urelas | e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36

General

Target

e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe
Size

401KB
MD5

dc9bddf92d9dd574c9b94a80f3482a30
SHA1

e0fcfa8ab2e8ca54764cca5bf400ed37fc3cf168
SHA256

e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36
SHA512

f4223f56c558b0ce6a3d49fbfeff0694885e83b41ba8f18cef9f5c4351402081b3f1c05292d66a370c1b74e16f02c192bf2eb141d06824bc1a667bc1a1fb46c6
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOU:oU7M5ijWh0XOW4sEfeOU

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x00090000000174b4-28.dat	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1612	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ykinr.exeviovy.exe

pid	Process
348	ykinr.exe
1156	viovy.exe

Loads dropped DLL 3 IoCs

Processes:

e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exeykinr.exe

pid	Process
3068	e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe
3068	e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe
348	ykinr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exeykinr.execmd.exeviovy.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykinr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viovy.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

viovy.exe

pid	Process
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe
1156	viovy.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exeykinr.exe

description	pid	Process	procid_target
PID 3068 wrote to memory of 348	3068	e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe	30
PID 3068 wrote to memory of 348	3068	e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe	30
PID 3068 wrote to memory of 348	3068	e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe	30
PID 3068 wrote to memory of 348	3068	e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe	30
PID 3068 wrote to memory of 1612	3068	e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe	31
PID 3068 wrote to memory of 1612	3068	e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe	31
PID 3068 wrote to memory of 1612	3068	e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe	31
PID 3068 wrote to memory of 1612	3068	e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe	31
PID 348 wrote to memory of 1156	348	ykinr.exe	34
PID 348 wrote to memory of 1156	348	ykinr.exe	34
PID 348 wrote to memory of 1156	348	ykinr.exe	34
PID 348 wrote to memory of 1156	348	ykinr.exe	34

C:\Users\Admin\AppData\Local\Temp\e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe
"C:\Users\Admin\AppData\Local\Temp\e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\ykinr.exe
  "C:\Users\Admin\AppData\Local\Temp\ykinr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Users\Admin\AppData\Local\Temp\viovy.exe
    "C:\Users\Admin\AppData\Local\Temp\viovy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
dee891aa3595ef9bad67be25b4351ae1

SHA1
7fc2ae7256c930fbafd984921a8fa023ac815b0d

SHA256
45b83f3f7901c9d4330dae2373a670442d836f3d92ad2d92aa46f48e6bb36820

SHA512
d1c74dd568fd528ff01308b1f3227464d1a6052d0a7ebfaf412f6b469671c98d88d927937d6e8109fd2a2f327ce16d07da68085e4c304010f15724e1819c4f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d3ed0e2440f2db67aca9ee4b86073070

SHA1
87d7d52e54bdfe05229999a81212198f175694a7

SHA256
c05b272b5e051561f7beef7668fa563b50d613bd8083894f54dbbe8188e036e2

SHA512
b661a96f96028b64bcc761295ce08324edc26b85805ccadb5270348cb2d8ba16958437a0fdff1cd071d9f18a0a485cc598bce81b8820abc3b7ea392869e2e99f

Download Submit
\Users\Admin\AppData\Local\Temp\viovy.exe

Filesize
212KB

MD5
72a1305498cc1bbbbb968e3c282b1f75

SHA1
bf2b7e77a7c81d0cdd4d70c8cffc286bf77f7d45

SHA256
12f80ee6e07c13ae8123cea4ffcbf66a6a612438253ffe3e87560c5433543bfe

SHA512
9bf76835e351dfb4bab37b3ec2faa8c4c9e059dbd3de0100b37a65299afbd7800ef951fcbc003163abc15f537756221a9a871f24acb1d02241afc39e282dfa65

Download Submit
\Users\Admin\AppData\Local\Temp\ykinr.exe

Filesize
401KB

MD5
efce378d09ea08646273b72dd4929647

SHA1
f4193c294a518ffd3f4506565b9a0579952f5994

SHA256
1284be07c985a0e0c0590301b76dcf4788588e740e8b9a7d3648ac8f782d21b5

SHA512
14c2ff75cb268c133a70ba4b6b198fd03fe8b8b9380d4ee98df5d30bd015e5a572fd21fa70afba578ccc7b0bd4d5edae4afab2eb474a9f196dfa1a0661fcc69f

Download Submit
memory/348-25-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/348-22-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/348-32-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1156-33-0x0000000000CC0000-0x0000000000D54000-memory.dmp

Filesize
592KB

Download
memory/1156-34-0x0000000000CC0000-0x0000000000D54000-memory.dmp

Filesize
592KB

Download
memory/1156-36-0x0000000000CC0000-0x0000000000D54000-memory.dmp

Filesize
592KB

Download
memory/1156-35-0x0000000000CC0000-0x0000000000D54000-memory.dmp

Filesize
592KB

Download
memory/1156-38-0x0000000000CC0000-0x0000000000D54000-memory.dmp

Filesize
592KB

Download
memory/1156-39-0x0000000000CC0000-0x0000000000D54000-memory.dmp

Filesize
592KB

Download
memory/3068-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3068-11-0x00000000023B0000-0x0000000002415000-memory.dmp

Filesize
404KB

Download
memory/3068-19-0x00000000023B0000-0x0000000002415000-memory.dmp

Filesize
404KB

Download
memory/3068-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads