urelas | 34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ec

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe
Size

458KB
MD5

7b71458e7c0196c106b3ce6556ab2540
SHA1

15cd146a05f89369da87a21e5516e88cde8feaac
SHA256

34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ec
SHA512

ded897a6123f6e50d2f769cf281d7ced4849c487bc774ce8e0897399c02077b50da5f6af0c6546aba8dede43ccf7f66d414b6bd85c90d96e0ed8afd05ba2d3a5
SSDEEP

6144:l+89tuc2/zrVhVa2H6jkEgAnLjCyl5afu/KQw3hwglo8uBqjnv6D3WwhD5RzC913:lJYH6jkEgAnieafuzQTlhuwv6Dd9C9GA

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral2/files/0x000800000001e786-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exejecum.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	jecum.exe

Executes dropped EXE 2 IoCs

Processes:

jecum.exedyvoj.exe

pid	Process
548	jecum.exe
1580	dyvoj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exejecum.execmd.exedyvoj.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jecum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyvoj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exejecum.exedyvoj.exe

pid	Process
2444	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe
2444	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe
548	jecum.exe
548	jecum.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe
1580	dyvoj.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exejecum.exe

description	pid	Process	procid_target
PID 2444 wrote to memory of 548	2444	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	87
PID 2444 wrote to memory of 548	2444	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	87
PID 2444 wrote to memory of 548	2444	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	87
PID 2444 wrote to memory of 4444	2444	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	88
PID 2444 wrote to memory of 4444	2444	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	88
PID 2444 wrote to memory of 4444	2444	34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe	88
PID 548 wrote to memory of 1580	548	jecum.exe	106
PID 548 wrote to memory of 1580	548	jecum.exe	106
PID 548 wrote to memory of 1580	548	jecum.exe	106

C:\Users\Admin\AppData\Local\Temp\34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe
"C:\Users\Admin\AppData\Local\Temp\34ac579ac3b0a05af8fe93d96337a12e38b4b55066f46b57d2d6833b8168a0ecN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\jecum.exe
  "C:\Users\Admin\AppData\Local\Temp\jecum.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\dyvoj.exe
    "C:\Users\Admin\AppData\Local\Temp\dyvoj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
342B

MD5
4ac14fdfed1c0674d27be8a154997e86

SHA1
16373514bd202bff735f379dff2adc34cce49ede

SHA256
e75a346975f8c96f4d7ddf91aded24da4a399fdf711874259a32b9a85c79a388

SHA512
6803ee94ee0ff686bed5ab290a5a4b453770e30edba5fc87dabb23a4b7ee80c4c8ae11ab97dec7c38e82911b9ae3abff0d5b4bd6d5d69ee9fc0eb3384bcea706

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyvoj.exe

Filesize
211KB

MD5
be9dd0c0483d246ce24e4012082061df

SHA1
6a10834efda71995c8c4215b5756f115ada84b92

SHA256
2c24f382c0951181bda20392da95d891b0efc2fc0da06fcacf9bed774dbee39d

SHA512
11a0130da1e7b01a942c13adce1dc8d542e5b66aa8b786aea4e8ba36a7a893aa41fb60eecc24fa7e777622f7b9c97bbf698159e3c415021dba10dcfd7ec91685

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1724675e93232e72e9ba3e80a57c420c

SHA1
7ffd0e26066ad45c63a8919246ed48af05a4e43e

SHA256
ab09a835b85d991dd02b679910afecc40509ffac5cf90a045e1b9902d504a3d8

SHA512
dbcf746bc20a72c8c9967b2a8898e92329d862ca01dfa14dcfdf9ce580b5627ef8645cb6544012e9fa500328becd0ae9dacddd481f702c6af9fde635973c4b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jecum.exe

Filesize
458KB

MD5
e5da5bdc521b579d6b06a5a4a303ef4e

SHA1
cf6a59b6be334eab0a98882ef0a6da6b2fa84b09

SHA256
7a7b4f2b43bff83531304a44c726fa73100ffb30b68d0ed06219791df14d8166

SHA512
89c99ce504a408d3ff3d67f147d9f6bcda0b876d651295f9ec3a7d743f1fc761196e2407835d29b2d74a81d14970555c5f6f16b316f6f324693070cf9188d095

Download Submit
memory/548-10-0x0000000000EF0000-0x0000000000F6A000-memory.dmp

Filesize
488KB

Download
memory/548-29-0x0000000000EF0000-0x0000000000F6A000-memory.dmp

Filesize
488KB

Download
memory/1580-28-0x00000000000F0000-0x0000000000184000-memory.dmp

Filesize
592KB

Download
memory/1580-26-0x00000000000F0000-0x0000000000184000-memory.dmp

Filesize
592KB

Download
memory/1580-25-0x00000000000F0000-0x0000000000184000-memory.dmp

Filesize
592KB

Download
memory/1580-27-0x00000000000F0000-0x0000000000184000-memory.dmp

Filesize
592KB

Download
memory/1580-31-0x00000000000F0000-0x0000000000184000-memory.dmp

Filesize
592KB

Download
memory/1580-32-0x00000000000F0000-0x0000000000184000-memory.dmp

Filesize
592KB

Download
memory/1580-33-0x00000000000F0000-0x0000000000184000-memory.dmp

Filesize
592KB

Download
memory/1580-34-0x00000000000F0000-0x0000000000184000-memory.dmp

Filesize
592KB

Download
memory/2444-14-0x0000000000F70000-0x0000000000FEA000-memory.dmp

Filesize
488KB

Download
memory/2444-0-0x0000000000F70000-0x0000000000FEA000-memory.dmp

Filesize
488KB

Download