urelas | 7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5

General

Target

7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe
Size

427KB
MD5

9f5a76606f02cc96ed2530eb6ba13c7f
SHA1

40e448fe4bba1f92069e518706a0433417a07c37
SHA256

7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5
SHA512

c39c57ed0dea297553a659187fd72c89a70dcd68b20830c89a22851919081e3a5c72ca7aeeeb1844116dd70783a179e7224188fcd96ecd5a5cec440bd24e89cb
SSDEEP

6144:EKbwhNxUjDVMytD2NkWuRk/oBmodd+sAaTmQo2fkKv:vANxU3VH1t19MsAlpXG

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000709-22.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	axdyv.exe

Executes dropped EXE 2 IoCs

pid	Process
4152	axdyv.exe
4224	juepn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axdyv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	juepn.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe
4224	juepn.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 4152	3984	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	87
PID 3984 wrote to memory of 4152	3984	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	87
PID 3984 wrote to memory of 4152	3984	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	87
PID 3984 wrote to memory of 3296	3984	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	88
PID 3984 wrote to memory of 3296	3984	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	88
PID 3984 wrote to memory of 3296	3984	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	88
PID 4152 wrote to memory of 4224	4152	axdyv.exe	106
PID 4152 wrote to memory of 4224	4152	axdyv.exe	106
PID 4152 wrote to memory of 4224	4152	axdyv.exe	106

C:\Users\Admin\AppData\Local\Temp\7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe
"C:\Users\Admin\AppData\Local\Temp\7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\axdyv.exe
  "C:\Users\Admin\AppData\Local\Temp\axdyv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\juepn.exe
    "C:\Users\Admin\AppData\Local\Temp\juepn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8f00f73dc2327194b161ef418fc93c13

SHA1
17b54cb67ce70cf225e7807ee1dc5eaf5c1412bc

SHA256
0069ed5fe201679710c34e0ba7dc99358b5fefe1f6ed1fe3f446ea044e9f1e7b

SHA512
b67f29190dd78ab220832fd9a7f4a1a7ad801593d29da13bf9ad5c5dea1a645aacf25bfb25e3dbd1b9ae1e7c0e5e9ed16950897ce755e2fd6e397a2b1cb03b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\axdyv.exe

Filesize
427KB

MD5
5109ea214e83a6b1c0f860b417e388c3

SHA1
dc1da5a9681e15ea2123c7996e279c0a35c43071

SHA256
a2059522e687c40ff0fd7fdccd54ef9f668fc1709accdc9df62a01ab8f8cf1d6

SHA512
7a5a21c25e3cc8b8df3b3c004989446b8f8ab74abbb0f43203763e86fb535d2be1bd385df0087c4a4811819eb4c47f94cf7f210114f39652b9b6c18cc83cba21

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5616fb1125a4813030c0317cd90291d8

SHA1
33a056f227427b6d8b335d93fd3de33a65ad7fdb

SHA256
ec75aa34a286875eb3df6fb062f5a220e775c872930932e03d35268a43522eea

SHA512
a8e7b6e6230a9a6f351976dfd74e46527b2ca27c7afe27c1ac0dc06ad9e7053641b9b31b02b07b4294e81f583e88fd328804d9eef35a31c99043f0a01ae006d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\juepn.exe

Filesize
216KB

MD5
1e6bc9d49d5cf7a7df3da2049fc07c98

SHA1
a37d9f69f324360b5ff0ea6e0b75612f40bcafce

SHA256
3224a3d1fe6833bc31b6e57086fa25afe8401e4d43d5315fe3fd18fde4379449

SHA512
f143d1543820db7da2774a8b1e29645eb4a664b8753983fd1e033da508b1847cbdaf88a42fba695047e4ba21cc59addf7992344abc1481a6bbcac2aa1931c7de

Download Submit
memory/3984-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3984-14-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4152-17-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4152-12-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4152-27-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4224-25-0x00000000003C0000-0x0000000000462000-memory.dmp

Filesize
648KB

Download
memory/4224-29-0x00000000003C0000-0x0000000000462000-memory.dmp

Filesize
648KB

Download
memory/4224-28-0x00000000003C0000-0x0000000000462000-memory.dmp

Filesize
648KB

Download
memory/4224-30-0x00000000003C0000-0x0000000000462000-memory.dmp

Filesize
648KB

Download
memory/4224-32-0x00000000003C0000-0x0000000000462000-memory.dmp

Filesize
648KB

Download
memory/4224-33-0x00000000003C0000-0x0000000000462000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing