urelas | f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273

General

Target

f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe
Size

332KB
MD5

5c4df1da18e57a71efdf938e40d62efd
SHA1

cf6f8ada5a361b75ab2a82ec0856363f26e4fbda
SHA256

f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273
SHA512

866633d215a632f5b91511077c9efb3085fe818168d7d0fdb472b9bcb229392e9dcbca302b0dbdd16e20d27619514dea28e63e551d680a0d6fec142ed6632d41
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisq:Nd7rpL43btmQ58Z27zw39gY2FeZhmz3

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\revyw.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1992 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

jejyi.exewoifgy.exerevyw.exe

pid process

2060 jejyi.exe
2364 woifgy.exe
1344 revyw.exe

pid	process
1992	cmd.exe

pid	process
2060	jejyi.exe
2364	woifgy.exe
1344	revyw.exe

Loads dropped DLL 5 IoCs

Processes:

f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exejejyi.exewoifgy.exe

pid	process
2580	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe
2580	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe
2060	jejyi.exe
2060	jejyi.exe
2364	woifgy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

woifgy.execmd.exerevyw.exef2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exejejyi.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woifgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	revyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jejyi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

revyw.exe

pid	process
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe
1344	revyw.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exejejyi.exewoifgy.exe

description	pid	process	target process
PID 2580 wrote to memory of 2060	2580	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	jejyi.exe
PID 2580 wrote to memory of 2060	2580	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	jejyi.exe
PID 2580 wrote to memory of 2060	2580	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	jejyi.exe
PID 2580 wrote to memory of 2060	2580	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	jejyi.exe
PID 2580 wrote to memory of 1992	2580	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	cmd.exe
PID 2580 wrote to memory of 1992	2580	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	cmd.exe
PID 2580 wrote to memory of 1992	2580	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	cmd.exe
PID 2580 wrote to memory of 1992	2580	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	cmd.exe
PID 2060 wrote to memory of 2364	2060	jejyi.exe	woifgy.exe
PID 2060 wrote to memory of 2364	2060	jejyi.exe	woifgy.exe
PID 2060 wrote to memory of 2364	2060	jejyi.exe	woifgy.exe
PID 2060 wrote to memory of 2364	2060	jejyi.exe	woifgy.exe
PID 2364 wrote to memory of 1344	2364	woifgy.exe	revyw.exe
PID 2364 wrote to memory of 1344	2364	woifgy.exe	revyw.exe
PID 2364 wrote to memory of 1344	2364	woifgy.exe	revyw.exe
PID 2364 wrote to memory of 1344	2364	woifgy.exe	revyw.exe
PID 2364 wrote to memory of 1424	2364	woifgy.exe	cmd.exe
PID 2364 wrote to memory of 1424	2364	woifgy.exe	cmd.exe
PID 2364 wrote to memory of 1424	2364	woifgy.exe	cmd.exe
PID 2364 wrote to memory of 1424	2364	woifgy.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe
"C:\Users\Admin\AppData\Local\Temp\f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\jejyi.exe
  "C:\Users\Admin\AppData\Local\Temp\jejyi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\woifgy.exe
    "C:\Users\Admin\AppData\Local\Temp\woifgy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\revyw.exe
      "C:\Users\Admin\AppData\Local\Temp\revyw.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1344
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
47dc7a732156b403ca0a12d9d5bee20f

SHA1
3e0ae0b28a40825edf05e7fab0b82e30186efeb1

SHA256
32de4e314c03eea206a03270e0880fa0d093978b808ef2118c75f891f9803890

SHA512
5585243b21f28f8373435f0d438585f8145fc9e8e83ba361f51e488a2b7999c8208125b9a984072d363b94467db29d0594ce50b5e035e5e388244b2b80b68693

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9711d59aaa882382e6ab219b6127826c

SHA1
176320806b155cb83cfba25656fa881cf2223a1d

SHA256
693996b7924fcf5990fad0648d2a2002cc91069cd6425fea6764374df1981c09

SHA512
a8b4a5b186accc1de0f443d8e713e5f4908078f6346c0a5bb418de4497fd71e4dbb0a436c630ca1d7669ab61db863c826294aeaeece43367716bc692ca0b88f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
483113a796a1f65170a908cc60afdde5

SHA1
86f72a30cdb7e3bb05f6f1210627849cacfa1177

SHA256
be097ec1ecf335fd6538f633bddd6138ce676443d40cc9b772cc2667f48758f2

SHA512
de572303c4010a9ce25f4657b63d082810b4bd66a2a13dae21373632ab07c18636c732ff55480363b97dc0bca7ecb1cc8e563f9f953a7f9f9d74239420c1dcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jejyi.exe

Filesize
332KB

MD5
c0ae4e0ebe42883afd4f9fb32df80acd

SHA1
e8f86eb435e6358e625270fc10f1b67cfc6e6475

SHA256
55c6cdae432e4a28980fe518745d7dd874c70c1aaa083b6f24c8d70e86ad7484

SHA512
1a9238a18d2d4dd7279da91b8d55b58ad3095c9f6f51b8962b8d8bd811a115c07d75303a8f9e7161ce035c1bea47673d42fb4df763b30bed9341f097cab3f5f7

Download Submit
\Users\Admin\AppData\Local\Temp\revyw.exe

Filesize
136KB

MD5
c3feb6429a1d4ae693f50094cfd8c1cb

SHA1
1ad3ae4d3fdb8329d227300f82f168b60660a6eb

SHA256
87d033bfc4c33be2f461d6f4e8842b652d245335541e57dac56bc9e4718b824f

SHA512
f577fe3e39479f8d9942cd136db2b77914d63d556e78e6f09171463135c69cc4c9acfb789453ec5f7e78712dcb03ff94897dbfb532da3ccef6b7eaeca385749b

Download Submit
memory/1344-58-0x0000000000E30000-0x0000000000EBC000-memory.dmp

Filesize
560KB

Download
memory/1344-57-0x0000000000E30000-0x0000000000EBC000-memory.dmp

Filesize
560KB

Download
memory/1344-63-0x0000000000E30000-0x0000000000EBC000-memory.dmp

Filesize
560KB

Download
memory/1344-62-0x0000000000E30000-0x0000000000EBC000-memory.dmp

Filesize
560KB

Download
memory/1344-61-0x0000000000E30000-0x0000000000EBC000-memory.dmp

Filesize
560KB

Download
memory/1344-55-0x0000000000E30000-0x0000000000EBC000-memory.dmp

Filesize
560KB

Download
memory/1344-56-0x0000000000E30000-0x0000000000EBC000-memory.dmp

Filesize
560KB

Download
memory/2060-23-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2060-35-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2364-54-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2364-43-0x0000000003AE0000-0x0000000003B6C000-memory.dmp

Filesize
560KB

Download
memory/2364-37-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2364-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2580-20-0x0000000001EE0000-0x0000000001F38000-memory.dmp

Filesize
352KB

Download
memory/2580-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2580-22-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2580-19-0x0000000001EE0000-0x0000000001F38000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads