urelas | 36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babb

Analysis

max time kernel
150s
max time network
82s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
Size

409KB
MD5

dd27974b04f29dd7b43ce92dae43cd90
SHA1

21ba560271aac3e1d2548a68594ad848918b92d9
SHA256

36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babb
SHA512

f29513f26c39141026d72cc15eb649d6b041aaa99d907ac7054836a8325bc0fa07b1152d687dff2d2d47031b9c7d404bc7fe7d12cad69822974daf6b0d9697eb
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOY+:eU7M5ijWh0XOW4sEfeOz

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a00000001756e-28.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2856	huict.exe
2920	nerie.exe

Loads dropped DLL 3 IoCs

pid	Process
2904	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
2904	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
2856	huict.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huict.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nerie.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe
2920	nerie.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2856	2904	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	29
PID 2904 wrote to memory of 2856	2904	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	29
PID 2904 wrote to memory of 2856	2904	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	29
PID 2904 wrote to memory of 2856	2904	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	29
PID 2904 wrote to memory of 2840	2904	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	30
PID 2904 wrote to memory of 2840	2904	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	30
PID 2904 wrote to memory of 2840	2904	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	30
PID 2904 wrote to memory of 2840	2904	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	30
PID 2856 wrote to memory of 2920	2856	huict.exe	32
PID 2856 wrote to memory of 2920	2856	huict.exe	32
PID 2856 wrote to memory of 2920	2856	huict.exe	32
PID 2856 wrote to memory of 2920	2856	huict.exe	32

C:\Users\Admin\AppData\Local\Temp\36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
"C:\Users\Admin\AppData\Local\Temp\36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\huict.exe
  "C:\Users\Admin\AppData\Local\Temp\huict.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\nerie.exe
    "C:\Users\Admin\AppData\Local\Temp\nerie.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0d4514c1d29cc90e6c386266520c81d5

SHA1
505a6c72c47b3044379da558211a2fff546da277

SHA256
4721a3f937f6452d73c2fc4e49a28d93a5b3275d8d6375f1ce7dd96fc4beadb4

SHA512
a0a6df796d9a10800e57f65b3c4a2248315e9b838e6d0f568c2ee7e13c15fcdd4e2b150acf9d46da1e919429fe442a419825e63ae9e3d5ac59297b83fe0db571

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
596d82114aed5765bcf8d985b0a3626d

SHA1
c49a920df9f372cb3cff3403458ddce418f5dd3d

SHA256
f83273d5b3b223ff7f6becb26a8523312438d448777d7a669ba48f8599a1fa29

SHA512
fdf99282a5cc251af860dc57453f089430479b80e444f0dd32b217a48dce36bd951ef74454faaabc913d003b2ab0f226367fd07a1a02501662b231d7c2ea69ad

Download Submit
\Users\Admin\AppData\Local\Temp\huict.exe

Filesize
409KB

MD5
5dfe734bd1bab038165540c8359de4b2

SHA1
4f70df5026d67367295c2e68804de981928202b3

SHA256
3d13e7549e60bc198ce98a92436d20b83f3802e27cbb15df2db5d9f943d0e7d0

SHA512
fc5e1b31c4fd53f02e00b249126bb4a508f28dec0611e2928b5d602f53f16caf56e3b8435a001a37fc3f28e4941910530e64b8b76d2f8b9b7cb270db2d090f3c

Download Submit
\Users\Admin\AppData\Local\Temp\nerie.exe

Filesize
212KB

MD5
9b20b7ab8b0bad2db157e52f4a77ec21

SHA1
36f71321bf4f7736cc13fb1838db2adfcbe19561

SHA256
24036ccc950688dc302820e52d371e1d0f75f777e548348478e4aefc488c38ad

SHA512
60da1fec119eecf6e383c50d4e01dcb76d435457058378940a5b4bbcfacd46c64092ac1bc01ed7e7deab1437f597fad20bc9c8cddb387049032637c866e1e533

Download Submit
memory/2856-25-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2856-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2856-33-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2856-31-0x0000000003600000-0x0000000003694000-memory.dmp

Filesize
592KB

Download
memory/2904-22-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2904-11-0x0000000002510000-0x0000000002575000-memory.dmp

Filesize
404KB

Download
memory/2904-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2904-12-0x0000000002510000-0x0000000002575000-memory.dmp

Filesize
404KB

Download
memory/2920-36-0x0000000000AB0000-0x0000000000B44000-memory.dmp

Filesize
592KB

Download
memory/2920-35-0x0000000000AB0000-0x0000000000B44000-memory.dmp

Filesize
592KB

Download
memory/2920-34-0x0000000000AB0000-0x0000000000B44000-memory.dmp

Filesize
592KB

Download
memory/2920-38-0x0000000000AB0000-0x0000000000B44000-memory.dmp

Filesize
592KB

Download
memory/2920-39-0x0000000000AB0000-0x0000000000B44000-memory.dmp

Filesize
592KB

Download
memory/2920-40-0x0000000000AB0000-0x0000000000B44000-memory.dmp

Filesize
592KB

Download
memory/2920-41-0x0000000000AB0000-0x0000000000B44000-memory.dmp

Filesize
592KB

Download
memory/2920-42-0x0000000000AB0000-0x0000000000B44000-memory.dmp

Filesize
592KB

Download