urelas | c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2024, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe
Size

422KB
MD5

e41a7d87cf5e5af616c4d7f9413d26f0
SHA1

6bf09e6e60b144977d346439cf215c4bea40b510
SHA256

c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c
SHA512

21b5864632119ae429484b9e7fa3ba75fc0d4354fe99b404118d7a7f0ff5379664299b729d27de7edd35334604e3bfa1e2c97eec8303c0a05b2c6a43dff6d8fc
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYqI:eU7M5ijWh0XOW4sEfeObI

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023483-20.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	becoc.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	becoc.exe
3712	zuulr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe
3712	zuulr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2896	2092	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	93
PID 2092 wrote to memory of 2896	2092	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	93
PID 2092 wrote to memory of 2896	2092	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	93
PID 2092 wrote to memory of 4960	2092	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	94
PID 2092 wrote to memory of 4960	2092	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	94
PID 2092 wrote to memory of 4960	2092	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	94
PID 2896 wrote to memory of 3712	2896	becoc.exe	108
PID 2896 wrote to memory of 3712	2896	becoc.exe	108
PID 2896 wrote to memory of 3712	2896	becoc.exe	108

C:\Users\Admin\AppData\Local\Temp\c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe
"C:\Users\Admin\AppData\Local\Temp\c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\becoc.exe
  "C:\Users\Admin\AppData\Local\Temp\becoc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\zuulr.exe
    "C:\Users\Admin\AppData\Local\Temp\zuulr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
0b10cd83fd8a55a75fe654db12d752ce

SHA1
0e4f27159346b32adb6e64b18f4128cca9dd9a17

SHA256
71d35ffeb3d91026463f07dfad70192e2601d70d9028f45daf3e4e9113063dab

SHA512
623b5b07298e0393125fd5fd7bf54eae05c756a72a895a0b7d537075116bd92287ff0f5e6367679feba83b1677375c5aaa16817f85e37303f37fb348b914b4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\becoc.exe

Filesize
422KB

MD5
bc1f8061e8761d79829a295bfbea3aa7

SHA1
49c2408d1073630a7420434c5d2f2f88c272569f

SHA256
fb03915d7998b8418d57c1da131a487ae0ab7927f3b13fda832eba9a2e601699

SHA512
89a4d543cd9e60b33e1ef95c7cc67e76f1074c0ecdcc7965eb5711c08d02231c6255603d84de15b7723e99c9a4ce6b335e9d4adc5a0a424a1666a8bd3aff55b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
17852201fed2d158d3d6c5ebfa32e07e

SHA1
96736d4dc0c23aba9241779f727e0638f0a2537e

SHA256
ca81ca71f65a2c2ad20f55d2536f801e182da3c7c82ad5674fd977a0172457b6

SHA512
f0e5e8cff0efa18cd8404183b859f1d777064cfb67129ec5caebbe961e3e9cabe07f5d32cab47c34574363a4225e9f03d24bc96bb2a540843bed03d93240500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuulr.exe

Filesize
212KB

MD5
bcc871995d26e8c5865403888079fc9c

SHA1
a90cf9fcbb2991368f4d760073187e6c61b3f6ee

SHA256
a6d135ac0dd571238fdfac7f12146a18262bb4af8fb1d5962c8ddeeda9c9354e

SHA512
16dd8e33e81b74b0aa9741cb2aaece973361c42f1b4ca70239317ab1b24643b7db66f0f88825bc5eb93014d5cd71431be0212db3939ca46a4bee54bd61b1a171

Download Submit
memory/2092-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2092-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2896-24-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3712-26-0x0000000000BA0000-0x0000000000C34000-memory.dmp

Filesize
592KB

Download
memory/3712-27-0x0000000000BA0000-0x0000000000C34000-memory.dmp

Filesize
592KB

Download
memory/3712-28-0x0000000000BA0000-0x0000000000C34000-memory.dmp

Filesize
592KB

Download
memory/3712-30-0x0000000000BA0000-0x0000000000C34000-memory.dmp

Filesize
592KB

Download
memory/3712-31-0x0000000000BA0000-0x0000000000C34000-memory.dmp

Filesize
592KB

Download
memory/3712-32-0x0000000000BA0000-0x0000000000C34000-memory.dmp

Filesize
592KB

Download
memory/3712-33-0x0000000000BA0000-0x0000000000C34000-memory.dmp

Filesize
592KB

Download
memory/3712-34-0x0000000000BA0000-0x0000000000C34000-memory.dmp

Filesize
592KB

Download