urelas | 2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9

General

Target

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe
Size

331KB
MD5

9f46a88a877c640281978c2126dcfca0
SHA1

8af546d624e3b68876b0144b4425180c4b9b6de0
SHA256

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9
SHA512

cde030696653d34a6bf44dd92ea964094a14b1bd95b8b411e4b83c5bd60045b64dab0910e445764081c92c202b695176f1343243fb52b170c2b6cfee1d5d09c3
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisa:Nd7rpL43btmQ58Z27zw39gY2FeZh4pd

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\olfob.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2488 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

nucua.exerokozo.exeolfob.exe

pid process

2400 nucua.exe
2968 rokozo.exe
2016 olfob.exe

pid	process
2488	cmd.exe

pid	process
2400	nucua.exe
2968	rokozo.exe
2016	olfob.exe

Loads dropped DLL 5 IoCs

Processes:

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exenucua.exerokozo.exe

pid	process
1048	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe
1048	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe
2400	nucua.exe
2400	nucua.exe
2968	rokozo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

olfob.execmd.exe2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exenucua.execmd.exerokozo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olfob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nucua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rokozo.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

olfob.exe

pid	process
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe
2016	olfob.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exenucua.exerokozo.exe

description	pid	process	target process
PID 1048 wrote to memory of 2400	1048	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	nucua.exe
PID 1048 wrote to memory of 2400	1048	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	nucua.exe
PID 1048 wrote to memory of 2400	1048	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	nucua.exe
PID 1048 wrote to memory of 2400	1048	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	nucua.exe
PID 1048 wrote to memory of 2488	1048	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	cmd.exe
PID 1048 wrote to memory of 2488	1048	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	cmd.exe
PID 1048 wrote to memory of 2488	1048	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	cmd.exe
PID 1048 wrote to memory of 2488	1048	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	cmd.exe
PID 2400 wrote to memory of 2968	2400	nucua.exe	rokozo.exe
PID 2400 wrote to memory of 2968	2400	nucua.exe	rokozo.exe
PID 2400 wrote to memory of 2968	2400	nucua.exe	rokozo.exe
PID 2400 wrote to memory of 2968	2400	nucua.exe	rokozo.exe
PID 2968 wrote to memory of 2016	2968	rokozo.exe	olfob.exe
PID 2968 wrote to memory of 2016	2968	rokozo.exe	olfob.exe
PID 2968 wrote to memory of 2016	2968	rokozo.exe	olfob.exe
PID 2968 wrote to memory of 2016	2968	rokozo.exe	olfob.exe
PID 2968 wrote to memory of 2460	2968	rokozo.exe	cmd.exe
PID 2968 wrote to memory of 2460	2968	rokozo.exe	cmd.exe
PID 2968 wrote to memory of 2460	2968	rokozo.exe	cmd.exe
PID 2968 wrote to memory of 2460	2968	rokozo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe
"C:\Users\Admin\AppData\Local\Temp\2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\nucua.exe
  "C:\Users\Admin\AppData\Local\Temp\nucua.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\rokozo.exe
    "C:\Users\Admin\AppData\Local\Temp\rokozo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\olfob.exe
      "C:\Users\Admin\AppData\Local\Temp\olfob.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
86cca4db67545ca89fd1372ecf2c71da

SHA1
b6155e4c36e29c6fddec853f2f67d8a8823f90c9

SHA256
09fd1e5840466d050a721b8e771c31a8dfc8d0ff37e0b97a222c5e431b9131a4

SHA512
535e9a154840e9a3a41e29bd6b92c8edab476336d3f7e89eff64cfb4ad220eee028a73124fc741a9e70c1290fbc96aa8373a5638e297d333e61a02311ce21a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a363601761f9d6f5fb581075c54c5592

SHA1
5782c466dfb0882265be74731070b353e587abc8

SHA256
1674a99f7c0b440c7059d361c97adeab3f20c2ef0d48f7cb54e22351e99f072b

SHA512
129b6475e7305c602e417da25c17f5847f038431639e771299aa4862585f2721b9dab04c4c0a953f61b2934c6bf00e31a23ac65c315c50edd610c510c4b71197

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
98637b4f081f00f078ad615f4d7a5852

SHA1
2aecebbbc21a91860882bcca01e6f5e6ceddb0ad

SHA256
17a9739dc4f65932d20a10ddc99f99ed41d57a24e6f7043828dda0a77e5012e5

SHA512
4a01bfe3bcbc165e7e1bb87309efefb83d3b7c5c0cfcc84910c3cd93180c8d1fa47d562ea23690c279241987b125cbad0492bd0d640694b1c9323c9727e63ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nucua.exe

Filesize
331KB

MD5
c45918327ab5dba9846b9adc38f5f64f

SHA1
f0d7b49a3403cb6703c59ccb6fc040054261ee81

SHA256
eb2729eecee509b67aa670c1f4832ba27ac7285831e14dd46bf342d8b3ca7b81

SHA512
5fcc01346825ce2ed469ee364a8630a7753afdc6a477768b9778aef80a6ce7f036cd3e047236eef927c57147afa3069637a550d7b71324a53774d4d727774462

Download Submit
\Users\Admin\AppData\Local\Temp\olfob.exe

Filesize
136KB

MD5
3d96232078754c3cbc0be6a80e03de26

SHA1
a8c2832f70879aac50d6188984927f9f5ba9bd21

SHA256
945cdf4338ad7699cc7e448da7c88e859542a6e798de32cbd8f9a76d54165d62

SHA512
c016bca5c747097d0337cea4637fa0e28a3c3b2469ed7949a1022a9a5bc55bac215eb4447656045b2b5e229adff06801cda3c4ed603aff4cad120ecdc0e79dfd

Download Submit
memory/1048-22-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1048-1-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1048-20-0x00000000024A0000-0x00000000024F8000-memory.dmp

Filesize
352KB

Download
memory/2016-50-0x0000000000CC0000-0x0000000000D4C000-memory.dmp

Filesize
560KB

Download
memory/2016-61-0x0000000000CC0000-0x0000000000D4C000-memory.dmp

Filesize
560KB

Download
memory/2016-63-0x0000000000CC0000-0x0000000000D4C000-memory.dmp

Filesize
560KB

Download
memory/2016-62-0x0000000000CC0000-0x0000000000D4C000-memory.dmp

Filesize
560KB

Download
memory/2016-49-0x0000000000CC0000-0x0000000000D4C000-memory.dmp

Filesize
560KB

Download
memory/2016-48-0x0000000000CC0000-0x0000000000D4C000-memory.dmp

Filesize
560KB

Download
memory/2400-33-0x00000000036B0000-0x0000000003708000-memory.dmp

Filesize
352KB

Download
memory/2400-34-0x00000000036B0000-0x0000000003708000-memory.dmp

Filesize
352KB

Download
memory/2400-35-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2400-21-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2968-37-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2968-44-0x0000000002E20000-0x0000000002EAC000-memory.dmp

Filesize
560KB

Download
memory/2968-58-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2968-38-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads