urelas | 18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61b

General

Target

18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe
Size

353KB
MD5

59a1e5e298fb37eb0f8cd60a60503310
SHA1

9838038dc6cd8436aa970c3770158736771f8b7e
SHA256

18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61b
SHA512

33c1c884dd05b4c9feabd12b26e9e668b6d04be0ba2f196f113749dcdd6da74f591d19fb0f30593da35a38c987e299d038e7580c95254905c4cee31c3e02f74f
SSDEEP

6144:n1KY1Atydsa9tJKNjyulRZIXE/b3MXyxX5DJ7NfY/E8L+0dHqTxBK8x+7iN3p9:nx+ydx9tSNlTIU/b37dJ75WEe+eKTxB3

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\sander.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2832 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

sander.exe

pid process

3008 sander.exe
Loads dropped DLL 1 IoCs

Processes:

18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe

pid process

2912 18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2832	cmd.exe

pid	process
3008	sander.exe

pid	process
2912	18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.execmd.exesander.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sander.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe

description	pid	process	target process
PID 2912 wrote to memory of 3008	2912	18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe	sander.exe
PID 2912 wrote to memory of 3008	2912	18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe	sander.exe
PID 2912 wrote to memory of 3008	2912	18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe	sander.exe
PID 2912 wrote to memory of 3008	2912	18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe	sander.exe
PID 2912 wrote to memory of 2832	2912	18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe	cmd.exe
PID 2912 wrote to memory of 2832	2912	18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe	cmd.exe
PID 2912 wrote to memory of 2832	2912	18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe	cmd.exe
PID 2912 wrote to memory of 2832	2912	18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe
"C:\Users\Admin\AppData\Local\Temp\18193e28a0cd76747a843fe84b315e5f059a2d7feadf5a9b47169b07706fa61bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
343B

MD5
41c8060c4e3f2ba1f321db448e6291e6

SHA1
0964473f3602ea958848c282cdf625581ee3e7cc

SHA256
ebeff2de2578859eec180528348ebc1ded06a6f9d5cc4284b83ee67f5ee9694e

SHA512
7b5fd13e60c43c19fbfb58e3d1060a0bcad18260718932f9dc14000a340eced4a986259de331fdec1eac2796184a0e7fa27fa0a7c621439afcac8fc5203b9f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
145cec05d8d704ff7aa3d812b1aff628

SHA1
097ae09965ed3804359803708b8af87b5b90fcbb

SHA256
66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea

SHA512
1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

Download Submit
\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
353KB

MD5
94e9c3cc1dfedf4693440de23aa21f8e

SHA1
de681d6e82da054b2b9b69db04d325c5f24c32e2

SHA256
67e201864b3032ad6627867a15e966d43a0591c2bd29ade9afebdeba85d41935

SHA512
9118716a2886b1837cc1fe01b53f73f5ecdee0e653835b052a970e765a0c1ed0cdae882444382dd47178abe8c8ea7cc282c72f94952b5e54b3fba02a2c6867ff

Download Submit
memory/2912-26-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/2912-1-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/2912-4-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/2912-3-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/2912-2-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/2912-10-0x00000000006C0000-0x0000000000742000-memory.dmp

Filesize
520KB

Download
memory/2912-0-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/3008-24-0x0000000000880000-0x0000000000902000-memory.dmp

Filesize
520KB

Download
memory/3008-16-0x0000000000880000-0x0000000000902000-memory.dmp

Filesize
520KB

Download
memory/3008-15-0x0000000000880000-0x0000000000902000-memory.dmp

Filesize
520KB

Download
memory/3008-14-0x0000000000880000-0x0000000000902000-memory.dmp

Filesize
520KB

Download
memory/3008-17-0x0000000000880000-0x0000000000902000-memory.dmp

Filesize
520KB

Download
memory/3008-29-0x0000000000880000-0x0000000000902000-memory.dmp

Filesize
520KB

Download
memory/3008-35-0x0000000000880000-0x0000000000902000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads