urelas | c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e805c0b8a34c6295ec6e7d02c0f0539.exe
Size

342KB
MD5

1e805c0b8a34c6295ec6e7d02c0f0539
SHA1

79ab51cb5f5b2b4141eb1a3ec88ee45aca06d027
SHA256

c696b1ba3409aa799769815a4bcc1da27e52e80b8fc2731d6e1713ff52be9160
SHA512

38a508d1100e91f4845b6933dfc432d4c8ef658da1d2bc817cc7dfb3e4e17c4386fb4685e8a3ffb4cc6a312853b81ee49be8c97e0758ab68aabd445f286dadea
SSDEEP

6144:Nd7rpL43btmQ58Z27zw39gY2FeZhrL8Jt:X7dL4AZ0U9gY2Fhz

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0036000000015659-40.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1832	zezij.exe
2592	hysiav.exe
1708	qewec.exe

Loads dropped DLL 5 IoCs

pid	Process
1948	1e805c0b8a34c6295ec6e7d02c0f0539.exe
1948	1e805c0b8a34c6295ec6e7d02c0f0539.exe
1832	zezij.exe
1832	zezij.exe
2592	hysiav.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe
1708	qewec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1832	1948	1e805c0b8a34c6295ec6e7d02c0f0539.exe	28
PID 1948 wrote to memory of 1832	1948	1e805c0b8a34c6295ec6e7d02c0f0539.exe	28
PID 1948 wrote to memory of 1832	1948	1e805c0b8a34c6295ec6e7d02c0f0539.exe	28
PID 1948 wrote to memory of 1832	1948	1e805c0b8a34c6295ec6e7d02c0f0539.exe	28
PID 1948 wrote to memory of 2544	1948	1e805c0b8a34c6295ec6e7d02c0f0539.exe	29
PID 1948 wrote to memory of 2544	1948	1e805c0b8a34c6295ec6e7d02c0f0539.exe	29
PID 1948 wrote to memory of 2544	1948	1e805c0b8a34c6295ec6e7d02c0f0539.exe	29
PID 1948 wrote to memory of 2544	1948	1e805c0b8a34c6295ec6e7d02c0f0539.exe	29
PID 1832 wrote to memory of 2592	1832	zezij.exe	31
PID 1832 wrote to memory of 2592	1832	zezij.exe	31
PID 1832 wrote to memory of 2592	1832	zezij.exe	31
PID 1832 wrote to memory of 2592	1832	zezij.exe	31
PID 2592 wrote to memory of 1708	2592	hysiav.exe	34
PID 2592 wrote to memory of 1708	2592	hysiav.exe	34
PID 2592 wrote to memory of 1708	2592	hysiav.exe	34
PID 2592 wrote to memory of 1708	2592	hysiav.exe	34
PID 2592 wrote to memory of 2956	2592	hysiav.exe	35
PID 2592 wrote to memory of 2956	2592	hysiav.exe	35
PID 2592 wrote to memory of 2956	2592	hysiav.exe	35
PID 2592 wrote to memory of 2956	2592	hysiav.exe	35

C:\Users\Admin\AppData\Local\Temp\1e805c0b8a34c6295ec6e7d02c0f0539.exe
"C:\Users\Admin\AppData\Local\Temp\1e805c0b8a34c6295ec6e7d02c0f0539.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\zezij.exe
  "C:\Users\Admin\AppData\Local\Temp\zezij.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\hysiav.exe
    "C:\Users\Admin\AppData\Local\Temp\hysiav.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\qewec.exe
      "C:\Users\Admin\AppData\Local\Temp\qewec.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7113dd443969d0a944936ebb823ba9d1

SHA1
32577bef0fbc66dd7ccb8d718a3c584887e1e583

SHA256
d8661955ada07189fe9078c1367d9f64c0abfc4dad8c91d3fedc1016117a7ff3

SHA512
acdbb05cc800970d5f830a62854d33f61c794389b9c4e6d506abbab9d3d245a216e3a5df6ec0496689a23291d3e65e0ac130c07a3ca3f65dfd16b27ef9467756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
276B

MD5
2b304a44c6cca72085cf0b05f7aa3795

SHA1
32000767f611829ec66aead42dccf9a2d601d972

SHA256
4b74b0bed07c35ac6fbe5c275f96a8f06b81a1f32d93e2390ae1f1c2e7cf71e8

SHA512
40aac327cbc311cd1a3d33c6fd6f6666a255a2eda96dcaeef406ee7a5bc6bdaef8cf870266c351484c2c7fa3c294c40bb11c28ba616458a2e4ee0c5432000d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7405eb2d433688448c29968972c6039d

SHA1
8f872058d5fd6b03193421575aed11ee4834c8a8

SHA256
ae3b9a4480ce069e691c370c0cff44614e37cf1faf0f5ae19de54a19ee45bdb8

SHA512
4bdbc043344451b01c5e1093d9ba19c6128a0ef68b4ecb4cd6fa6cce79b517d36afd9af3af68bd2f9c439ff53733b63c2e0b5ff21b7871d2abb6d0ae80e9cbc5

Download Submit
\Users\Admin\AppData\Local\Temp\qewec.exe

Filesize
136KB

MD5
dc4572622027f01c03d8a532555c8c8d

SHA1
a2476799f205c45e6646edffdf64c22d36abf45a

SHA256
fb4267a5a8d477a25d683eee734c2c702725cf7b440a99940590102f38008096

SHA512
d38dfacb156bb6ceabb7528730ed53191ddde6e9a7340ba21c4abf869db492e34ffd7ba52c55ec5d8857e70963640d78f75f41626cf974b01b39faccfc9e45a2

Download Submit
\Users\Admin\AppData\Local\Temp\zezij.exe

Filesize
342KB

MD5
445f98d22d31ba45131774acb0762859

SHA1
90ece893df4aecbe6242d7702a5e3264e15843aa

SHA256
f7ea67232a333441919e47b4c8bff5649d4fe8b0e72c3cecb96d226dde2a42b8

SHA512
6cee6e74bfd836b26d9fcc8a0b9cf43fa1049f0e89c30f5039636a401e8eae75bf38c89a304fc167d67bf8b01b144e46b37fb65ab071b75e8dcaecd16fb95c34

Download Submit
memory/1708-56-0x0000000000190000-0x000000000021C000-memory.dmp

Filesize
560KB

Download
memory/1708-59-0x0000000000190000-0x000000000021C000-memory.dmp

Filesize
560KB

Download
memory/1708-64-0x0000000000190000-0x000000000021C000-memory.dmp

Filesize
560KB

Download
memory/1708-63-0x0000000000190000-0x000000000021C000-memory.dmp

Filesize
560KB

Download
memory/1708-62-0x0000000000190000-0x000000000021C000-memory.dmp

Filesize
560KB

Download
memory/1708-54-0x0000000000190000-0x000000000021C000-memory.dmp

Filesize
560KB

Download
memory/1708-55-0x0000000000190000-0x000000000021C000-memory.dmp

Filesize
560KB

Download
memory/1708-61-0x0000000000190000-0x000000000021C000-memory.dmp

Filesize
560KB

Download
memory/1708-60-0x0000000000190000-0x000000000021C000-memory.dmp

Filesize
560KB

Download
memory/1832-33-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1948-12-0x0000000002AD0000-0x0000000002B28000-memory.dmp

Filesize
352KB

Download
memory/1948-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1948-8-0x0000000002AD0000-0x0000000002B28000-memory.dmp

Filesize
352KB

Download
memory/1948-20-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2592-53-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2592-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2592-35-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download