urelas | 6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20af

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe
Size

331KB
MD5

9fd6537818e61391607138374af578f0
SHA1

0d1cbc6e7e8adc370f2d39905eba9a6dd5b70fbd
SHA256

6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20af
SHA512

986c0471660ed5be9512cc7a87f726f70354fde4268fc41f4fcc1edba74c1a80d1a257a0741cef96e248e8db1c8999e3cb6d034af74ea1b53b8dcafbba9ca1be
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisG:Nd7rpL43btmQ58Z27zw39gY2FeZhmzr

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023cc1-32.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	yjdee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	cigiuj.exe

Executes dropped EXE 3 IoCs

pid	Process
992	yjdee.exe
2820	cigiuj.exe
4228	nyxay.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cigiuj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyxay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yjdee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe
4228	nyxay.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 992	1828	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	85
PID 1828 wrote to memory of 992	1828	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	85
PID 1828 wrote to memory of 992	1828	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	85
PID 1828 wrote to memory of 2596	1828	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	86
PID 1828 wrote to memory of 2596	1828	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	86
PID 1828 wrote to memory of 2596	1828	6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe	86
PID 992 wrote to memory of 2820	992	yjdee.exe	88
PID 992 wrote to memory of 2820	992	yjdee.exe	88
PID 992 wrote to memory of 2820	992	yjdee.exe	88
PID 2820 wrote to memory of 4228	2820	cigiuj.exe	108
PID 2820 wrote to memory of 4228	2820	cigiuj.exe	108
PID 2820 wrote to memory of 4228	2820	cigiuj.exe	108
PID 2820 wrote to memory of 2948	2820	cigiuj.exe	109
PID 2820 wrote to memory of 2948	2820	cigiuj.exe	109
PID 2820 wrote to memory of 2948	2820	cigiuj.exe	109

C:\Users\Admin\AppData\Local\Temp\6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe
"C:\Users\Admin\AppData\Local\Temp\6802f9f362859b8a09160f8f3e6b5ba2f51784cc6e401988a97b1c479d1e20afN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\Temp\yjdee.exe
  "C:\Users\Admin\AppData\Local\Temp\yjdee.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Users\Admin\AppData\Local\Temp\cigiuj.exe
    "C:\Users\Admin\AppData\Local\Temp\cigiuj.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\nyxay.exe
      "C:\Users\Admin\AppData\Local\Temp\nyxay.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
ca4a1efc7a2c911355dc2f0e2719cb68

SHA1
f0d23db9b9754cd31d6ff6377164ddc7229e27f6

SHA256
e2c50f2e8d7215b2afc969b4d0a81d140b4c4c255ec4b5bb8dd260cfc586a3ef

SHA512
1a39440954d59bf2e73f23d817222f630a5da07afb94bda74484be69facec2c10a236d525599617c1de7b33987b80ef268552d12fcd4175b9feea1dcf8d5d387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
1e1dbdfe4f8f712ceb7fe41c2f30c17b

SHA1
0d26d7081f8662bff755be8086f857ee056dbb83

SHA256
8a19343215b904ceba1acd2c9fb64d548ca10deededb5ab089b1c56da5396146

SHA512
d8a1b9b3a524dda450e02b5d05587d620884607e0f62a44567a1ce79f7659e76fbae3db7e4a1b07b42a9e1d3bc6e46e3b940550ca08fdb72df8ac55b1d4ee72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9de79264b3f4423fbdab2bfa0a885049

SHA1
a36141cb1e3d364f98ba4dcd72dbf7b74ec2c640

SHA256
84156747d2bc478834078b90a66c47339a01c9e5e15313f24d4ab2e2ae6309cf

SHA512
3359d95492fb918aaffaeb0309a03b2f97366474e003cc05e2a8c0aef9b7dd5ef9bf03d2cde4e5f027ccba986e591f5f9a6f591fc7be5411f343c7311ef92980

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyxay.exe

Filesize
136KB

MD5
c28a7e1b810fa57653e557c6a43370ac

SHA1
5629e7a99126466a565dc0e4d1c92f379d1f5660

SHA256
822b30013ad381eaade581b3709f692cc7a40f79db582fe36485d6bc397f7609

SHA512
6304e12ee74449c428144df39d9a468f7e2077efeab227abb5f9ea7eff9eff7613991e1ab1e70329d761a489b5eeae0563797151761fa36fe9fc293d56a9d026

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjdee.exe

Filesize
331KB

MD5
37e1e62841d44544a35287ba81b293d1

SHA1
e7201d71bd8da481199a8c3b9c511eb45fa4604d

SHA256
353900a4da2a94e5f70a62ddaef3f84c4f715156efbb9cfe5a9666796ab473fc

SHA512
50fd8f9c6cdfeb08b3bd89e58fe10e2157db016ec4cf2c1a5e5c4034db2d49459ad1109d439fbffdb11b744552fcc692650f31215cd275da7cb0b1f96bc971b8

Download Submit
memory/992-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1828-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1828-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2820-43-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2820-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2820-26-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4228-39-0x0000000000390000-0x000000000041C000-memory.dmp

Filesize
560KB

Download
memory/4228-42-0x0000000000390000-0x000000000041C000-memory.dmp

Filesize
560KB

Download
memory/4228-38-0x0000000000390000-0x000000000041C000-memory.dmp

Filesize
560KB

Download
memory/4228-40-0x0000000000390000-0x000000000041C000-memory.dmp

Filesize
560KB

Download
memory/4228-45-0x0000000000390000-0x000000000041C000-memory.dmp

Filesize
560KB

Download
memory/4228-46-0x0000000000390000-0x000000000041C000-memory.dmp

Filesize
560KB

Download
memory/4228-47-0x0000000000390000-0x000000000041C000-memory.dmp

Filesize
560KB

Download
memory/4228-48-0x0000000000390000-0x000000000041C000-memory.dmp

Filesize
560KB

Download
memory/4228-49-0x0000000000390000-0x000000000041C000-memory.dmp

Filesize
560KB

Download
memory/4228-50-0x0000000000390000-0x000000000041C000-memory.dmp

Filesize
560KB

Download