urelas | 03ab57357de3b46523fbb9d061e6d1fe79fbca1158c8de37664da659c90aa088

General

Target

a9924cfd3a9eb9696e6a774efab3ca10N.exe
Size

1.8MB
MD5

a9924cfd3a9eb9696e6a774efab3ca10
SHA1

e73359d508659e40d61439eb1512a771111f8bea
SHA256

03ab57357de3b46523fbb9d061e6d1fe79fbca1158c8de37664da659c90aa088
SHA512

c65f152d44846c75d8af3574a858870a078aeef23416fdabddf6a9c1b2f74442feed14c4f8abbd7ac0ca949fa2e7fc945ee9beb860a39c42323c1ed89ed692d9
SSDEEP

49152:ID3ZrSCi2SbXcJZKFRFW9mimvuhmQDh1n/noFPvSmZtimZU3uvrJT:qgCi2CXnFRFW9mimvuh1DcFSmZtxZU3y

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\kijun.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a9924cfd3a9eb9696e6a774efab3ca10N.exevuves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	a9924cfd3a9eb9696e6a774efab3ca10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	vuves.exe

Executes dropped EXE 2 IoCs

Processes:

vuves.exekijun.exe

pid process

3608 vuves.exe
3972 kijun.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3608	vuves.exe
3972	kijun.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a9924cfd3a9eb9696e6a774efab3ca10N.exevuves.execmd.exekijun.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9924cfd3a9eb9696e6a774efab3ca10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuves.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kijun.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

kijun.exe

pid	process
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe
3972	kijun.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a9924cfd3a9eb9696e6a774efab3ca10N.exevuves.exe

description	pid	process	target process
PID 1880 wrote to memory of 3608	1880	a9924cfd3a9eb9696e6a774efab3ca10N.exe	vuves.exe
PID 1880 wrote to memory of 3608	1880	a9924cfd3a9eb9696e6a774efab3ca10N.exe	vuves.exe
PID 1880 wrote to memory of 3608	1880	a9924cfd3a9eb9696e6a774efab3ca10N.exe	vuves.exe
PID 1880 wrote to memory of 1940	1880	a9924cfd3a9eb9696e6a774efab3ca10N.exe	cmd.exe
PID 1880 wrote to memory of 1940	1880	a9924cfd3a9eb9696e6a774efab3ca10N.exe	cmd.exe
PID 1880 wrote to memory of 1940	1880	a9924cfd3a9eb9696e6a774efab3ca10N.exe	cmd.exe
PID 3608 wrote to memory of 3972	3608	vuves.exe	kijun.exe
PID 3608 wrote to memory of 3972	3608	vuves.exe	kijun.exe
PID 3608 wrote to memory of 3972	3608	vuves.exe	kijun.exe

C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe
"C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\vuves.exe
  "C:\Users\Admin\AppData\Local\Temp\vuves.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\kijun.exe
    "C:\Users\Admin\AppData\Local\Temp\kijun.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
278B

MD5
f4e8084f3a12fa955e6eab09955e87b3

SHA1
af17fbea88d60d6959e2e2714651c21f6c4726d9

SHA256
1e9e90365f77e3cea2c074d22270608ebe8807b741de3d0f3826e8abe2f095e3

SHA512
5e93d47e88daa7af3da27db90c8d674f388535f57a77135b14e0666027c0b39847146769d272be0bcf6660927919119edfb26a410d106da9c3baf3fc10bcc585

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cada88b80c1779b8a384e43080ea1118

SHA1
a32e9b3d80f224f8e67815a3e51502cc6b7040dc

SHA256
80fc4906ef97fd34800f00fb1bdb8d4288517807e54fdd74d1900ce45ad53c65

SHA512
d9f388c3b2669a73c65eaad681fbf157b20edfeb064a125b42716752a59129ebb4a6715acb830e2c3bd6de274ba90ecaf5adda4098e6d9f40aa02a7bd22f0869

Download Submit
C:\Users\Admin\AppData\Local\Temp\kijun.exe

Filesize
210KB

MD5
fdb8acaa851ff97dd36de77173c820aa

SHA1
e69d05075dc6f445e5b078dd25addaa91b6b8262

SHA256
2688485ef975c019b008c6b5ec2fd8ec7f3686cf295d704101daf346084b2252

SHA512
8d2aa0685888a6f17441aa36644d6f146de680d466b2b9247fa3a0fe2d324adef4af2e6ac1aedbed223f6997a0c83b3b3cb11d4c6507bcf215e9a9e254d7d0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuves.exe

Filesize
1.8MB

MD5
c53127170a56f20a11ad245f6b15ddd4

SHA1
e4c51c5d35b6d8d6e188e1021d81baaaa98edc3d

SHA256
e86098f4d27529e041e7e08a0c8851749a672569e2489bde3db25bd75a8e5ff8

SHA512
3f582cd93a52f27921eeb89a82264c44b2e82b3e9dbd4577682b13f7d835b1d3467e6ef80ba6549bd93f38f024abd68e4474928791d8abf68e19d44435154eca

Download Submit
memory/1880-14-0x00000000001A0000-0x000000000036E000-memory.dmp

Filesize
1.8MB

Download
memory/1880-0-0x00000000001A0000-0x000000000036E000-memory.dmp

Filesize
1.8MB

Download
memory/3608-12-0x0000000000300000-0x00000000004CE000-memory.dmp

Filesize
1.8MB

Download
memory/3608-28-0x0000000000300000-0x00000000004CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-29-0x0000000000D00000-0x0000000000D93000-memory.dmp

Filesize
588KB

Download
memory/3972-27-0x0000000000D00000-0x0000000000D93000-memory.dmp

Filesize
588KB

Download
memory/3972-26-0x0000000000D00000-0x0000000000D93000-memory.dmp

Filesize
588KB

Download
memory/3972-25-0x0000000000D00000-0x0000000000D93000-memory.dmp

Filesize
588KB

Download
memory/3972-31-0x0000000000D00000-0x0000000000D93000-memory.dmp

Filesize
588KB

Download
memory/3972-32-0x0000000000D00000-0x0000000000D93000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads