urelas | 0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 17:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379.exe
Size

417KB
MD5

bbf682ff7366426d6b884a6994100aed
SHA1

9199dde01134ccd3aed358f7ea340624f26caf8e
SHA256

0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379
SHA512

d9fd2eb362ba2f5b15ec32f2926f37f72efd9d6e2f3426d2cb19679f727947d2894de62efaee753a6a222a11ec09dec4a8653093ec9e2e8986bb5bea317d4f06
SSDEEP

6144:TzU7blK2P2iCWhWapKRaRXOkN4Swel6f3IsIZOmox:vU7M1ijWh0XOW4sEf4OT

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00070000000234c8-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	uvnoq.exe

Executes dropped EXE 2 IoCs

pid	Process
1476	uvnoq.exe
1464	ecofg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe
1464	ecofg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1476	4968	0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379.exe	99
PID 4968 wrote to memory of 1476	4968	0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379.exe	99
PID 4968 wrote to memory of 1476	4968	0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379.exe	99
PID 4968 wrote to memory of 1160	4968	0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379.exe	100
PID 4968 wrote to memory of 1160	4968	0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379.exe	100
PID 4968 wrote to memory of 1160	4968	0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379.exe	100
PID 1476 wrote to memory of 1464	1476	uvnoq.exe	116
PID 1476 wrote to memory of 1464	1476	uvnoq.exe	116
PID 1476 wrote to memory of 1464	1476	uvnoq.exe	116

C:\Users\Admin\AppData\Local\Temp\0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379.exe
"C:\Users\Admin\AppData\Local\Temp\0be0aa93bacc5a84150985a3896a2de239b4766b837453b74acbf5c927606379.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\uvnoq.exe
  "C:\Users\Admin\AppData\Local\Temp\uvnoq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\ecofg.exe
    "C:\Users\Admin\AppData\Local\Temp\ecofg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cd8c296243036cd7a25bed23b848bdd4

SHA1
e0359e737f8aa9055869deb47c3816b20e0ae2f4

SHA256
aa8a6ec81fe2a3758481a111d87ba0f1e94106ab063fc124ccea5ea6c7d25dea

SHA512
7aff03c7623783787dce84cc07ae9f7b3e6e4868b47667c141c5038105477980badc04734f6a266a69f7e6ac9df4563298536336a9b76d89ba1dc31c93c2dda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecofg.exe

Filesize
212KB

MD5
d81b356df232152fd61d3a43f257132e

SHA1
257d1e88f8a31db3369ba7d91e06793f33c69791

SHA256
a5f8ee5442b7ee1dec747e25612ab1e295aeab54c8232b21345f4c2b3b0040e6

SHA512
b17e0ae2a1724284f45699cbb7f732baa05973cc0dfcd5af715756214fbcff131e9dee22ae66427150f90a6b77749358914c9f519a1865f7ee137db879260d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6af229edc1e1f5bc53b49414ced4b1d5

SHA1
65660bd74dc230560b810a072720bff33e35b7b2

SHA256
8e696d0be1ed7f193f7d9bf808082d11bf737fbb302d949cb3655f18838cdcd7

SHA512
c0c941406ac6c4321bb4a79601ecedaffa16f47a4af1284b0a4fc949bc9c7404f697a4b37f7e059fb09ed06d65aeefa2b335d959e2593b88e648ffb0c18de883

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvnoq.exe

Filesize
417KB

MD5
885387c7eb7c9706055ce652ff87f9f0

SHA1
3bd60c9c250cc5c54081e3524623dad83ad06c8b

SHA256
c9a8851262b34bf451239467eba3a2718f1374d83979edb563707f8cd9a45e5c

SHA512
f58ea4e01f09bb34e8f0bd306154dd2524644df1ded52303e32898f1cc5549fa5d9991e8b62dffb495ad1913d2f4278c4147df542478b2522f47365fa41afd1a

Download Submit
memory/1464-27-0x0000000000390000-0x0000000000424000-memory.dmp

Filesize
592KB

Download
memory/1464-24-0x0000000000390000-0x0000000000424000-memory.dmp

Filesize
592KB

Download
memory/1464-28-0x0000000000390000-0x0000000000424000-memory.dmp

Filesize
592KB

Download
memory/1464-29-0x0000000000390000-0x0000000000424000-memory.dmp

Filesize
592KB

Download
memory/1464-31-0x0000000000390000-0x0000000000424000-memory.dmp

Filesize
592KB

Download
memory/1464-32-0x0000000000390000-0x0000000000424000-memory.dmp

Filesize
592KB

Download
memory/1464-33-0x0000000000390000-0x0000000000424000-memory.dmp

Filesize
592KB

Download
memory/1464-34-0x0000000000390000-0x0000000000424000-memory.dmp

Filesize
592KB

Download
memory/1464-35-0x0000000000390000-0x0000000000424000-memory.dmp

Filesize
592KB

Download
memory/1476-12-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download
memory/1476-26-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download
memory/4968-14-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download
memory/4968-0-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download