urelas | 39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe
Size

401KB
MD5

11734828f928becb6e9c2394eaea3da7
SHA1

d094132e3dac9f4d8f91866d4b4cd2a25dd82cfc
SHA256

39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8
SHA512

c45771184caaff0cefcc2281c6400130dce9e7bad05175e4f1e12a4d35159f6eedc0d25b180e99d1513915a020ad5d8c95b47d11e72fad0c126799182817138f
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOc:oU7M5ijWh0XOW4sEfeOc

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x000d000000016d46-28.dat	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2724	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ohput.exekyvoc.exe

pid	Process
2768	ohput.exe
1328	kyvoc.exe

Loads dropped DLL 3 IoCs

Processes:

39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exeohput.exe

pid	Process
1400	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe
1400	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe
2768	ohput.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exeohput.execmd.exekyvoc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohput.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyvoc.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

kyvoc.exe

pid	Process
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe
1328	kyvoc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exeohput.exe

description	pid	Process	procid_target
PID 1400 wrote to memory of 2768	1400	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	31
PID 1400 wrote to memory of 2768	1400	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	31
PID 1400 wrote to memory of 2768	1400	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	31
PID 1400 wrote to memory of 2768	1400	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	31
PID 1400 wrote to memory of 2724	1400	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	32
PID 1400 wrote to memory of 2724	1400	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	32
PID 1400 wrote to memory of 2724	1400	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	32
PID 1400 wrote to memory of 2724	1400	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	32
PID 2768 wrote to memory of 1328	2768	ohput.exe	35
PID 2768 wrote to memory of 1328	2768	ohput.exe	35
PID 2768 wrote to memory of 1328	2768	ohput.exe	35
PID 2768 wrote to memory of 1328	2768	ohput.exe	35

C:\Users\Admin\AppData\Local\Temp\39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe
"C:\Users\Admin\AppData\Local\Temp\39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\ohput.exe
  "C:\Users\Admin\AppData\Local\Temp\ohput.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\kyvoc.exe
    "C:\Users\Admin\AppData\Local\Temp\kyvoc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
84798bc2371d82a490ac6c0718e12d56

SHA1
b1aedc1784c2e70f8cb29521e1b9408407f3590c

SHA256
3a50e680f754c817f54df366aa265501df5c2a833cfc4e981584e2161aab1919

SHA512
9215059f7e0b2b8ffe108bd64147578193fb85969c72ebaa5f10dcc6bdc4ca32847dfef410fe57626c6e674518700b7a2a13a7f6aa825657316ad63e03399890

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
490008d9ee3b0d2a3d713939454da3e7

SHA1
0680b7b07a49c0452ba63ca3a206767fe84a47db

SHA256
e574883c3f2677f7225a7e112038a841e4e56d5bd8e0f65e7d67b456f0af465c

SHA512
c0257ab0e0124c7d07a6fad2b5041aa91c67074b4976b3aa5e5496f5dd34c247c3c1221434bb0e38f07830012a1ce2d486b28367844e12e849d2401bb17dfab0

Download Submit
\Users\Admin\AppData\Local\Temp\kyvoc.exe

Filesize
212KB

MD5
64b751f7a885e575b454fd7177c23604

SHA1
221fe0c190b5afa9dc58bea2bcd9ed9a1ca12887

SHA256
91f1618cea3061b2d233091dd9c9203f5cd6010570160c8d8c6852d9b22c8360

SHA512
8555ee3495364a5d8c5c54b8138824038b3945b1b8c7c296f3ac56da6897c4dfd46d5a0bc5b6752b437d7acafb3ef78879334044b55eb8b87080b4e4495f2be1

Download Submit
\Users\Admin\AppData\Local\Temp\ohput.exe

Filesize
401KB

MD5
7b6cd37573eb30fac2ad195bf3a84c40

SHA1
4c8977d1dcb1e43e555927ba0d4159075a8f358f

SHA256
825a6bf96aa1c9e4332c2da27c9a5ecd47fc7dea6788420e25df685fca0fe0ae

SHA512
3b17f653308b06042c656810ab858ad81916af3f0f8f238041687ba9810fdb97b392f8817a6b09662642a8849e1dc2fa6b8c0ec3029b93ac16ed4c6132654ff2

Download Submit
memory/1328-39-0x0000000000B50000-0x0000000000BE4000-memory.dmp

Filesize
592KB

Download
memory/1328-40-0x0000000000B50000-0x0000000000BE4000-memory.dmp

Filesize
592KB

Download
memory/1328-34-0x0000000000B50000-0x0000000000BE4000-memory.dmp

Filesize
592KB

Download
memory/1328-35-0x0000000000B50000-0x0000000000BE4000-memory.dmp

Filesize
592KB

Download
memory/1328-37-0x0000000000B50000-0x0000000000BE4000-memory.dmp

Filesize
592KB

Download
memory/1328-43-0x0000000000B50000-0x0000000000BE4000-memory.dmp

Filesize
592KB

Download
memory/1328-42-0x0000000000B50000-0x0000000000BE4000-memory.dmp

Filesize
592KB

Download
memory/1328-36-0x0000000000B50000-0x0000000000BE4000-memory.dmp

Filesize
592KB

Download
memory/1328-41-0x0000000000B50000-0x0000000000BE4000-memory.dmp

Filesize
592KB

Download
memory/1400-22-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1400-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1400-20-0x00000000024A0000-0x0000000002505000-memory.dmp

Filesize
404KB

Download
memory/1400-19-0x00000000024A0000-0x0000000002505000-memory.dmp

Filesize
404KB

Download
memory/2768-31-0x0000000003500000-0x0000000003594000-memory.dmp

Filesize
592KB

Download
memory/2768-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2768-33-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2768-25-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download