000000914000-memory.dmp

Filesize
592KB

Download
memory/1980-39-0x0000000000880000-0x0000000000914000-memory.dmp

Filesize
592KB

Download
memory/1980-40-0x0000000000880000-0x0000000000914000-memory.dmp

Filesize
592KB

Download
memory/1980-38-0x0000000000880000-0x0000000000914000-memory.dmp

Filesize
592KB

Download
memory/1980-31-0x0000000000880000-0x0000000000914000-memory.dmp

Filesize
592KB

Download
memory/1980-37-0x0000000000880000-0x0000000000914000-memory.dmp

Filesize
592KB

Download
memory/1980-35-0x0000000000880000-0x0000000000914000-memory.dmp

Filesize
592KB

Download
memory/1980-34-0x0000000000880000-0x0000000000914000-memory.dmp

Filesize
592KB

Download
memory/2064-19-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2064-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2064-11-0x00000000029D0000-0x0000000002A35000-memory.dmp

Filesize
404KB

Download
memory/2888-32-0x0000000003A90000-0x0000000003B24000-memory.dmp

Filesize
592KB

Download
memory/2888-30-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2888-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download