urelas | fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1

General

Target

fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe
Size

332KB
MD5

d7bec197c8269cec9ea1905b570e5460
SHA1

8f10fc96f5e1c8bbed1fa5a609acf0377dca5c33
SHA256

fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1
SHA512

6fb568547dd2f76dc1c21ad14fcb3a95ef6d34f226a5450eeca3d3782b0dd416ed1794323a104e1c110dc6dfe8ffa3f63bbe10e92180e052e24119577574978a
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisq:Nd7rpL43btmQ58Z27zw39gY2FeZhmzX

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\luaqv.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2168 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

sowyn.exeoqsiva.exeluaqv.exe

pid process

1052 sowyn.exe
2748 oqsiva.exe
704 luaqv.exe

pid	process
2168	cmd.exe

pid	process
1052	sowyn.exe
2748	oqsiva.exe
704	luaqv.exe

Loads dropped DLL 5 IoCs

Processes:

fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exesowyn.exeoqsiva.exe

pid	process
548	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe
548	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe
1052	sowyn.exe
1052	sowyn.exe
2748	oqsiva.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

luaqv.execmd.exefc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exesowyn.execmd.exeoqsiva.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luaqv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sowyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oqsiva.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

luaqv.exe

pid	process
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe
704	luaqv.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exesowyn.exeoqsiva.exe

description	pid	process	target process
PID 548 wrote to memory of 1052	548	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	sowyn.exe
PID 548 wrote to memory of 1052	548	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	sowyn.exe
PID 548 wrote to memory of 1052	548	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	sowyn.exe
PID 548 wrote to memory of 1052	548	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	sowyn.exe
PID 548 wrote to memory of 2168	548	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	cmd.exe
PID 548 wrote to memory of 2168	548	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	cmd.exe
PID 548 wrote to memory of 2168	548	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	cmd.exe
PID 548 wrote to memory of 2168	548	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	cmd.exe
PID 1052 wrote to memory of 2748	1052	sowyn.exe	oqsiva.exe
PID 1052 wrote to memory of 2748	1052	sowyn.exe	oqsiva.exe
PID 1052 wrote to memory of 2748	1052	sowyn.exe	oqsiva.exe
PID 1052 wrote to memory of 2748	1052	sowyn.exe	oqsiva.exe
PID 2748 wrote to memory of 704	2748	oqsiva.exe	luaqv.exe
PID 2748 wrote to memory of 704	2748	oqsiva.exe	luaqv.exe
PID 2748 wrote to memory of 704	2748	oqsiva.exe	luaqv.exe
PID 2748 wrote to memory of 704	2748	oqsiva.exe	luaqv.exe
PID 2748 wrote to memory of 1268	2748	oqsiva.exe	cmd.exe
PID 2748 wrote to memory of 1268	2748	oqsiva.exe	cmd.exe
PID 2748 wrote to memory of 1268	2748	oqsiva.exe	cmd.exe
PID 2748 wrote to memory of 1268	2748	oqsiva.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe
"C:\Users\Admin\AppData\Local\Temp\fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\sowyn.exe
  "C:\Users\Admin\AppData\Local\Temp\sowyn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\oqsiva.exe
    "C:\Users\Admin\AppData\Local\Temp\oqsiva.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\luaqv.exe
      "C:\Users\Admin\AppData\Local\Temp\luaqv.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
bf638f960b44c23b7778c8805b7a7a28

SHA1
37bcfac6b30443d839750d33d6238bc791ac0b78

SHA256
571a8614bcd9778788d6a2f631f950531b2686141f9a4862025078265acd7067

SHA512
dc8f56656529ad22e3672bca101ca40606db941ebfc46e7f195ef6394c929ca1cbf1b02a46cb1124273c099095a3f913a40777931da2475804b7f42480d4340c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
dbc28b8ead427eecff90ad5c2b286725

SHA1
842de407e4769f541d6b8ff676bbe88a77ad3f77

SHA256
eab23681e4205ebc6c6cfcdc4501c660759ac4855b4abbb18ef1e4c26d518735

SHA512
f46d22bb4ede0f39d0d6d05cc820c6c9b6f29ed6a4608c55f06e44f4a30f05fc3a792b3db64c0c53cab3f12f0e40e71604f8dea94d683a669629cc6aa8d0d112

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f1e92b78a2d738db2ee753671371f36d

SHA1
e09f703c5acdb41b60aaa4372e6d5666d8f71564

SHA256
b74276955e89cb19e26c44a2fc629e77784b5cac5a98e84e8ea5bb8155eac154

SHA512
efb6dac717cf65b034b3db692a521e626539eabbfcf9ba2c7e5af7db50576f00b12a7ecdb2bee2c6ad7e8ce3b6920a9ac54aab181cb64409460e301a72498139

Download Submit
\Users\Admin\AppData\Local\Temp\luaqv.exe

Filesize
136KB

MD5
a468729630d4281ab15862c7e649192c

SHA1
ea23d1d0dc787001917a3e3b2763b572d40f296f

SHA256
5bc13be5aa5b42c5ac9963040d2e5386c5813eeb899d4b82a3c3afbdd5f64c96

SHA512
5dfca96ebae4b9771dccb7f90bcc757331f901942399032d0882c2a23da6185da789d334d8f9f89deec61f05ca0b7061fd281ba31a6d2ec84e74c293672ec08d

Download Submit
\Users\Admin\AppData\Local\Temp\sowyn.exe

Filesize
332KB

MD5
4c78d4e96cc1b7e65e4e6d84abfe1bfd

SHA1
546995c1ecd6d96236d4f9d3e0f28f5af430b866

SHA256
b8e85cb3ac064fcbb785535afba4ea587c64c3af49d723c835f5768c3455bade

SHA512
c14825a1cc4c06ebd85608e7260fe9a91fe5dc789066ba6cfcdf56c0cb09e73132f70987cac3685919ee2e3d64ae4077f82262215c6b14a8f1e7d8993ffcdae9

Download Submit
memory/548-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/548-23-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/548-11-0x0000000002BA0000-0x0000000002BF8000-memory.dmp

Filesize
352KB

Download
memory/704-45-0x00000000012A0000-0x000000000132C000-memory.dmp

Filesize
560KB

Download
memory/704-46-0x00000000012A0000-0x000000000132C000-memory.dmp

Filesize
560KB

Download
memory/704-44-0x00000000012A0000-0x000000000132C000-memory.dmp

Filesize
560KB

Download
memory/704-57-0x00000000012A0000-0x000000000132C000-memory.dmp

Filesize
560KB

Download
memory/704-58-0x00000000012A0000-0x000000000132C000-memory.dmp

Filesize
560KB

Download
memory/704-59-0x00000000012A0000-0x000000000132C000-memory.dmp

Filesize
560KB

Download
memory/1052-32-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2748-40-0x0000000003D50000-0x0000000003DDC000-memory.dmp

Filesize
560KB

Download
memory/2748-34-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2748-54-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads