urelas | 213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe
Size

629KB
MD5

852c786fe915770ff65d506086e4bf35
SHA1

c47e365f60694b91426dd12d50df82cf96afd732
SHA256

213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e
SHA512

469b5daf40b28366b11268f7ab96f7a1379f9e34ab150db4902301ad4779d890d09933527e45b6c88888979ef53c99d96178d2abe99a2824633a4d6e1ac9ca33
SSDEEP

12288:5U7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsx:5UowYcOW4a2YcOW4Q

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000400000000072f-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	neleh.exe

Executes dropped EXE 2 IoCs

pid	Process
5044	neleh.exe
4516	siuvy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neleh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siuvy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe
4516	siuvy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 5044	4728	213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe	87
PID 4728 wrote to memory of 5044	4728	213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe	87
PID 4728 wrote to memory of 5044	4728	213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe	87
PID 4728 wrote to memory of 4376	4728	213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe	88
PID 4728 wrote to memory of 4376	4728	213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe	88
PID 4728 wrote to memory of 4376	4728	213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe	88
PID 5044 wrote to memory of 4516	5044	neleh.exe	106
PID 5044 wrote to memory of 4516	5044	neleh.exe	106
PID 5044 wrote to memory of 4516	5044	neleh.exe	106

C:\Users\Admin\AppData\Local\Temp\213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe
"C:\Users\Admin\AppData\Local\Temp\213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\AppData\Local\Temp\neleh.exe
  "C:\Users\Admin\AppData\Local\Temp\neleh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\siuvy.exe
    "C:\Users\Admin\AppData\Local\Temp\siuvy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
f6f67b02a0fee1cbac2651a91befa5e1

SHA1
f768ee445010c870da40c425824995553e98e8a1

SHA256
4386dcf6a59d8cf5fd16af36f29321bdedccdf8781babf4033498446c76539d2

SHA512
d4c6d1f58b2d8e8ca58b4650a3ada7f871cbf17dbcd64912ffaf3a91ecc22e0d86c0f2240e4f8a082062cf17fc4e75b1efee41f5b24759ba509eae25d6b07a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
747578224d89bd90332a4bceb7ad494e

SHA1
1a6295224c17739fce8387c7560e34f825e6f266

SHA256
442b3d001d771b4d05ec7060ea09e49c7cf0adb477b61fd540a4758e1d8b1d4d

SHA512
0747e08a09ca43a4b3f0cf5fcaed12af4bd8c4dd6ff4fd809ce663d23f29cdbee930e4a402d66a13cebfb2a8faf9f64c5759900bf649da52a455ca0957e57bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\neleh.exe

Filesize
629KB

MD5
538924984ded92c205a237d4639cab81

SHA1
a30eec3ddcf04312a8d6809da3ce10544d42a75f

SHA256
4172074a92f3541520644ab073ca5d67e698d1a1ca1380e8df70509798a32b1b

SHA512
8963ae2f959df7a41a4948158156998b57587bc5d83ec8ac1e78e9f4a841284262adc5988ec8941fa087093aec233cb6e9bbae0a24bc36cc9152654ca547c548

Download Submit
C:\Users\Admin\AppData\Local\Temp\siuvy.exe

Filesize
212KB

MD5
5c671da0b70e92698a2f30cd60f2f2e0

SHA1
231eda2356ebeed1612e806095ebb2163e7330d2

SHA256
f31d74b660625e8804709c49715a964bd421eb4304a09d3fbdc71b706e4153f7

SHA512
53a67a3f53e0681f58f8757be30809c33c08162d8d624b3cee885132db9c2e4b15781f0cec846b3f63870f4b1fd429e61bfea462cff5d592afbb679c865b3a2d

Download Submit
memory/4516-31-0x0000000000F90000-0x0000000001024000-memory.dmp

Filesize
592KB

Download
memory/4516-28-0x0000000000F90000-0x0000000001024000-memory.dmp

Filesize
592KB

Download
memory/4516-27-0x0000000000F90000-0x0000000001024000-memory.dmp

Filesize
592KB

Download
memory/4516-26-0x0000000000F90000-0x0000000001024000-memory.dmp

Filesize
592KB

Download
memory/4516-25-0x0000000000F90000-0x0000000001024000-memory.dmp

Filesize
592KB

Download
memory/4516-32-0x0000000000F90000-0x0000000001024000-memory.dmp

Filesize
592KB

Download
memory/4516-33-0x0000000000F90000-0x0000000001024000-memory.dmp

Filesize
592KB

Download
memory/4516-34-0x0000000000F90000-0x0000000001024000-memory.dmp

Filesize
592KB

Download
memory/4516-35-0x0000000000F90000-0x0000000001024000-memory.dmp

Filesize
592KB

Download
memory/4728-13-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4728-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5044-16-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5044-29-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download