urelas | c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8b

General

Target

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
Size

413KB
MD5

b9f8bd887d225686446883ff875ccb90
SHA1

67090bd9de9213f1c08a0f400dd12925cf05daba
SHA256

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8b
SHA512

f33bf21f154ed5de651558ba377b993bae2e9bb376f0723320ccca8a7825a9fadfbd657b906e8c276311c097882a3fdce4ea83b2ab4e2274b0132ab34a9ccdfe
SSDEEP

6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODso:hU7M5ijWh0XOW4sEfeOT

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0010000000023a14-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	zusym.exe

Executes dropped EXE 2 IoCs

pid	Process
1524	zusym.exe
1844	xiovk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zusym.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xiovk.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe
1844	xiovk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1524	2396	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	88
PID 2396 wrote to memory of 1524	2396	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	88
PID 2396 wrote to memory of 1524	2396	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	88
PID 2396 wrote to memory of 4860	2396	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	89
PID 2396 wrote to memory of 4860	2396	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	89
PID 2396 wrote to memory of 4860	2396	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	89
PID 1524 wrote to memory of 1844	1524	zusym.exe	109
PID 1524 wrote to memory of 1844	1524	zusym.exe	109
PID 1524 wrote to memory of 1844	1524	zusym.exe	109

C:\Users\Admin\AppData\Local\Temp\c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
"C:\Users\Admin\AppData\Local\Temp\c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\zusym.exe
  "C:\Users\Admin\AppData\Local\Temp\zusym.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\xiovk.exe
    "C:\Users\Admin\AppData\Local\Temp\xiovk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
ef67289238daad92202b4c1fe4097f4f

SHA1
f71429724fe3c800d9b15077a0c28ebfed067caa

SHA256
35ca3054a3a03ae562b1270445ee4a7851c04364248f84b4feb4cd77f6502659

SHA512
500c3849490cce085e27ca20d7d46394789d0b39e64aa56f72772704bcd3820c431b02607e13fcbf966a11765c2d9281e9f7e0db9a88304363a3a5b9dc505ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5777b78bed312e8eb4d8d5defc902edc

SHA1
b737771b82c0df37722ee84e1a877e9b0f846b34

SHA256
5d0500870394a135e448808128e0467278277e25137078afde326f715a4e78d3

SHA512
47e195e5fcd2eaf6d5d74298c46e39aecf7aa08c5d42c9e6a997611e498d8fda193f8159a74675704b510373a56f4f68ce6c3d6b92541587d5e4e27da4bce818

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiovk.exe

Filesize
212KB

MD5
4b323f1debf89abf5f9bf77224ec6c9e

SHA1
9f5fbba8a0bac181e189eb4322e505982fd1b016

SHA256
42eb58f6cf501c988649cfe0f0814db7a7132777f3271ec6155b2dcdc2a2189d

SHA512
5dbcc49c21f03ed6dbbc002d033b28d6d2c3ef190954b0e4dada665fc9a41b1776c012f85059774f525fcfe4f7e132ced80f2454f09b00f710b125ac4a66c70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zusym.exe

Filesize
413KB

MD5
baf2e990d8573763fc564c958e78aeaf

SHA1
82cf2c18e493077609b6e2063f9d0cc39d3a1e4f

SHA256
d0bed5d290d924745b90a59735acc8bea667d2b775a704decfd6d0191db9377f

SHA512
f8e64a61b7293bbfba750e1dc54554e633bd1055c7165994b3090c3295aa5c22fe7f10da4be81ec3c61a6f2d08180b53b3754b91512e8257fee19499830375e5

Download Submit
memory/1524-16-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1524-29-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1844-25-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/1844-28-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/1844-26-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/1844-27-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/1844-31-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/1844-32-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/2396-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2396-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing