urelas | 30bc6aac70c297dbc3f99cc8330d5cf5e0e67a71f87ed2342279501dae62a69a

General

Target

3eb1e68377fb22d4b531be21ecda0f45.exe
Size

457KB
MD5

3eb1e68377fb22d4b531be21ecda0f45
SHA1

f2063ab713fb85b60db9bd9a756935ce1b1db294
SHA256

30bc6aac70c297dbc3f99cc8330d5cf5e0e67a71f87ed2342279501dae62a69a
SHA512

37d3c1aaac772a1f2e1811aebcd558681b41b2b21f5eb37a1a1f15cf8a132772a4d6d5ba13d4fc87f5f7f577afa3f2ec9342bb838318cfc7bcfdc73e4e3bf5ef
SSDEEP

6144:r/VW8rQ+dqof6VcVttGhZsXtvmqoI+CNLOnmIbCM2dWwh3gNUie2Jy+5vmSZGpq:ZtaQt+ZsFeI+CSZbyKLe2JPFl

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00030000000006e3-25.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	3eb1e68377fb22d4b531be21ecda0f45.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cexyw.exe

Executes dropped EXE 2 IoCs

pid	Process
4208	cexyw.exe
4956	jyqoj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe
4956	jyqoj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4208	4616	3eb1e68377fb22d4b531be21ecda0f45.exe	98
PID 4616 wrote to memory of 4208	4616	3eb1e68377fb22d4b531be21ecda0f45.exe	98
PID 4616 wrote to memory of 4208	4616	3eb1e68377fb22d4b531be21ecda0f45.exe	98
PID 4616 wrote to memory of 1136	4616	3eb1e68377fb22d4b531be21ecda0f45.exe	99
PID 4616 wrote to memory of 1136	4616	3eb1e68377fb22d4b531be21ecda0f45.exe	99
PID 4616 wrote to memory of 1136	4616	3eb1e68377fb22d4b531be21ecda0f45.exe	99
PID 4208 wrote to memory of 4956	4208	cexyw.exe	108
PID 4208 wrote to memory of 4956	4208	cexyw.exe	108
PID 4208 wrote to memory of 4956	4208	cexyw.exe	108

C:\Users\Admin\AppData\Local\Temp\3eb1e68377fb22d4b531be21ecda0f45.exe
"C:\Users\Admin\AppData\Local\Temp\3eb1e68377fb22d4b531be21ecda0f45.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\cexyw.exe
  "C:\Users\Admin\AppData\Local\Temp\cexyw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\jyqoj.exe
    "C:\Users\Admin\AppData\Local\Temp\jyqoj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
d49099acd1ed0db38ac6cf0c46ccfce1

SHA1
58b34997d264cf0f99380aa9e91378edac2f9591

SHA256
08ae40514aa786730727bfec5ebb3e0ce069ede167548ca045fb80cf1c404b6d

SHA512
39b957d124b43f87fd247f572679be53ee07029740b4e62c536edb7109117ac37c0e0cd88d48a26d8431b77505aad5e4a8836a538d732558c7b9eeb4763c3c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\cexyw.exe

Filesize
457KB

MD5
f8286c8597b10ded0fd5a5ca70662c45

SHA1
5f2b901be3387b498d655164fd019481dbca737b

SHA256
a7163b32f2dcc621dc52977c5e82339c744861f534387bb0a1c5b63d8140db3e

SHA512
5b50185ddf04cb20ba4ea41b90d0309837ba606f33601842ea501c8db3f17e903ccf68fd4f4bb9360ac04e587b74e4149a27b5131d779d6573625543a5063f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a4a33c505bacc9775b9880179e1ac7c5

SHA1
bf28fd5e2c766051fcade8a14058e9ad694e8cea

SHA256
f714e8f9f7332b89643bafca9451df36eca4c192218e58d482d04984329011b5

SHA512
f5cab973c0cee226de5666f082b73672ccb483ff7c797c12baec293ac1c0057e34b41fdd25d840e5b92b9dc9e31dbfe49ee9a0ee36f205b22abf4cc70be29e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyqoj.exe

Filesize
225KB

MD5
abbd74c644668fb7abe7249d1027b628

SHA1
deb6e524277f2920cf21f1ef7c6b9531f2dc3557

SHA256
82d2d667f224e1b83c226a7cf3cf9710cfda3b98aa89f1a632771d907b37fa0b

SHA512
eccdbd7196e978e26e157dc4aab3a37bfd03117ce6d13d2244a9d096174388d649ebdd4f5d0ed0794068da7a4407ea71f9b80c4160e44462dd78c19a63683527

Download Submit
memory/4208-31-0x00000000001F0000-0x0000000000270000-memory.dmp

Filesize
512KB

Download
memory/4208-15-0x00000000001F0000-0x0000000000270000-memory.dmp

Filesize
512KB

Download
memory/4208-20-0x00000000001F0000-0x0000000000270000-memory.dmp

Filesize
512KB

Download
memory/4616-17-0x00000000006E0000-0x0000000000760000-memory.dmp

Filesize
512KB

Download
memory/4616-1-0x00000000006E0000-0x0000000000760000-memory.dmp

Filesize
512KB

Download
memory/4616-4-0x00000000006E0000-0x0000000000760000-memory.dmp

Filesize
512KB

Download
memory/4616-0-0x00000000006E0000-0x0000000000760000-memory.dmp

Filesize
512KB

Download
memory/4956-30-0x00000000002A0000-0x000000000033E000-memory.dmp

Filesize
632KB

Download
memory/4956-32-0x00000000002A0000-0x000000000033E000-memory.dmp

Filesize
632KB

Download
memory/4956-29-0x00000000002A0000-0x000000000033E000-memory.dmp

Filesize
632KB

Download
memory/4956-33-0x00000000002A0000-0x000000000033E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing