urelas | 34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ec

General

Target

34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe
Size

458KB
MD5

7b71458e7c0196c106b3ce6556ab2540
SHA1

15cd146a05f89369da87a21e5516e88cde8feaac
SHA256

34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ec
SHA512

ded897a6123f6e50d2f769cf281d7ced4849c487bc774ce8e0897399c02077b50da5f6af0c6546aba8dede43ccf7f66d414b6bd85c90d96e0ed8afd05ba2d3a5
SSDEEP

6144:l+89tuc2/zrVhVa2H6jkEgAnLjCyl5afu/KQw3hwglo8uBqjnv6D3WwhD5RzC913:lJYH6jkEgAnieafuzQTlhuwv6Dd9C9GA

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-28.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2892	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2528	fuofz.exe
2792	opreg.exe

Loads dropped DLL 2 IoCs

pid	Process
1580	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe
2528	fuofz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuofz.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1580	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe
2528	fuofz.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe
2792	opreg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2528	1580	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	28
PID 1580 wrote to memory of 2528	1580	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	28
PID 1580 wrote to memory of 2528	1580	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	28
PID 1580 wrote to memory of 2528	1580	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	28
PID 1580 wrote to memory of 2892	1580	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	29
PID 1580 wrote to memory of 2892	1580	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	29
PID 1580 wrote to memory of 2892	1580	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	29
PID 1580 wrote to memory of 2892	1580	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	29
PID 2528 wrote to memory of 2792	2528	fuofz.exe	33
PID 2528 wrote to memory of 2792	2528	fuofz.exe	33
PID 2528 wrote to memory of 2792	2528	fuofz.exe	33
PID 2528 wrote to memory of 2792	2528	fuofz.exe	33

C:\Users\Admin\AppData\Local\Temp\34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe
"C:\Users\Admin\AppData\Local\Temp\34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\fuofz.exe
  "C:\Users\Admin\AppData\Local\Temp\fuofz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\opreg.exe
    "C:\Users\Admin\AppData\Local\Temp\opreg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
342B

MD5
4ac14fdfed1c0674d27be8a154997e86

SHA1
16373514bd202bff735f379dff2adc34cce49ede

SHA256
e75a346975f8c96f4d7ddf91aded24da4a399fdf711874259a32b9a85c79a388

SHA512
6803ee94ee0ff686bed5ab290a5a4b453770e30edba5fc87dabb23a4b7ee80c4c8ae11ab97dec7c38e82911b9ae3abff0d5b4bd6d5d69ee9fc0eb3384bcea706

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ceda3abaa9e72b5f76cc04226f2c349e

SHA1
e46c490a697f59cab31c395323317d9cdb45b3d1

SHA256
273e5cb65ff944f8b593ec9edec0c0cb611c2eb5c7b43213c040f0814055d554

SHA512
04a5fb7346353a5dafa8314507125a3f91e2f11a22e4996b2a151a29144105a3d00f52ae8684a83dd0fc468c0b758d8193c18c9bf0d0dda07f2e190b17f55bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\opreg.exe

Filesize
211KB

MD5
bf8f4177ddd85affa9951a92134dc208

SHA1
6f22f678fcc0e660abfeca39761698ff581b2c64

SHA256
c9900810e92e600443c748f0b5fa19bb4afd458dd87130ea8b37f3e92bf4b800

SHA512
9b93689ec3d260b2fa65d51f837b698d524b1dd13ba4e587e0d4bbda941eee1ac4d2d1a677990764a4bc66ef40fdba427dcbf915bc11c649fe96c00346055aed

Download Submit
\Users\Admin\AppData\Local\Temp\fuofz.exe

Filesize
458KB

MD5
94c70f6d454c65262dd34a628f5d7be9

SHA1
21372b235a4157a9a9fdbe40972326845e04bea3

SHA256
a5e54a9cf377323b06053647b0b784c516c86ef1eb4c9b5160342688888d707c

SHA512
e361d750982bb1f73b189a02c0c868973df2ad7fadda46c7cbacbe35bbe91705e0fa400e925b39457ad0fe3ed41718ad9e92de9c7edd8e5a92ba613f45cbb135

Download Submit
memory/1580-0-0x0000000000EF0000-0x0000000000F6A000-memory.dmp

Filesize
488KB

Download
memory/1580-5-0x0000000000910000-0x000000000098A000-memory.dmp

Filesize
488KB

Download
memory/1580-18-0x0000000000EF0000-0x0000000000F6A000-memory.dmp

Filesize
488KB

Download
memory/2528-27-0x00000000031C0000-0x0000000003254000-memory.dmp

Filesize
592KB

Download
memory/2528-10-0x0000000000C20000-0x0000000000C9A000-memory.dmp

Filesize
488KB

Download
memory/2528-26-0x0000000000C20000-0x0000000000C9A000-memory.dmp

Filesize
488KB

Download
memory/2792-29-0x0000000000ED0000-0x0000000000F64000-memory.dmp

Filesize
592KB

Download
memory/2792-31-0x0000000000ED0000-0x0000000000F64000-memory.dmp

Filesize
592KB

Download
memory/2792-30-0x0000000000ED0000-0x0000000000F64000-memory.dmp

Filesize
592KB

Download
memory/2792-32-0x0000000000ED0000-0x0000000000F64000-memory.dmp

Filesize
592KB

Download
memory/2792-34-0x0000000000ED0000-0x0000000000F64000-memory.dmp

Filesize
592KB

Download
memory/2792-35-0x0000000000ED0000-0x0000000000F64000-memory.dmp

Filesize
592KB

Download
memory/2792-36-0x0000000000ED0000-0x0000000000F64000-memory.dmp

Filesize
592KB

Download
memory/2792-37-0x0000000000ED0000-0x0000000000F64000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing