urelas | 7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe
Size

427KB
MD5

9f5a76606f02cc96ed2530eb6ba13c7f
SHA1

40e448fe4bba1f92069e518706a0433417a07c37
SHA256

7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5
SHA512

c39c57ed0dea297553a659187fd72c89a70dcd68b20830c89a22851919081e3a5c72ca7aeeeb1844116dd70783a179e7224188fcd96ecd5a5cec440bd24e89cb
SSDEEP

6144:EKbwhNxUjDVMytD2NkWuRk/oBmodd+sAaTmQo2fkKv:vANxU3VH1t19MsAlpXG

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000707-20.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	vidoi.exe

Executes dropped EXE 2 IoCs

pid	Process
2008	vidoi.exe
2588	quvau.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vidoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quvau.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe
2588	quvau.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2008	4060	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	87
PID 4060 wrote to memory of 2008	4060	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	87
PID 4060 wrote to memory of 2008	4060	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	87
PID 4060 wrote to memory of 3912	4060	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	88
PID 4060 wrote to memory of 3912	4060	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	88
PID 4060 wrote to memory of 3912	4060	7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe	88
PID 2008 wrote to memory of 2588	2008	vidoi.exe	107
PID 2008 wrote to memory of 2588	2008	vidoi.exe	107
PID 2008 wrote to memory of 2588	2008	vidoi.exe	107

C:\Users\Admin\AppData\Local\Temp\7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe
"C:\Users\Admin\AppData\Local\Temp\7c6cbbd4cc596f17474662240ca740a05593f42401575b27fda1b2c19a12aff5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\vidoi.exe
  "C:\Users\Admin\AppData\Local\Temp\vidoi.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\quvau.exe
    "C:\Users\Admin\AppData\Local\Temp\quvau.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8f00f73dc2327194b161ef418fc93c13

SHA1
17b54cb67ce70cf225e7807ee1dc5eaf5c1412bc

SHA256
0069ed5fe201679710c34e0ba7dc99358b5fefe1f6ed1fe3f446ea044e9f1e7b

SHA512
b67f29190dd78ab220832fd9a7f4a1a7ad801593d29da13bf9ad5c5dea1a645aacf25bfb25e3dbd1b9ae1e7c0e5e9ed16950897ce755e2fd6e397a2b1cb03b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
dafe6a2ddea3edd25abe5eef948442a6

SHA1
a2ff34e776488ca22d932a887d5dcd34c9cd40f7

SHA256
26ec69670b06f9564a2450cf432bda0c6ceb9044bd4f182ad03bd06dd43c84b4

SHA512
2b1d40b33ec7e8985b47ca6e0369bd6b18ef73c7df971cde553b88aa65f347968379ac9a1d7ee4be831c14b9d078dcf7475d20afd61c18099ddbd2e807fbffae

Download Submit
C:\Users\Admin\AppData\Local\Temp\quvau.exe

Filesize
216KB

MD5
6a53f151a2089d67586e89f319de319b

SHA1
43f2fbc98089be9cc739cb92c0c873765db21254

SHA256
803384ca3c8afde66fa4bdcd53662c3c0bfcd2687cea90d78dd87a1a12626c4f

SHA512
086639194e53d32429a2488224d10ac59bcfd1dd0429dd2a7553b7b04b42c5b76623d5e43a4f129c3609c02978d8d90ec1e2079bdf50017d833e2f3f524aa63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vidoi.exe

Filesize
427KB

MD5
48fc3d5825031e74b20236fd0687fc93

SHA1
f3377af05462b9079bef780ae9493ca64328d8eb

SHA256
f98dbb7baa1f35306611ab561c9df23cc78674126e90632fb2079e561714ba16

SHA512
65bc55d2a85407049ea8baa3862a316fc6cb916c897d1f928c923cbb96c6735fabe08c2710ea754859c74740195be5da4a33273c9c5ff45eb4995dd972d56728

Download Submit
memory/2008-26-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2008-16-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2588-24-0x0000000000200000-0x00000000002A2000-memory.dmp

Filesize
648KB

Download
memory/2588-27-0x0000000000200000-0x00000000002A2000-memory.dmp

Filesize
648KB

Download
memory/2588-29-0x0000000000200000-0x00000000002A2000-memory.dmp

Filesize
648KB

Download
memory/2588-28-0x0000000000200000-0x00000000002A2000-memory.dmp

Filesize
648KB

Download
memory/2588-31-0x0000000000200000-0x00000000002A2000-memory.dmp

Filesize
648KB

Download
memory/2588-32-0x0000000000200000-0x00000000002A2000-memory.dmp

Filesize
648KB

Download
memory/2588-33-0x0000000000200000-0x00000000002A2000-memory.dmp

Filesize
648KB

Download
memory/2588-34-0x0000000000200000-0x00000000002A2000-memory.dmp

Filesize
648KB

Download
memory/2588-35-0x0000000000200000-0x00000000002A2000-memory.dmp

Filesize
648KB

Download
memory/4060-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4060-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download