urelas | b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe
Size

331KB
MD5

a19061efa0ec169b8185848b9cd64970
SHA1

a66e713f8e8a839ea26521c0bd919f3bcd3b9c34
SHA256

b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9
SHA512

dca58cabf92c1eb225c87a7f377aae5a52cc081779567a5d042c2c174a3bc15d520df8e45afd5f5d051437dbb3a59e4a2a4b4f82f5c8154b0470687804883b8d
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisn:Nd7rpL43btmQ58Z27zw39gY2FeZh4A

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral2/files/0x0002000000021f52-31.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

koxazi.exeb4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exedyawv.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	koxazi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dyawv.exe

Executes dropped EXE 3 IoCs

Processes:

dyawv.exekoxazi.execihor.exe

pid	Process
1228	dyawv.exe
2328	koxazi.exe
4152	cihor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exedyawv.execmd.exekoxazi.execihor.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyawv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koxazi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cihor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

cihor.exe

pid	Process
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe
4152	cihor.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exedyawv.exekoxazi.exe

description	pid	Process	procid_target
PID 4972 wrote to memory of 1228	4972	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	85
PID 4972 wrote to memory of 1228	4972	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	85
PID 4972 wrote to memory of 1228	4972	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	85
PID 4972 wrote to memory of 2624	4972	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	86
PID 4972 wrote to memory of 2624	4972	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	86
PID 4972 wrote to memory of 2624	4972	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	86
PID 1228 wrote to memory of 2328	1228	dyawv.exe	88
PID 1228 wrote to memory of 2328	1228	dyawv.exe	88
PID 1228 wrote to memory of 2328	1228	dyawv.exe	88
PID 2328 wrote to memory of 4152	2328	koxazi.exe	99
PID 2328 wrote to memory of 4152	2328	koxazi.exe	99
PID 2328 wrote to memory of 4152	2328	koxazi.exe	99
PID 2328 wrote to memory of 4292	2328	koxazi.exe	100
PID 2328 wrote to memory of 4292	2328	koxazi.exe	100
PID 2328 wrote to memory of 4292	2328	koxazi.exe	100

C:\Users\Admin\AppData\Local\Temp\b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe
"C:\Users\Admin\AppData\Local\Temp\b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\dyawv.exe
  "C:\Users\Admin\AppData\Local\Temp\dyawv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\koxazi.exe
    "C:\Users\Admin\AppData\Local\Temp\koxazi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\cihor.exe
      "C:\Users\Admin\AppData\Local\Temp\cihor.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
5e89e6d675c60a47ed8e6a7e0a424109

SHA1
4bfa84c0181591fb336eaea476094a9e385abb17

SHA256
33396f80da0f4e3789ef789a5ea42c7d1db0554140c9a2881aca5f0abff707c1

SHA512
f406c55180a85b96498cd746ecfefa94fb50bc96cdc17492e5bd5356da6ce1cbac2b164890092929e36939cce37533b7e2072711acf913ada48d7311e650776e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4097b979b5512c8fdd8b096745e22999

SHA1
47a22c99366ca85dfe3692cf819c376c4028e297

SHA256
98138d4b1a6a35308899d9245b59f5babd9d2ca6cccfd453a32d5a10156276f8

SHA512
33eb3891e8034c8a00b2aaeb0caf32f4cc204abd89f1998d1f1dc2bd26b0050413220bb3f94b00db1062a412a2a57c10e1fe666a4af307c420d9c6f65bd75338

Download Submit
C:\Users\Admin\AppData\Local\Temp\cihor.exe

Filesize
136KB

MD5
00ef217cc7583245bdc2f85a921f55ff

SHA1
41d9b45537aad032b66ec9cebc43f60a3e68e5bc

SHA256
30179ad40a8b1b4363db78632b357244fb0ad95a161692300f1edb2ac9f8db70

SHA512
88962a0bb683018bef8f8b44c957b326264f33d62fb69c025f4f78418da6cad0b86426a634b6e6a0afbeb0e057db2a76b86f303876ecff8cdd327c8ccb4f9065

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyawv.exe

Filesize
331KB

MD5
fcc104be554a9b8d7f226156a285539e

SHA1
0a01cfbc7eed64cd92d07fbffec95fc9c881850c

SHA256
9c25ff4e01a0a2e005952c51e4bde98d4fa2b42a4b517d882ac30e455190ca69

SHA512
1eccf900a504e5accd889855b98fa6c376c5be8f46e959e09781d940e79068aa60370877719f7626221b5a597c70b320f6ab55ca52e158a019648fcc3d295917

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aa87927a75c3b6f098a2ffb283ecbc56

SHA1
20dca9d6ba7fc0b7361110816eff536125f5b799

SHA256
bdbc547723fa2377809526fcd71673f8ff909c7b1ddac8c07482b9cca7c5df9a

SHA512
218c0e39d51418da460ac70ab059dff5ef15e14e50c399fb6c4d572cf996ef3b2b02991552b184ba0574ae25e40382aee63297dd07d0a5229ddc8b6cd31b9a0d

Download Submit
memory/1228-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2328-42-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2328-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4152-38-0x0000000000100000-0x000000000018C000-memory.dmp

Filesize
560KB

Download
memory/4152-41-0x0000000000100000-0x000000000018C000-memory.dmp

Filesize
560KB

Download
memory/4152-39-0x0000000000100000-0x000000000018C000-memory.dmp

Filesize
560KB

Download
memory/4152-37-0x0000000000100000-0x000000000018C000-memory.dmp

Filesize
560KB

Download
memory/4152-44-0x0000000000100000-0x000000000018C000-memory.dmp

Filesize
560KB

Download
memory/4152-45-0x0000000000100000-0x000000000018C000-memory.dmp

Filesize
560KB

Download
memory/4152-46-0x0000000000100000-0x000000000018C000-memory.dmp

Filesize
560KB

Download
memory/4972-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4972-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download