urelas | 36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724.exe
Size

382KB
MD5

db0996f32b46445f7db4fc868c4f5f8b
SHA1

58d740d6f70363e02e46351338af5944c900b953
SHA256

36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724
SHA512

bcacd8a415661c6c0e64bbcc598923764eb554a756588bcf629a49006c9f88168de1614634c797640d052e59fe165b982ebe0eef0f40280e3cbb1c96dc3a608b
SSDEEP

6144:GKMvNQn2DlydH3L9KyGdZIoH5j9u7Q2N0Idgm3wIypgIkz:MV22DlydH3hydZI45P2WUgm37th

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000300000000070d-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	extiw.exe

Executes dropped EXE 2 IoCs

pid	Process
5076	extiw.exe
2144	xozux.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe
2144	xozux.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 5076	4248	36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724.exe	91
PID 4248 wrote to memory of 5076	4248	36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724.exe	91
PID 4248 wrote to memory of 5076	4248	36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724.exe	91
PID 4248 wrote to memory of 2488	4248	36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724.exe	92
PID 4248 wrote to memory of 2488	4248	36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724.exe	92
PID 4248 wrote to memory of 2488	4248	36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724.exe	92
PID 5076 wrote to memory of 2144	5076	extiw.exe	103
PID 5076 wrote to memory of 2144	5076	extiw.exe	103
PID 5076 wrote to memory of 2144	5076	extiw.exe	103

C:\Users\Admin\AppData\Local\Temp\36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724.exe
"C:\Users\Admin\AppData\Local\Temp\36fd7d061598bee1c95fa3c157b817ae21f1bfe4d608dcdd6404fc7af0688724.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\extiw.exe
  "C:\Users\Admin\AppData\Local\Temp\extiw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\xozux.exe
    "C:\Users\Admin\AppData\Local\Temp\xozux.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
2a47cc75bbc5d0780a34e3c869c995aa

SHA1
a8267980a2714f34b676d11c7a7440d61679f902

SHA256
1fe3581d165bc12f85eb9048c748ad9d83a12f306fab092631ca6385f4105730

SHA512
a7456bccfabb4c2812d6121f479916fa0c3d82bfe044e3ab5a1d693a952338af460ecf98755663013f950854e6e23e2e770be6b1922348dea3bc011e0d29bff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\extiw.exe

Filesize
382KB

MD5
f5a8e1de2f58bb721b7a7d66c450322b

SHA1
7da5f3b2db32e2aaf2743cb8855847ff221cdae8

SHA256
5cda78b7b9c9c56da524354d93ed90b736b62e3114b0ff30a033a8668854cb76

SHA512
e10626011898facc34c9e0d76340eaeabdc9794b02f7070786cc9ecb12de65fd6181272e6d8ef4cce35bfcef269ceb59ddb4fdfd69d0625e0a1ec391457325de

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
850fd8f253630a0ecef9df01ae372a9f

SHA1
61bd59543ee84f0fd543998c6f2fede0386bef1b

SHA256
0a6dc1916d2869dafae71e11040a33409190ac0090c3a88f0ead8204329c25f0

SHA512
f47afa836fcb1620451157b5c67717b32133e3af3b1424a059f653a8802b7e94d53ad6a3d18a86591d8cbcbd3a7e67ca0e5555c17f8a5917d8e2967537ece147

Download Submit
C:\Users\Admin\AppData\Local\Temp\xozux.exe

Filesize
209KB

MD5
3c5a7d257d03b58f7b4f9629ab128c44

SHA1
dae7860645d6b1dc83a5063419a1d02bb61d7e14

SHA256
56629c8b97a4bcc8d9d18d59055c4968e5fab47e1e6e3ed8af508a51912a5885

SHA512
c162cc00d1053d0da4949184d20e831441b8128e598dfa9707f5ac83a9f536daae5255bdb75104e22763938939fbd65aaf27e4da2514bd26c0265e886bf344a9

Download Submit
memory/2144-27-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/2144-26-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/2144-28-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/2144-29-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/2144-31-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/2144-32-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/2144-33-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/2144-34-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/2144-35-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/4248-14-0x0000000000710000-0x0000000000774000-memory.dmp

Filesize
400KB

Download
memory/4248-0-0x0000000000710000-0x0000000000774000-memory.dmp

Filesize
400KB

Download
memory/5076-10-0x0000000000D20000-0x0000000000D84000-memory.dmp

Filesize
400KB

Download
memory/5076-24-0x0000000000D20000-0x0000000000D84000-memory.dmp

Filesize
400KB

Download