urelas | 6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20af

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/10/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe
Size

331KB
MD5

9fd6537818e61391607138374af578f0
SHA1

0d1cbc6e7e8adc370f2d39905eba9a6dd5b70fbd
SHA256

6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20af
SHA512

986c0471660ed5be9512cc7a87f726f70354fde4268fc41f4fcc1edba74c1a80d1a257a0741cef96e248e8db1c8999e3cb6d034af74ea1b53b8dcafbba9ca1be
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisG:Nd7rpL43btmQ58Z27zw39gY2FeZhmzr

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0017000000018657-43.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2084	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2444	eciwz.exe
2848	qywefe.exe
904	tiykv.exe

Loads dropped DLL 5 IoCs

pid	Process
1752	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe
1752	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe
2444	eciwz.exe
2444	eciwz.exe
2848	qywefe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tiykv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eciwz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qywefe.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe
904	tiykv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2444	1752	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	30
PID 1752 wrote to memory of 2444	1752	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	30
PID 1752 wrote to memory of 2444	1752	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	30
PID 1752 wrote to memory of 2444	1752	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	30
PID 1752 wrote to memory of 2084	1752	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	31
PID 1752 wrote to memory of 2084	1752	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	31
PID 1752 wrote to memory of 2084	1752	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	31
PID 1752 wrote to memory of 2084	1752	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	31
PID 2444 wrote to memory of 2848	2444	eciwz.exe	33
PID 2444 wrote to memory of 2848	2444	eciwz.exe	33
PID 2444 wrote to memory of 2848	2444	eciwz.exe	33
PID 2444 wrote to memory of 2848	2444	eciwz.exe	33
PID 2848 wrote to memory of 904	2848	qywefe.exe	35
PID 2848 wrote to memory of 904	2848	qywefe.exe	35
PID 2848 wrote to memory of 904	2848	qywefe.exe	35
PID 2848 wrote to memory of 904	2848	qywefe.exe	35
PID 2848 wrote to memory of 2116	2848	qywefe.exe	36
PID 2848 wrote to memory of 2116	2848	qywefe.exe	36
PID 2848 wrote to memory of 2116	2848	qywefe.exe	36
PID 2848 wrote to memory of 2116	2848	qywefe.exe	36

C:\Users\Admin\AppData\Local\Temp\6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe
"C:\Users\Admin\AppData\Local\Temp\6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\eciwz.exe
  "C:\Users\Admin\AppData\Local\Temp\eciwz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\qywefe.exe
    "C:\Users\Admin\AppData\Local\Temp\qywefe.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\tiykv.exe
      "C:\Users\Admin\AppData\Local\Temp\tiykv.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
ca4a1efc7a2c911355dc2f0e2719cb68

SHA1
f0d23db9b9754cd31d6ff6377164ddc7229e27f6

SHA256
e2c50f2e8d7215b2afc969b4d0a81d140b4c4c255ec4b5bb8dd260cfc586a3ef

SHA512
1a39440954d59bf2e73f23d817222f630a5da07afb94bda74484be69facec2c10a236d525599617c1de7b33987b80ef268552d12fcd4175b9feea1dcf8d5d387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
210b11d05e8e71faf029208830417902

SHA1
fa65247446f79995f25cc394b23606c9337637e7

SHA256
f5d1e4e94463abe06d47e999b465c5cfee3581729c5c4ba47bc2c4df0ba4020a

SHA512
3a815320425aeaed4e76bb2590e2f433e92d1461a6d2acdcafc4919bee89e4a2f9520d45c2da36bd45679c1f478d1e8360258a1d5c69832ff328cfc5d37b2805

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
313fef6ae83a49a7876ce7dbc25dde07

SHA1
11b360c0bfa4f0c89ff627bd235019988daa844f

SHA256
a91e7bcaa9e2b80b862ace08b971f4777919e8ef8a6169828f00b9b94e80dc6f

SHA512
005b6d05e9f1d0fd550310b2e3657aa81deb1111555cb45347660d1800c228db2f35aa6fb17cff7444cf06510c7cfe38b97c724c02164f6e1053627a3a546493

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiykv.exe

Filesize
136KB

MD5
e5b86d5b241bac81836134438ff23fb8

SHA1
4675e503c8a8e3274a801311627fa9e1a82ec1fd

SHA256
1233ca586311de6ff9787810f54abdc7c5d14a1b66941748208e352eaf147817

SHA512
43a232700e25c9b738c68ef69b67d32c48c58c3762eab794de392cf16303cccd12629af9400b39f7c80d0940f43ddbf666e915326b5acace97564287d37ca0d0

Download Submit
\Users\Admin\AppData\Local\Temp\eciwz.exe

Filesize
331KB

MD5
3a7349d3aef4bbef3103ff44ceed390b

SHA1
cb94a24f80e797115155113a931883c0b3e6f69a

SHA256
562cf01406b5d74df297a972f7c184497489063e713ccd76c95c338d3121d879

SHA512
0b059c12fe520f75006b5fa719907f4db74d22e7f76a76de3b7b2485a0abd26d3184339ee8225cf0213f2e79fe9617835cc632da65f3378b106f1b133d15f3e1

Download Submit
memory/904-46-0x0000000000200000-0x000000000028C000-memory.dmp

Filesize
560KB

Download
memory/904-45-0x0000000000200000-0x000000000028C000-memory.dmp

Filesize
560KB

Download
memory/904-60-0x0000000000200000-0x000000000028C000-memory.dmp

Filesize
560KB

Download
memory/904-59-0x0000000000200000-0x000000000028C000-memory.dmp

Filesize
560KB

Download
memory/904-48-0x0000000000200000-0x000000000028C000-memory.dmp

Filesize
560KB

Download
memory/904-47-0x0000000000200000-0x000000000028C000-memory.dmp

Filesize
560KB

Download
memory/904-61-0x0000000000200000-0x000000000028C000-memory.dmp

Filesize
560KB

Download
memory/904-64-0x0000000000200000-0x000000000028C000-memory.dmp

Filesize
560KB

Download
memory/904-63-0x0000000000200000-0x000000000028C000-memory.dmp

Filesize
560KB

Download
memory/904-62-0x0000000000200000-0x000000000028C000-memory.dmp

Filesize
560KB

Download
memory/1752-20-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1752-2-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1752-11-0x0000000002460000-0x00000000024B8000-memory.dmp

Filesize
352KB

Download
memory/2444-34-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2848-35-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2848-56-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2848-44-0x0000000003C80000-0x0000000003D0C000-memory.dmp

Filesize
560KB

Download
memory/2848-33-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download