urelas | 2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe
Size

331KB
MD5

9f46a88a877c640281978c2126dcfca0
SHA1

8af546d624e3b68876b0144b4425180c4b9b6de0
SHA256

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9
SHA512

cde030696653d34a6bf44dd92ea964094a14b1bd95b8b411e4b83c5bd60045b64dab0910e445764081c92c202b695176f1343243fb52b170c2b6cfee1d5d09c3
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisa:Nd7rpL43btmQ58Z27zw39gY2FeZh4pd

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0002000000021eaa-31.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	vogyh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	iglifu.exe

Executes dropped EXE 3 IoCs

pid	Process
2652	vogyh.exe
4308	iglifu.exe
2320	sanis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vogyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iglifu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sanis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe
2320	sanis.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2652	2108	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	83
PID 2108 wrote to memory of 2652	2108	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	83
PID 2108 wrote to memory of 2652	2108	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	83
PID 2108 wrote to memory of 2236	2108	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	84
PID 2108 wrote to memory of 2236	2108	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	84
PID 2108 wrote to memory of 2236	2108	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe	84
PID 2652 wrote to memory of 4308	2652	vogyh.exe	86
PID 2652 wrote to memory of 4308	2652	vogyh.exe	86
PID 2652 wrote to memory of 4308	2652	vogyh.exe	86
PID 4308 wrote to memory of 2320	4308	iglifu.exe	106
PID 4308 wrote to memory of 2320	4308	iglifu.exe	106
PID 4308 wrote to memory of 2320	4308	iglifu.exe	106
PID 4308 wrote to memory of 2856	4308	iglifu.exe	107
PID 4308 wrote to memory of 2856	4308	iglifu.exe	107
PID 4308 wrote to memory of 2856	4308	iglifu.exe	107

C:\Users\Admin\AppData\Local\Temp\2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe
"C:\Users\Admin\AppData\Local\Temp\2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\vogyh.exe
  "C:\Users\Admin\AppData\Local\Temp\vogyh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\iglifu.exe
    "C:\Users\Admin\AppData\Local\Temp\iglifu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\sanis.exe
      "C:\Users\Admin\AppData\Local\Temp\sanis.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
e00d1cb186bcb0ed8fe9ed6c09a1adeb

SHA1
b9fbf702be49595621ffd40fc46ed1c666787f5a

SHA256
3bf78b9f4f094830c15ec00a5192cb8c13c6e54012380e67129c04550bce0859

SHA512
3f4598d9603cd09e9bc650967072434236f7a86315c8e4b668063e2ed363f3c81e202323c788357ae8e9b17c7439a660e4de12dea90b7d94e47c48838830485a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
86cca4db67545ca89fd1372ecf2c71da

SHA1
b6155e4c36e29c6fddec853f2f67d8a8823f90c9

SHA256
09fd1e5840466d050a721b8e771c31a8dfc8d0ff37e0b97a222c5e431b9131a4

SHA512
535e9a154840e9a3a41e29bd6b92c8edab476336d3f7e89eff64cfb4ad220eee028a73124fc741a9e70c1290fbc96aa8373a5638e297d333e61a02311ce21a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
82c72b908fe630a54a1d978650e30d4d

SHA1
9ef4830e9f0af5fd610a321704c38133141d9e49

SHA256
d354c08121b4044af837e7b3317edf1d994f5c3c10b15f7c4d55df47e6f6be36

SHA512
ec42c362b9f63b8ecc371d5dd5513c3f9463f3a30bf3a334a12dda324828ab89088db1b98795c3796d0f6e774870cc469dd3d8b948583f0f794379c692ec5920

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanis.exe

Filesize
136KB

MD5
44b0cdab64aaee9d2841e78d4408004a

SHA1
97560766995e1280dc17f7f5cb4c44e31875bfbb

SHA256
8b9f0bc638bcd98aae4af3a31ced9ba708c19adf4badc821cccb3e4f62ff44a9

SHA512
3e7e6f0e19999d8bb85648029785b30082ae6c2735c420948f47fef8146538a2869127116ed8ea407716d143e7f2dc60f6c2d7381ff6a4274d0e8c234d6c9c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vogyh.exe

Filesize
331KB

MD5
0e58c1c275c1bfe71ef65ffadb07065f

SHA1
cddeba580766270e826c21895016b6b6f498677e

SHA256
d53470ce22fcd3449f7051cf18591a39ca02c8eb00a7ef17eeb23cd428cf5077

SHA512
c608adc832abf31f4128ae7d0ab96aa9a63bdc88dee9803119462cdab9e5f185022263e5312927415700571f0d05c280205f2560d32584079c92b186c8f2b5ef

Download Submit
memory/2108-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2108-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2320-35-0x00000000004A0000-0x000000000052C000-memory.dmp

Filesize
560KB

Download
memory/2320-42-0x00000000004A0000-0x000000000052C000-memory.dmp

Filesize
560KB

Download
memory/2320-40-0x00000000004A0000-0x000000000052C000-memory.dmp

Filesize
560KB

Download
memory/2320-41-0x00000000004A0000-0x000000000052C000-memory.dmp

Filesize
560KB

Download
memory/2320-44-0x00000000004A0000-0x000000000052C000-memory.dmp

Filesize
560KB

Download
memory/2320-45-0x00000000004A0000-0x000000000052C000-memory.dmp

Filesize
560KB

Download
memory/2320-46-0x00000000004A0000-0x000000000052C000-memory.dmp

Filesize
560KB

Download
memory/2652-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4308-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4308-39-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download