urelas | d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe
Size

418KB
MD5

8c79692099276ba6e895bb1ede9f2db9
SHA1

80dec5740cc71b6209d784aa12a5f887e1f96a16
SHA256

d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f
SHA512

79e666209f8c70374ab21bc9df2f61af4fbe9d2b28617a0218096ddeab79bc7f2b547a7449c1332c52eb1cc9d2c6e27ba245960a6649e5f38f9b4857da30e49d
SSDEEP

6144:TzU7blK2P2iCWhWapKRaRXOkN4Swel6f3IsIZOmoi:vU7M1ijWh0XOW4sEf4Os

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-32.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1336	jykat.exe
1628	feezw.exe

Loads dropped DLL 3 IoCs

pid	Process
2028	d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe
2028	d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe
1336	jykat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe
1628	feezw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1336	2028	d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe	28
PID 2028 wrote to memory of 1336	2028	d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe	28
PID 2028 wrote to memory of 1336	2028	d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe	28
PID 2028 wrote to memory of 1336	2028	d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe	28
PID 2028 wrote to memory of 2588	2028	d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe	29
PID 2028 wrote to memory of 2588	2028	d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe	29
PID 2028 wrote to memory of 2588	2028	d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe	29
PID 2028 wrote to memory of 2588	2028	d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe	29
PID 1336 wrote to memory of 1628	1336	jykat.exe	33
PID 1336 wrote to memory of 1628	1336	jykat.exe	33
PID 1336 wrote to memory of 1628	1336	jykat.exe	33
PID 1336 wrote to memory of 1628	1336	jykat.exe	33

C:\Users\Admin\AppData\Local\Temp\d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe
"C:\Users\Admin\AppData\Local\Temp\d6d204f30cf1a593d0a9cb6c20c7bc4b5a2afc492e202f0a652e74c3831d199f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\jykat.exe
  "C:\Users\Admin\AppData\Local\Temp\jykat.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\feezw.exe
    "C:\Users\Admin\AppData\Local\Temp\feezw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
802345fe9fdb7133619630725b5b4d0a

SHA1
92e8ed9caaea8237cbb097823ea54bcef25d6a34

SHA256
48012362a1bf903b8669d2c4ceb534c1c6ad3c05b3fc499950cf689e79387532

SHA512
65bbc7abdeac8389625f00e93611bcb9d9bad85f68a3ff2a47c350e1936934d475285028a30161f41a4d62020139c4e53cb6b36ca03d53c0685123af3bfd5385

Download Submit
C:\Users\Admin\AppData\Local\Temp\feezw.exe

Filesize
212KB

MD5
96288d1a8a3b4b4ddc3837db922eb435

SHA1
98dc43ea9f1277caab670aebc62f208337884c43

SHA256
62f0a20e6d57c86299d933e5dfe95d60db4f0f1de50fec3a1c21400405a8c75f

SHA512
d548a4c02e4de7bec840f7f96b8ab42b8213a61a95631f0648a72ba5fa1f957961fc2821648e10d9d42a7788be94f8c3a8601c8275023e55a2756bfe08e44703

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d4e4b198e13f9c41f0af8bd5bf9d265a

SHA1
f9ca4be11d60f5a3acab12cb29f2abfc7574a170

SHA256
13265fcb3a067067daae0f6219d609b0e8fdc4253d77e64f7d4ab29e2e7a9c94

SHA512
f4a45f7f2b1f9cc1096d16cb27e2c9b4b0789ded4cc3562076de3abfd9b4ed08b0a3b50af4e03678c53d91aa29ee7a6087b0880626a40df0ea6d6b2eaee7adac

Download Submit
\Users\Admin\AppData\Local\Temp\jykat.exe

Filesize
418KB

MD5
06456aaf41577b99c85c35fdc2f0f2af

SHA1
1692441e51ea92dedbf91a7436770c467ea24899

SHA256
19652d72fd38f42cc9c9376f3bafea02b20578c0ff4d2d19289d6af57ec1ecbe

SHA512
df05ce1d20323b9d2e534c79f207893ba15895d02ac39aa7fee81ca55af147a8e790b6262d6e4da7dc1180a5ba30ab8595a053db43132bfbccdf23ac3c1d4b16

Download Submit
memory/1336-30-0x00000000031F0000-0x0000000003284000-memory.dmp

Filesize
592KB

Download
memory/1336-14-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download
memory/1336-31-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download
memory/1628-34-0x00000000011F0000-0x0000000001284000-memory.dmp

Filesize
592KB

Download
memory/1628-36-0x00000000011F0000-0x0000000001284000-memory.dmp

Filesize
592KB

Download
memory/1628-35-0x00000000011F0000-0x0000000001284000-memory.dmp

Filesize
592KB

Download
memory/1628-38-0x00000000011F0000-0x0000000001284000-memory.dmp

Filesize
592KB

Download
memory/1628-39-0x00000000011F0000-0x0000000001284000-memory.dmp

Filesize
592KB

Download
memory/1628-40-0x00000000011F0000-0x0000000001284000-memory.dmp

Filesize
592KB

Download
memory/1628-41-0x00000000011F0000-0x0000000001284000-memory.dmp

Filesize
592KB

Download
memory/1628-42-0x00000000011F0000-0x0000000001284000-memory.dmp

Filesize
592KB

Download
memory/2028-0-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download
memory/2028-22-0x0000000000400000-0x0000000000465A6E-memory.dmp

Filesize
406KB

Download
memory/2028-12-0x0000000002C70000-0x0000000002CD6000-memory.dmp

Filesize
408KB

Download
memory/2028-6-0x0000000002C70000-0x0000000002CD6000-memory.dmp

Filesize
408KB

Download