urelas | c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8b

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
Size

413KB
MD5

b9f8bd887d225686446883ff875ccb90
SHA1

67090bd9de9213f1c08a0f400dd12925cf05daba
SHA256

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8b
SHA512

f33bf21f154ed5de651558ba377b993bae2e9bb376f0723320ccca8a7825a9fadfbd657b906e8c276311c097882a3fdce4ea83b2ab4e2274b0132ab34a9ccdfe
SSDEEP

6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODso:hU7M5ijWh0XOW4sEfeOT

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-26.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	upfep.exe
2032	adwos.exe

Loads dropped DLL 3 IoCs

pid	Process
2408	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
2408	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
2964	upfep.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adwos.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe
2032	adwos.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2964	2408	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	28
PID 2408 wrote to memory of 2964	2408	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	28
PID 2408 wrote to memory of 2964	2408	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	28
PID 2408 wrote to memory of 2964	2408	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	28
PID 2408 wrote to memory of 2684	2408	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	29
PID 2408 wrote to memory of 2684	2408	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	29
PID 2408 wrote to memory of 2684	2408	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	29
PID 2408 wrote to memory of 2684	2408	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	29
PID 2964 wrote to memory of 2032	2964	upfep.exe	33
PID 2964 wrote to memory of 2032	2964	upfep.exe	33
PID 2964 wrote to memory of 2032	2964	upfep.exe	33
PID 2964 wrote to memory of 2032	2964	upfep.exe	33

C:\Users\Admin\AppData\Local\Temp\c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
"C:\Users\Admin\AppData\Local\Temp\c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\upfep.exe
  "C:\Users\Admin\AppData\Local\Temp\upfep.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\adwos.exe
    "C:\Users\Admin\AppData\Local\Temp\adwos.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
ef67289238daad92202b4c1fe4097f4f

SHA1
f71429724fe3c800d9b15077a0c28ebfed067caa

SHA256
35ca3054a3a03ae562b1270445ee4a7851c04364248f84b4feb4cd77f6502659

SHA512
500c3849490cce085e27ca20d7d46394789d0b39e64aa56f72772704bcd3820c431b02607e13fcbf966a11765c2d9281e9f7e0db9a88304363a3a5b9dc505ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5e88efba38716e6f4b8794d4151782ed

SHA1
5095f8c5ce2e3dd623824cd35f86f22a83ba5042

SHA256
8b313690353075b796a804d5533eaf6ac8b697e20672fdac222a335301541a13

SHA512
7e81f32c62b01820ffa642eeb02f374d977b9b7abf1f9ce9171e74af418aeeb0b160891c0b964309ab32693eb45cab89c83c885f48cc16bc862ebf9b7cce4f8b

Download Submit
\Users\Admin\AppData\Local\Temp\adwos.exe

Filesize
212KB

MD5
50077805c2949b715dfdd01dad11d7e5

SHA1
7b573227b56f320c42fd580e3b445392d43ae8dc

SHA256
84c083e70f3d2c4715b414fa98bec0f56bd3b811e9f3b2e955c7ed7745b21006

SHA512
e8eea000eb407f68e588ac36b90dadf0633b8bdd78d5c85e9be6a46e07b5c9ac32b8f165dd04294e0c7e4d717bc50ff14064d0b621c6f3c54abdc369c1dcfbae

Download Submit
\Users\Admin\AppData\Local\Temp\upfep.exe

Filesize
413KB

MD5
bbb015eaab2b7b980fcc01f3cc2cbbab

SHA1
8585833c3b2c57fdc7eea2c04e26fd02be01c7e3

SHA256
365a2273735af7680387dc09e5f67489d93bf5a89704f79abb5780e42085d8b6

SHA512
18b71c3fb890d87c32aca53191cf7158e99f6f84585c558985962eff4d9dc144b4fac3e569cb8a08e55291194fa1d59af6930c36b3fd42cd59d3e6d30f7e8f48

Download Submit
memory/2032-32-0x0000000001370000-0x0000000001404000-memory.dmp

Filesize
592KB

Download
memory/2032-34-0x0000000001370000-0x0000000001404000-memory.dmp

Filesize
592KB

Download
memory/2032-40-0x0000000001370000-0x0000000001404000-memory.dmp

Filesize
592KB

Download
memory/2032-39-0x0000000001370000-0x0000000001404000-memory.dmp

Filesize
592KB

Download
memory/2032-31-0x0000000001370000-0x0000000001404000-memory.dmp

Filesize
592KB

Download
memory/2032-38-0x0000000001370000-0x0000000001404000-memory.dmp

Filesize
592KB

Download
memory/2032-33-0x0000000001370000-0x0000000001404000-memory.dmp

Filesize
592KB

Download
memory/2032-37-0x0000000001370000-0x0000000001404000-memory.dmp

Filesize
592KB

Download
memory/2032-36-0x0000000001370000-0x0000000001404000-memory.dmp

Filesize
592KB

Download
memory/2408-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2408-20-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2408-11-0x0000000002BE0000-0x0000000002C45000-memory.dmp

Filesize
404KB

Download
memory/2964-30-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2964-23-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download