urelas | 39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe
Size

401KB
MD5

11734828f928becb6e9c2394eaea3da7
SHA1

d094132e3dac9f4d8f91866d4b4cd2a25dd82cfc
SHA256

39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8
SHA512

c45771184caaff0cefcc2281c6400130dce9e7bad05175e4f1e12a4d35159f6eedc0d25b180e99d1513915a020ad5d8c95b47d11e72fad0c126799182817138f
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOc:oU7M5ijWh0XOW4sEfeOc

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023ab0-22.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exebutus.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	butus.exe

Executes dropped EXE 2 IoCs

Processes:

butus.exemovym.exe

pid	Process
1364	butus.exe
536	movym.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

movym.exe39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exebutus.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	movym.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

movym.exe

pid	Process
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe
536	movym.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exebutus.exe

description	pid	Process	procid_target
PID 4924 wrote to memory of 1364	4924	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	90
PID 4924 wrote to memory of 1364	4924	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	90
PID 4924 wrote to memory of 1364	4924	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	90
PID 4924 wrote to memory of 1252	4924	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	91
PID 4924 wrote to memory of 1252	4924	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	91
PID 4924 wrote to memory of 1252	4924	39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe	91
PID 1364 wrote to memory of 536	1364	butus.exe	112
PID 1364 wrote to memory of 536	1364	butus.exe	112
PID 1364 wrote to memory of 536	1364	butus.exe	112

C:\Users\Admin\AppData\Local\Temp\39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe
"C:\Users\Admin\AppData\Local\Temp\39230e59da5c5d0b1a3bb9095d20c2d154ccd05722aab860e9bc7bea1e770dd8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\butus.exe
  "C:\Users\Admin\AppData\Local\Temp\butus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\movym.exe
    "C:\Users\Admin\AppData\Local\Temp\movym.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
84798bc2371d82a490ac6c0718e12d56

SHA1
b1aedc1784c2e70f8cb29521e1b9408407f3590c

SHA256
3a50e680f754c817f54df366aa265501df5c2a833cfc4e981584e2161aab1919

SHA512
9215059f7e0b2b8ffe108bd64147578193fb85969c72ebaa5f10dcc6bdc4ca32847dfef410fe57626c6e674518700b7a2a13a7f6aa825657316ad63e03399890

Download Submit
C:\Users\Admin\AppData\Local\Temp\butus.exe

Filesize
401KB

MD5
bc5cac13095fda98d8322dc452fd06c1

SHA1
f5787c559a883f74362a0a69452bbfa935c29ebb

SHA256
961a791e0cb09be7412df4f6895197f1547bc6487cbbfec92261f32e9976ea38

SHA512
8a96845882258b7e0bd0a2007f8eff3cde53604ca763a8d15340a9644eb3d211059d5afa7b71359601c29195f4742f59e5d37d401741e84cc17b713fd2b4f899

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
48dd8def284e1986788c927b4fed72ca

SHA1
43b99ebd0a3ec0b5d61e43c608c634b67e681520

SHA256
167f264473d4005ab5c92ad74f1539537ed3f2dc0d5fa1017f94d9882ce353f3

SHA512
2fd516f7d66baa06ffef3efa26ce60a3d889053b3a94bd3aa5f05f6c9a1cb153221599083107d53f5be50185c2a9e7ba1802082cd112c879a74c4b3169ad3dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\movym.exe

Filesize
212KB

MD5
61169d7a683cb0520851159243c6f2e7

SHA1
d8202be0ef9c5c298693527b6d6b259fc9954b57

SHA256
c904d13dbae900d53963dac579cb6d1caa94ddc57578d1416d456215ce8d0126

SHA512
b0369cb85a5d6677a74a73661330f195b4db549c7bb795c0f070d1e8acadd939d39e90aff296e6c9c64db0a7be6c80bf45dde59f480bd076e152c5fcd1e20ff5

Download Submit
memory/536-26-0x0000000000A20000-0x0000000000AB4000-memory.dmp

Filesize
592KB

Download
memory/536-28-0x0000000000A20000-0x0000000000AB4000-memory.dmp

Filesize
592KB

Download
memory/536-36-0x0000000000A20000-0x0000000000AB4000-memory.dmp

Filesize
592KB

Download
memory/536-35-0x0000000000A20000-0x0000000000AB4000-memory.dmp

Filesize
592KB

Download
memory/536-27-0x0000000000A20000-0x0000000000AB4000-memory.dmp

Filesize
592KB

Download
memory/536-29-0x0000000000A20000-0x0000000000AB4000-memory.dmp

Filesize
592KB

Download
memory/536-34-0x0000000000A20000-0x0000000000AB4000-memory.dmp

Filesize
592KB

Download
memory/536-33-0x0000000000A20000-0x0000000000AB4000-memory.dmp

Filesize
592KB

Download
memory/536-32-0x0000000000A20000-0x0000000000AB4000-memory.dmp

Filesize
592KB

Download
memory/1364-12-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1364-30-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1364-17-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4924-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4924-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download