urelas | 36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3

General

Target

36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe
Size

331KB
MD5

a77e24c20018b1ab66b58aa944c5de9c
SHA1

154763d2824785ac6e3167ecc4cd74ebe457c8ef
SHA256

36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3
SHA512

10b0ee9b0378525cb0a23637a08c6b548009c11c12b7123302e514fd180734fcfb35454dabfd9042f35348983f07600e5bcf211e2f019d9b358159124a0fcd30
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisd:Nd7rpL43btmQ58Z27zw39gY2FeZh4w

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x0009000000017488-40.dat	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2284	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

nomik.exeqagovu.exexucee.exe

pid	Process
2208	nomik.exe
2816	qagovu.exe
1600	xucee.exe

Loads dropped DLL 5 IoCs

Processes:

36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exenomik.exeqagovu.exe

pid	Process
2384	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe
2384	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe
2208	nomik.exe
2208	nomik.exe
2816	qagovu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeqagovu.exexucee.execmd.exe36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exenomik.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qagovu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xucee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nomik.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

xucee.exe

pid	Process
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe
1600	xucee.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exenomik.exeqagovu.exe

description	pid	Process	procid_target
PID 2384 wrote to memory of 2208	2384	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	30
PID 2384 wrote to memory of 2208	2384	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	30
PID 2384 wrote to memory of 2208	2384	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	30
PID 2384 wrote to memory of 2208	2384	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	30
PID 2384 wrote to memory of 2284	2384	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	31
PID 2384 wrote to memory of 2284	2384	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	31
PID 2384 wrote to memory of 2284	2384	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	31
PID 2384 wrote to memory of 2284	2384	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	31
PID 2208 wrote to memory of 2816	2208	nomik.exe	33
PID 2208 wrote to memory of 2816	2208	nomik.exe	33
PID 2208 wrote to memory of 2816	2208	nomik.exe	33
PID 2208 wrote to memory of 2816	2208	nomik.exe	33
PID 2816 wrote to memory of 1600	2816	qagovu.exe	35
PID 2816 wrote to memory of 1600	2816	qagovu.exe	35
PID 2816 wrote to memory of 1600	2816	qagovu.exe	35
PID 2816 wrote to memory of 1600	2816	qagovu.exe	35
PID 2816 wrote to memory of 1012	2816	qagovu.exe	36
PID 2816 wrote to memory of 1012	2816	qagovu.exe	36
PID 2816 wrote to memory of 1012	2816	qagovu.exe	36
PID 2816 wrote to memory of 1012	2816	qagovu.exe	36

C:\Users\Admin\AppData\Local\Temp\36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe
"C:\Users\Admin\AppData\Local\Temp\36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\nomik.exe
  "C:\Users\Admin\AppData\Local\Temp\nomik.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\qagovu.exe
    "C:\Users\Admin\AppData\Local\Temp\qagovu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\xucee.exe
      "C:\Users\Admin\AppData\Local\Temp\xucee.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
4af5ce80e4190625e8325667743a9939

SHA1
8ffa27c1fb739f081671d7dd1b3ce76b4a965049

SHA256
9123c988cf2e0216092aef20db377731649c28dd50dc116041dad06df741ca70

SHA512
e2347bfdac92a02539098c44c90d35ae6c885b7b3ad219dcc802d73f12ace5599df111dd003aed534373f8b012f92c705ca10f74f4ef87710235909736ca9fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
d23ca23a39da9be5a2d33e7620b89106

SHA1
eb59110ce6b5e224c9aae9cc7d05ec0c7eeeb9ee

SHA256
dcd144d629daf79d0254fb0a7008a8e29743cef285466141ee04afb11890c969

SHA512
82eb535b1da742c37702b87195e8a7a1032e284b7e829a6670324217f2c3b3cfe19496556e88f6ba64dd385fe921fd54353e2b5d1ecd86fad925dd690984e1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aaeb2eb340ee842c518d2779e29862a4

SHA1
05628ead7f070244961148af94fed626b2c0a249

SHA256
181664e74287eacdf06f33a6eeed3fe81364fabd71b206cee25bf1b399c28a67

SHA512
c62f779bc4ef4755c7dca4ee9a620c6eefac79670d2cc232ccf2e8a2cd3792ff39152eee700bd8fc87206ac2b4d5c1fb3cf1fd53053983f40d095894ca89f08a

Download Submit
\Users\Admin\AppData\Local\Temp\nomik.exe

Filesize
331KB

MD5
3452b6c0e423777f5b17eceacccc973e

SHA1
a9f8acc6ba42301fe74397f3ab9b4a060d8cdb11

SHA256
db45a5f60aac846e6c4d25cdf8aa321e816f942b81802223527b5a932be48487

SHA512
ae9e1c3a50932b01f734c24bde0ebf123360973ad54fb12961f3728640c210e2394f4021d857b2a93c2cebf8c87576e8d62c58a4671adb5faa99de530dfd6228

Download Submit
\Users\Admin\AppData\Local\Temp\xucee.exe

Filesize
136KB

MD5
ae1d50771528fbae974d7bb8112d916b

SHA1
d8d2b968fada0e8dcb32c25a217272fcc582ed55

SHA256
a7bdc23853982e1f06d85e304b6a0c82b15784cd77018f34e7b2b81ad22ae288

SHA512
3a545dcb9fc8bcdd7680178fef265332f21adbf13ca5a4c553d4c23de88d8a0ac45b141a0524aa61f3cb5f0fce667d73970850b5f90339525e5f555299dacfd3

Download Submit
memory/1600-56-0x00000000011C0000-0x000000000124C000-memory.dmp

Filesize
560KB

Download
memory/1600-55-0x00000000011C0000-0x000000000124C000-memory.dmp

Filesize
560KB

Download
memory/1600-62-0x00000000011C0000-0x000000000124C000-memory.dmp

Filesize
560KB

Download
memory/1600-61-0x00000000011C0000-0x000000000124C000-memory.dmp

Filesize
560KB

Download
memory/1600-60-0x00000000011C0000-0x000000000124C000-memory.dmp

Filesize
560KB

Download
memory/1600-53-0x00000000011C0000-0x000000000124C000-memory.dmp

Filesize
560KB

Download
memory/1600-57-0x00000000011C0000-0x000000000124C000-memory.dmp

Filesize
560KB

Download
memory/2208-35-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2208-21-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2384-1-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2384-20-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2384-18-0x00000000024C0000-0x0000000002518000-memory.dmp

Filesize
352KB

Download
memory/2816-54-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2816-51-0x0000000003090000-0x000000000311C000-memory.dmp

Filesize
560KB

Download
memory/2816-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2816-34-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads