urelas | 4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3

General

Target

4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe
Size

412KB
MD5

5368154c00258fc3ff4cdcde198728d8
SHA1

739a2fce2fe90bb4dd07de1c1805057b4702c90f
SHA256

4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3
SHA512

d0404546c4606183ce442ad27a3d4971fea9e98443f90a8a34a2e6e2c2baedfdabcbbe74287e1e24c964166c81095e59b5fc90efd094fa7a11257bbad468ea1e
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODgb:oU7M5ijWh0XOW4sEfeO8b

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tiywe.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2752 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

woanr.exetiywe.exe

pid process

316 woanr.exe
1772 tiywe.exe

pid	process
2752	cmd.exe

pid	process
316	woanr.exe
1772	tiywe.exe

Loads dropped DLL 3 IoCs

Processes:

4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exewoanr.exe

pid	process
1832	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe
1832	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe
316	woanr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

tiywe.exe

pid	process
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe
1772	tiywe.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exewoanr.exe

description	pid	process	target process
PID 1832 wrote to memory of 316	1832	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	woanr.exe
PID 1832 wrote to memory of 316	1832	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	woanr.exe
PID 1832 wrote to memory of 316	1832	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	woanr.exe
PID 1832 wrote to memory of 316	1832	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	woanr.exe
PID 1832 wrote to memory of 2752	1832	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	cmd.exe
PID 1832 wrote to memory of 2752	1832	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	cmd.exe
PID 1832 wrote to memory of 2752	1832	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	cmd.exe
PID 1832 wrote to memory of 2752	1832	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	cmd.exe
PID 316 wrote to memory of 1772	316	woanr.exe	tiywe.exe
PID 316 wrote to memory of 1772	316	woanr.exe	tiywe.exe
PID 316 wrote to memory of 1772	316	woanr.exe	tiywe.exe
PID 316 wrote to memory of 1772	316	woanr.exe	tiywe.exe

C:\Users\Admin\AppData\Local\Temp\4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe
"C:\Users\Admin\AppData\Local\Temp\4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\woanr.exe
  "C:\Users\Admin\AppData\Local\Temp\woanr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Users\Admin\AppData\Local\Temp\tiywe.exe
    "C:\Users\Admin\AppData\Local\Temp\tiywe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
f5bd7a59ba3abf60edc51a0422614a48

SHA1
b7c1ec084994d4688b98033444dd8da8ae24ab97

SHA256
edeb4a37e910f9dcc92fb47dece92553d45f8addf35b0618e8cb4fec56b9ac63

SHA512
2fd82bc0efff667fd12a66676c11b3bd4d254613dfe7805aad1eb5d6196c47b75d686e1de6f170fbbbfd2b96e2a811786b2ba30c8b1c7912a4918e56f635790f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ef94a015e4a843a1b1ae942a03694650

SHA1
a9ee94a17f4190e78e1115d9985edf05346d26a4

SHA256
da00536dbc46b21b5d45bfe4f1d58198eaf92000686e8b3cbf83b43564368041

SHA512
80a6b0f3ae167d3da87e05580b78896ab2f0dd965df7dacc91570988c43cd0427e8391b30ab1ab561100f4fc60a8159b19190d332066ae0056507b7c65610b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiywe.exe

Filesize
212KB

MD5
9fed0370ea27d0c4133c578499a7cdd2

SHA1
dce34ccd65eb8acb9cc39dbc4e943a537cbc8c52

SHA256
3a2bed971fdb13369e4a80897a6eac9c5dad8865d0580de34d4fd5304e4db0ba

SHA512
118e2bb41f4aa0ef0dad3b6b4bad1fe2770455941ac70135933367fa4ae3eec26aa36b7cb4528c99e3769ffec1449f3991da290ff093a3b9e313bf88ef7ece8d

Download Submit
\Users\Admin\AppData\Local\Temp\woanr.exe

Filesize
412KB

MD5
7ebebb0af7c42dde9627b99c3f8d7c71

SHA1
aa58bb3347bcfef69a2914a47747df7f262b86cf

SHA256
adc07c3fcf0f5c5bccb8ef9462c06e74a9a4c9480b77332069c5a19ec6e30726

SHA512
c4bd7b977717999b941922967a50acc161554451885f182a1c1fc372f0911f30a6a7ae430e2e8c609ee04bd756a231b2c69eb2708f32ff1e84f438eb204f7392

Download Submit
memory/316-31-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/316-30-0x0000000003B20000-0x0000000003BB4000-memory.dmp

Filesize
592KB

Download
memory/316-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1772-33-0x0000000000B20000-0x0000000000BB4000-memory.dmp

Filesize
592KB

Download
memory/1772-36-0x0000000000B20000-0x0000000000BB4000-memory.dmp

Filesize
592KB

Download
memory/1772-34-0x0000000000B20000-0x0000000000BB4000-memory.dmp

Filesize
592KB

Download
memory/1772-35-0x0000000000B20000-0x0000000000BB4000-memory.dmp

Filesize
592KB

Download
memory/1772-38-0x0000000000B20000-0x0000000000BB4000-memory.dmp

Filesize
592KB

Download
memory/1772-39-0x0000000000B20000-0x0000000000BB4000-memory.dmp

Filesize
592KB

Download
memory/1772-40-0x0000000000B20000-0x0000000000BB4000-memory.dmp

Filesize
592KB

Download
memory/1772-41-0x0000000000B20000-0x0000000000BB4000-memory.dmp

Filesize
592KB

Download
memory/1772-42-0x0000000000B20000-0x0000000000BB4000-memory.dmp

Filesize
592KB

Download
memory/1832-12-0x0000000002BF0000-0x0000000002C55000-memory.dmp

Filesize
404KB

Download
memory/1832-22-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1832-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1832-11-0x0000000002BF0000-0x0000000002C55000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads