urelas | 2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9

General

Target

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe
Size

331KB
MD5

9f46a88a877c640281978c2126dcfca0
SHA1

8af546d624e3b68876b0144b4425180c4b9b6de0
SHA256

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9
SHA512

cde030696653d34a6bf44dd92ea964094a14b1bd95b8b411e4b83c5bd60045b64dab0910e445764081c92c202b695176f1343243fb52b170c2b6cfee1d5d09c3
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisa:Nd7rpL43btmQ58Z27zw39gY2FeZh4pd

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\wojor.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2180 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

keziq.exewaygop.exewojor.exe

pid process

1776 keziq.exe
2768 waygop.exe
2936 wojor.exe

pid	process
2180	cmd.exe

pid	process
1776	keziq.exe
2768	waygop.exe
2936	wojor.exe

Loads dropped DLL 5 IoCs

Processes:

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exekeziq.exewaygop.exe

pid	process
1732	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe
1732	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe
1776	keziq.exe
1776	keziq.exe
2768	waygop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exekeziq.exewaygop.execmd.exewojor.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keziq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waygop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wojor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

wojor.exe

pid	process
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe
2936	wojor.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exekeziq.exewaygop.exe

description	pid	process	target process
PID 1732 wrote to memory of 1776	1732	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	keziq.exe
PID 1732 wrote to memory of 1776	1732	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	keziq.exe
PID 1732 wrote to memory of 1776	1732	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	keziq.exe
PID 1732 wrote to memory of 1776	1732	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	keziq.exe
PID 1732 wrote to memory of 2180	1732	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	cmd.exe
PID 1732 wrote to memory of 2180	1732	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	cmd.exe
PID 1732 wrote to memory of 2180	1732	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	cmd.exe
PID 1732 wrote to memory of 2180	1732	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	cmd.exe
PID 1776 wrote to memory of 2768	1776	keziq.exe	waygop.exe
PID 1776 wrote to memory of 2768	1776	keziq.exe	waygop.exe
PID 1776 wrote to memory of 2768	1776	keziq.exe	waygop.exe
PID 1776 wrote to memory of 2768	1776	keziq.exe	waygop.exe
PID 2768 wrote to memory of 2936	2768	waygop.exe	wojor.exe
PID 2768 wrote to memory of 2936	2768	waygop.exe	wojor.exe
PID 2768 wrote to memory of 2936	2768	waygop.exe	wojor.exe
PID 2768 wrote to memory of 2936	2768	waygop.exe	wojor.exe
PID 2768 wrote to memory of 2568	2768	waygop.exe	cmd.exe
PID 2768 wrote to memory of 2568	2768	waygop.exe	cmd.exe
PID 2768 wrote to memory of 2568	2768	waygop.exe	cmd.exe
PID 2768 wrote to memory of 2568	2768	waygop.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe
"C:\Users\Admin\AppData\Local\Temp\2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\keziq.exe
  "C:\Users\Admin\AppData\Local\Temp\keziq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\waygop.exe
    "C:\Users\Admin\AppData\Local\Temp\waygop.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\wojor.exe
      "C:\Users\Admin\AppData\Local\Temp\wojor.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
d77a30cc72ba151d144f6bb92066f587

SHA1
cbeadc5ce60eb98b851a71503c397333e0eed6b4

SHA256
556f59a530c8e33bdd312884026fdefd390e091b67a0dd843542f2fa0b682b69

SHA512
b2b30fd16f693df0e7e9319b2f9476b6d583f96920b58b2a045689934451bb1eb1a4ed00700d85ff757e1d366e9af0244bb2f2beb1da7d1ff2f9ddab2d5488c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
3f56f219c434c10c21aee79e1638f972

SHA1
c4a229b1ba0416accd744973e209ece5baddd56a

SHA256
356ead859d9b95078d28d7cde1aeb77a9b897a11d5b49ab573e493e2d89db22f

SHA512
8b3ad426b470481c46f68c292a3d345cbf3460d51b35a661b03220d5681480be2e4fffbb2cf7dc4931eab8d62f79f8ec9991cbfe9c4f7ef35edfb302c71e037e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9e732c9005f4ac9f6b1046bf1636f68e

SHA1
04c1f6bf7e7f0b12475b43fd40092ffedf6a4619

SHA256
f5c5c7c02d8e9bfdfe04d13fbf9a0f73731e73e694595f70508fcb39844d77cb

SHA512
27d80df36ad015389f95cfe9d9ec094c703273d6ecf0fcdca74fa19f39c149514f8a22c366b28615ec6aba08814e33493b37da62fd184101a551c245a78ec80f

Download Submit
\Users\Admin\AppData\Local\Temp\keziq.exe

Filesize
331KB

MD5
1c76f4f8f85e14a3304c125183dcddce

SHA1
cc605bee482ef861d59a384a92773b9fde530b86

SHA256
d091241b7c10abdb98532bac9e38ac9b99fed802745902d07fbd5e137239d21d

SHA512
776e1b9f613c4d1bc97bc772f9479abb3d3e6ee27e2e582c5d1a59070cfbf771404b42e92d81f418ffa9e12548d7992c32698c856a49565a9e38d4ddae91dfd1

Download Submit
\Users\Admin\AppData\Local\Temp\wojor.exe

Filesize
136KB

MD5
5497c5c981b269ff0485469f60e3b254

SHA1
19f3dd3de750f4fc394e2109474a429d5854f4a5

SHA256
f5f679ae11a8ba73b41672e5536c8e0aa4c61dc3f3568ee9781380df8d44f250

SHA512
7d1008da0f41912671cb4c021daee05b9cdcbbcdf7788b67c041f52e8b86636e473dd84ef34f1f04c81859b38f37b2a684dde4d0d777baf9e7290c7e1d5bc319

Download Submit
memory/1732-22-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1732-19-0x0000000002690000-0x00000000026E8000-memory.dmp

Filesize
352KB

Download
memory/1732-2-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1776-34-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1776-20-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2768-33-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2768-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2768-57-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2768-52-0x0000000003070000-0x00000000030FC000-memory.dmp

Filesize
560KB

Download
memory/2936-56-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Filesize
560KB

Download
memory/2936-53-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Filesize
560KB

Download
memory/2936-54-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Filesize
560KB

Download
memory/2936-55-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Filesize
560KB

Download
memory/2936-60-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Filesize
560KB

Download
memory/2936-61-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Filesize
560KB

Download
memory/2936-62-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Filesize
560KB

Download
memory/2936-63-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Filesize
560KB

Download
memory/2936-64-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Filesize
560KB

Download
memory/2936-65-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads