urelas | 43d080a43009395ba1e85c202bf12804fc5ab128e79cfeeab7f359a1235a303f

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5363b7cc15bc76f5097a2836e8c8bc0c.exe
Size

412KB
MD5

5363b7cc15bc76f5097a2836e8c8bc0c
SHA1

61a82c0b1cb95e875ab06ee7a4dc08098f204a8d
SHA256

43d080a43009395ba1e85c202bf12804fc5ab128e79cfeeab7f359a1235a303f
SHA512

215235b086985dc420353ddb9a23407acd111851b05cfcd63ad7a80c15f1e6a78792fe010b11ff336b3ac2d4f87b4ae2bc132f6a20be926b4232a2f34b7b5535
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODgs:oU7M5ijWh0XOW4sEfeO8s

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000f00000000f680-26.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2464	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1064	ceboi.exe
1488	soxod.exe

Loads dropped DLL 3 IoCs

pid	Process
2696	5363b7cc15bc76f5097a2836e8c8bc0c.exe
2696	5363b7cc15bc76f5097a2836e8c8bc0c.exe
1064	ceboi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe
1488	soxod.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1064	2696	5363b7cc15bc76f5097a2836e8c8bc0c.exe	28
PID 2696 wrote to memory of 1064	2696	5363b7cc15bc76f5097a2836e8c8bc0c.exe	28
PID 2696 wrote to memory of 1064	2696	5363b7cc15bc76f5097a2836e8c8bc0c.exe	28
PID 2696 wrote to memory of 1064	2696	5363b7cc15bc76f5097a2836e8c8bc0c.exe	28
PID 2696 wrote to memory of 2464	2696	5363b7cc15bc76f5097a2836e8c8bc0c.exe	29
PID 2696 wrote to memory of 2464	2696	5363b7cc15bc76f5097a2836e8c8bc0c.exe	29
PID 2696 wrote to memory of 2464	2696	5363b7cc15bc76f5097a2836e8c8bc0c.exe	29
PID 2696 wrote to memory of 2464	2696	5363b7cc15bc76f5097a2836e8c8bc0c.exe	29
PID 1064 wrote to memory of 1488	1064	ceboi.exe	33
PID 1064 wrote to memory of 1488	1064	ceboi.exe	33
PID 1064 wrote to memory of 1488	1064	ceboi.exe	33
PID 1064 wrote to memory of 1488	1064	ceboi.exe	33

C:\Users\Admin\AppData\Local\Temp\5363b7cc15bc76f5097a2836e8c8bc0c.exe
"C:\Users\Admin\AppData\Local\Temp\5363b7cc15bc76f5097a2836e8c8bc0c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\ceboi.exe
  "C:\Users\Admin\AppData\Local\Temp\ceboi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\soxod.exe
    "C:\Users\Admin\AppData\Local\Temp\soxod.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
5c8c644dd14b15c274f17148997925a7

SHA1
2c98525c3cf577985df0bbcbfe1e6755564a3846

SHA256
a271df78c3e50b046fa7f9ead16c52238584282385052018c6348bc0a4b61588

SHA512
83e2a976b1fb5b99dc130661a45d83506ea58d94ee1d07a027b904f8f3955078815dbbb1102a910261a5960f9b00193f7e317e73b5f335c68d2dba1fd8b374da

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
961dbfb970de5a32fdbf660a8a1d53c3

SHA1
cea2e841f68b49296149b2def0d842b56f691f51

SHA256
141a0458869e26148868cf8a1cc30d383fe0cae886e60997885a40e40ef22622

SHA512
10390766a5fbd37479072aee5d758e24ef79ec4ffcf7016dc0608fe584e3d5540f946edec3402e27b44d1075aea4ef906583fb07ce7bda075485c65fb1d3ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\ceboi.exe

Filesize
412KB

MD5
aab040fc7f94910bdedac0e63880e3cb

SHA1
d76ca4e805df0b47bc37aaaf91f00d2b1085ecf4

SHA256
8eb647e6b6394ad640c8059b58ae8a556642540e9a709e391b69ae79d617e8dd

SHA512
88cde7a63646dec4f536c2dcb6dcb24b1579fca65c520834a60bea7a0391a5c98f9e89bcf723f8ab6e0889309e4eb736b61b1a6385f0582799fe8ff18877c168

Download Submit
\Users\Admin\AppData\Local\Temp\soxod.exe

Filesize
212KB

MD5
b38a83c06f16944e91054345c183fdf9

SHA1
ee22941ea082f30cb2fdbb1022a5ddeb2fe3df07

SHA256
8f443823e1a4ad6a9ccffb7e2e5e391ae665b5231d391c0ba4ba2a777c3c7adf

SHA512
7b575e1fb450cf192b877ec9dc20ad7f7c79c91edb4b08e8127aa96971aaba20cb39ce5508946fa922dd2441165addfa99df776df11d1db189d1b246e30b81d6

Download Submit
memory/1064-29-0x0000000003220000-0x00000000032B4000-memory.dmp

Filesize
592KB

Download
memory/1064-30-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1064-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1488-35-0x0000000000E70000-0x0000000000F04000-memory.dmp

Filesize
592KB

Download
memory/1488-34-0x0000000000E70000-0x0000000000F04000-memory.dmp

Filesize
592KB

Download
memory/1488-33-0x0000000000E70000-0x0000000000F04000-memory.dmp

Filesize
592KB

Download
memory/1488-37-0x0000000000E70000-0x0000000000F04000-memory.dmp

Filesize
592KB

Download
memory/1488-38-0x0000000000E70000-0x0000000000F04000-memory.dmp

Filesize
592KB

Download
memory/1488-39-0x0000000000E70000-0x0000000000F04000-memory.dmp

Filesize
592KB

Download
memory/1488-40-0x0000000000E70000-0x0000000000F04000-memory.dmp

Filesize
592KB

Download
memory/1488-41-0x0000000000E70000-0x0000000000F04000-memory.dmp

Filesize
592KB

Download
memory/2696-12-0x0000000002570000-0x00000000025D5000-memory.dmp

Filesize
404KB

Download
memory/2696-20-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2696-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download