urelas | c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe
Size

342KB
MD5

1e805c0b8a34c6295ec6e7d02c0f0539
SHA1

79ab51cb5f5b2b4141eb1a3ec88ee45aca06d027
SHA256

c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160
SHA512

38a508d1100e91f4845b6933dfc432d4c8ef658da1d2bc817cc7dfb3e4e17c4386fb4685e8a3ffb4cc6a312853b81ee49be8c97e0758ab68aabd445f286dadea
SSDEEP

6144:Nd7rpL43btmQ58Z27zw39gY2FeZhrL8Jt:X7dL4AZ0U9gY2Fhz

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000015d4c-39.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2032	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
320	lyvyr.exe
2144	qydyza.exe
2848	idyrd.exe

Loads dropped DLL 5 IoCs

pid	Process
1304	c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe
1304	c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe
320	lyvyr.exe
320	lyvyr.exe
2144	qydyza.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe
2848	idyrd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 320	1304	c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe	28
PID 1304 wrote to memory of 320	1304	c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe	28
PID 1304 wrote to memory of 320	1304	c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe	28
PID 1304 wrote to memory of 320	1304	c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe	28
PID 1304 wrote to memory of 2032	1304	c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe	29
PID 1304 wrote to memory of 2032	1304	c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe	29
PID 1304 wrote to memory of 2032	1304	c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe	29
PID 1304 wrote to memory of 2032	1304	c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe	29
PID 320 wrote to memory of 2144	320	lyvyr.exe	30
PID 320 wrote to memory of 2144	320	lyvyr.exe	30
PID 320 wrote to memory of 2144	320	lyvyr.exe	30
PID 320 wrote to memory of 2144	320	lyvyr.exe	30
PID 2144 wrote to memory of 2848	2144	qydyza.exe	34
PID 2144 wrote to memory of 2848	2144	qydyza.exe	34
PID 2144 wrote to memory of 2848	2144	qydyza.exe	34
PID 2144 wrote to memory of 2848	2144	qydyza.exe	34
PID 2144 wrote to memory of 2736	2144	qydyza.exe	35
PID 2144 wrote to memory of 2736	2144	qydyza.exe	35
PID 2144 wrote to memory of 2736	2144	qydyza.exe	35
PID 2144 wrote to memory of 2736	2144	qydyza.exe	35

C:\Users\Admin\AppData\Local\Temp\c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe
"C:\Users\Admin\AppData\Local\Temp\c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\lyvyr.exe
  "C:\Users\Admin\AppData\Local\Temp\lyvyr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\qydyza.exe
    "C:\Users\Admin\AppData\Local\Temp\qydyza.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\idyrd.exe
      "C:\Users\Admin\AppData\Local\Temp\idyrd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
88efb93684df5decb9887287f10efdfc

SHA1
5f6460165baa3025e0b89635833a2321d488304b

SHA256
5beaed606060d2addb60e5149591b29de224396bf6d8fddd87b2a9cfcc157b77

SHA512
0e4ab054d0185e237732afa48b59899c1b1a0bc7a288d33c393205689b9ac8cfd16739454d9ec3ad13d413891ce0bc2d5c032182c53f35d9106a3d70b55b3bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
027a29a84bd8e1e28b3cd8324ba729e2

SHA1
11021977494d9e88cc2de079c69a4c5cce2d2faa

SHA256
a4e6b16d3256de16078fa334940ee4bcf0d8ed8668c258ae0a668dbf7679790a

SHA512
3b7a24f353d1a158b63209d100e866e1e6575202ee70c5ac93127634e194c7a6e0899db73afe682884f156c74e5ef9ce04e9fcffbb88513ba1c7115a5cc032ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
78c97daddf5a4cd7621f3648542ee9a3

SHA1
1592819174be89526f5a481b943da11c11a92178

SHA256
883faba25930b7f8874403a5f49955e6a42a9d23c3efd5daac6aed64a51b1551

SHA512
c5ea18cb4f0d627c0cb2a32425c92a4c54ef634ff3a2e4bd383235421cee681279d50b7d36f85d6dd0e9fb7353900798ca3b7912442379d6c0a32c06e0fd35a6

Download Submit
\Users\Admin\AppData\Local\Temp\idyrd.exe

Filesize
136KB

MD5
6443951b6baeac7561d6209c0309e9b1

SHA1
b5c045ef1e4fcc36bfd891abf92d3f80028ecf72

SHA256
e9b54d2fa66f0e2e737682474a259ee3409f4e8275425728e8c654e55ef303e4

SHA512
f1d9772ddc2f1ec858f86023d810260c42ad3b2fbd61460ad545695ac38986a8f0015410f92d676bdfc28792507fce1325e04b0cba9f6d1d6ed5f3cfe8f17e75

Download Submit
\Users\Admin\AppData\Local\Temp\lyvyr.exe

Filesize
342KB

MD5
35cf95e8dbd660b704d314bbe0f6c3f9

SHA1
79dc25f9a099ede86ebd8127f020399d1f3b031e

SHA256
a41c184ad1a7132ee7abdfde4cc3df0b026965cb283a62b10b84db51619453bd

SHA512
97046b806858a5c6694b9a67b752ff5738541151ca270a7532bb1dcc71eb1aeb7363c5f5d8eadcc26b6349b44b4020380dc00b38a76dbcbc8ea0bfd9fdc7ef69

Download Submit
memory/320-32-0x0000000002080000-0x00000000020D8000-memory.dmp

Filesize
352KB

Download
memory/320-31-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1304-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1304-22-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2144-54-0x0000000002CC0000-0x0000000002D4C000-memory.dmp

Filesize
560KB

Download
memory/2144-33-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2144-35-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2144-55-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2848-53-0x0000000001090000-0x000000000111C000-memory.dmp

Filesize
560KB

Download
memory/2848-56-0x0000000001090000-0x000000000111C000-memory.dmp

Filesize
560KB

Download
memory/2848-52-0x0000000001090000-0x000000000111C000-memory.dmp

Filesize
560KB

Download
memory/2848-51-0x0000000001090000-0x000000000111C000-memory.dmp

Filesize
560KB

Download
memory/2848-59-0x0000000001090000-0x000000000111C000-memory.dmp

Filesize
560KB

Download
memory/2848-60-0x0000000001090000-0x000000000111C000-memory.dmp

Filesize
560KB

Download
memory/2848-61-0x0000000001090000-0x000000000111C000-memory.dmp

Filesize
560KB

Download
memory/2848-62-0x0000000001090000-0x000000000111C000-memory.dmp

Filesize
560KB

Download
memory/2848-63-0x0000000001090000-0x000000000111C000-memory.dmp

Filesize
560KB

Download
memory/2848-64-0x0000000001090000-0x000000000111C000-memory.dmp

Filesize
560KB

Download