urelas | c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8b

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
Size

413KB
MD5

b9f8bd887d225686446883ff875ccb90
SHA1

67090bd9de9213f1c08a0f400dd12925cf05daba
SHA256

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8b
SHA512

f33bf21f154ed5de651558ba377b993bae2e9bb376f0723320ccca8a7825a9fadfbd657b906e8c276311c097882a3fdce4ea83b2ab4e2274b0132ab34a9ccdfe
SSDEEP

6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODso:hU7M5ijWh0XOW4sEfeOT

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral2/files/0x000c00000001e581-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exekoadb.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	koadb.exe

Executes dropped EXE 2 IoCs

Processes:

koadb.exeepytz.exe

pid	Process
3300	koadb.exe
3968	epytz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exekoadb.execmd.exeepytz.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epytz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

epytz.exe

pid	Process
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe
3968	epytz.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exekoadb.exe

description	pid	Process	procid_target
PID 3800 wrote to memory of 3300	3800	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	88
PID 3800 wrote to memory of 3300	3800	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	88
PID 3800 wrote to memory of 3300	3800	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	88
PID 3800 wrote to memory of 1896	3800	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	89
PID 3800 wrote to memory of 1896	3800	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	89
PID 3800 wrote to memory of 1896	3800	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	89
PID 3300 wrote to memory of 3968	3300	koadb.exe	107
PID 3300 wrote to memory of 3968	3300	koadb.exe	107
PID 3300 wrote to memory of 3968	3300	koadb.exe	107

C:\Users\Admin\AppData\Local\Temp\c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
"C:\Users\Admin\AppData\Local\Temp\c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\koadb.exe
  "C:\Users\Admin\AppData\Local\Temp\koadb.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\epytz.exe
    "C:\Users\Admin\AppData\Local\Temp\epytz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
ef67289238daad92202b4c1fe4097f4f

SHA1
f71429724fe3c800d9b15077a0c28ebfed067caa

SHA256
35ca3054a3a03ae562b1270445ee4a7851c04364248f84b4feb4cd77f6502659

SHA512
500c3849490cce085e27ca20d7d46394789d0b39e64aa56f72772704bcd3820c431b02607e13fcbf966a11765c2d9281e9f7e0db9a88304363a3a5b9dc505ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\epytz.exe

Filesize
212KB

MD5
72515e462f1fc145ec64d672e8c75d37

SHA1
7886d462ce5cf69e5f1e820cd902f5e3ad422997

SHA256
e3705a61b27bca591671d197026a4af0edb4adc2a2df55782ca58164b863b69c

SHA512
5c0eff46095498709db586b9f11832093844cda16589df61d2d257542c445c969236534384704ff133256555ad57b211d6dd8f9ed97ec9e6a3eb89f63f33488f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
db26479c625dfe137097a64f8a459bce

SHA1
ad17dc4585a23a499fde177b48417f4e5387e3a6

SHA256
744ab4c7f426b448e38385befb05994cf19d480f678b0b9721fade8715506871

SHA512
6c770ff2471cf60ecaa0c67282210847c8ac371e66c4135fc6d1c80512a1cd925e99f9bee94868500426c6909549f6c5fc02e21df7e47820f512b3f4768fa934

Download Submit
C:\Users\Admin\AppData\Local\Temp\koadb.exe

Filesize
413KB

MD5
e40fcbcbfbf6611dd21c7b99991e5b8d

SHA1
58ed56d9cfca2607765ea66237abbb83e62b677c

SHA256
f3fc9d227db04d823fa3674c96e14eff12fea399eabe63bb14955c40b854607b

SHA512
b2c58db09e6475a2e69408cdd06ece94a728e740d83964fcc70e0c3206bc4287dcb88213015a486676f75ef628dffc6b4aea4fa2838ff159b59e4341208ba321

Download Submit
memory/3300-16-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3300-29-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3800-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3800-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3968-28-0x0000000000DF0000-0x0000000000E84000-memory.dmp

Filesize
592KB

Download
memory/3968-27-0x0000000000DF0000-0x0000000000E84000-memory.dmp

Filesize
592KB

Download
memory/3968-26-0x0000000000DF0000-0x0000000000E84000-memory.dmp

Filesize
592KB

Download
memory/3968-25-0x0000000000DF0000-0x0000000000E84000-memory.dmp

Filesize
592KB

Download
memory/3968-31-0x0000000000DF0000-0x0000000000E84000-memory.dmp

Filesize
592KB

Download
memory/3968-32-0x0000000000DF0000-0x0000000000E84000-memory.dmp

Filesize
592KB

Download
memory/3968-33-0x0000000000DF0000-0x0000000000E84000-memory.dmp

Filesize
592KB

Download
memory/3968-34-0x0000000000DF0000-0x0000000000E84000-memory.dmp

Filesize
592KB

Download
memory/3968-35-0x0000000000DF0000-0x0000000000E84000-memory.dmp

Filesize
592KB

Download