urelas | fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe
Size

332KB
MD5

d7bec197c8269cec9ea1905b570e5460
SHA1

8f10fc96f5e1c8bbed1fa5a609acf0377dca5c33
SHA256

fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1
SHA512

6fb568547dd2f76dc1c21ad14fcb3a95ef6d34f226a5450eeca3d3782b0dd416ed1794323a104e1c110dc6dfe8ffa3f63bbe10e92180e052e24119577574978a
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisq:Nd7rpL43btmQ58Z27zw39gY2FeZhmzX

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral2/files/0x0002000000022188-31.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exekukoz.exevubure.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	kukoz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	vubure.exe

Executes dropped EXE 3 IoCs

Processes:

kukoz.exevubure.exevejuu.exe

pid	Process
2356	kukoz.exe
4280	vubure.exe
4836	vejuu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kukoz.execmd.exevubure.exevejuu.execmd.exefc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kukoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vubure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vejuu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

vejuu.exe

pid	Process
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe
4836	vejuu.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exekukoz.exevubure.exe

description	pid	Process	procid_target
PID 464 wrote to memory of 2356	464	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	84
PID 464 wrote to memory of 2356	464	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	84
PID 464 wrote to memory of 2356	464	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	84
PID 464 wrote to memory of 2096	464	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	85
PID 464 wrote to memory of 2096	464	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	85
PID 464 wrote to memory of 2096	464	fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe	85
PID 2356 wrote to memory of 4280	2356	kukoz.exe	87
PID 2356 wrote to memory of 4280	2356	kukoz.exe	87
PID 2356 wrote to memory of 4280	2356	kukoz.exe	87
PID 4280 wrote to memory of 4836	4280	vubure.exe	107
PID 4280 wrote to memory of 4836	4280	vubure.exe	107
PID 4280 wrote to memory of 4836	4280	vubure.exe	107
PID 4280 wrote to memory of 1216	4280	vubure.exe	108
PID 4280 wrote to memory of 1216	4280	vubure.exe	108
PID 4280 wrote to memory of 1216	4280	vubure.exe	108

C:\Users\Admin\AppData\Local\Temp\fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe
"C:\Users\Admin\AppData\Local\Temp\fc2a8dce0c6f439b115915224de2c6fcb3ecf44e853095ab70142c6e06b052b1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:464
- C:\Users\Admin\AppData\Local\Temp\kukoz.exe
  "C:\Users\Admin\AppData\Local\Temp\kukoz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\vubure.exe
    "C:\Users\Admin\AppData\Local\Temp\vubure.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\vejuu.exe
      "C:\Users\Admin\AppData\Local\Temp\vejuu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
caba5c078ab6a832599e73c3ac7d8541

SHA1
ef59c67870f1ba8cde708437fb274c8fb24c2994

SHA256
09ab3d80cf337bed882e14aae7d6b211e3416a0cc314602c0bd5d3afa42e7dd8

SHA512
44a0953cfe8e2e859b900c055eaa063423455bc14ba0743692c655929d85aa2fac8985688dcf14e31b0109dea946f678706dcb026c2d1a82cd7ceb1f0b47f503

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
bf638f960b44c23b7778c8805b7a7a28

SHA1
37bcfac6b30443d839750d33d6238bc791ac0b78

SHA256
571a8614bcd9778788d6a2f631f950531b2686141f9a4862025078265acd7067

SHA512
dc8f56656529ad22e3672bca101ca40606db941ebfc46e7f195ef6394c929ca1cbf1b02a46cb1124273c099095a3f913a40777931da2475804b7f42480d4340c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
756877b3c34f46d5115b79e5dbe9d8fc

SHA1
4789907b75a018f9607fc65629a246bdd72ebcfd

SHA256
65daa88562d8e5975c8fb1e8d4ea348b859ae36638b96f70b0b8e1d7bf49916f

SHA512
6b2facf06a3db2e7efca90d1ef67973b69407e7a1061a824ebd25923dec58b31b993813158537d153f081a60f2eb3749652dd8bada91879659c8e39d811bd8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\kukoz.exe

Filesize
332KB

MD5
494f2599f2df5960cc1496f8dcd51e60

SHA1
52242b9c7f667534a47148bcf706fc3219260562

SHA256
c0388123451b37a8970b45f907f36b197ee2a78f5d9c70773e51ea53c8a35b61

SHA512
3f61887fba09762bbfecb88d122c615c49cf583a73bedd1b8154f06045ca22ce8309747f1b10148de2f38d68a5b2de0a906a458f50e327d8b111d56bf3206e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vejuu.exe

Filesize
136KB

MD5
5a076e6b15dc4747bde5b0751f9e9c47

SHA1
f66c1488261ea90c3a0245c313f88d5a2ea4fbc3

SHA256
4ac4b2723470ba6645bf470181d417ecc7ea95edc8bdaf4e58e948b7a2b5bb70

SHA512
d75f0dd111e5337b4ad633543b58f8d73262e0fc9c6d3711a03e22db0400114b156f86ea95739fefa19e891320278390e8cc636ad01d80f231b85264de2e6e89

Download Submit
memory/464-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/464-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2356-23-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4280-42-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4280-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4836-41-0x0000000000170000-0x00000000001FC000-memory.dmp

Filesize
560KB

Download
memory/4836-40-0x0000000000170000-0x00000000001FC000-memory.dmp

Filesize
560KB

Download
memory/4836-39-0x0000000000170000-0x00000000001FC000-memory.dmp

Filesize
560KB

Download
memory/4836-35-0x0000000000170000-0x00000000001FC000-memory.dmp

Filesize
560KB

Download
memory/4836-44-0x0000000000170000-0x00000000001FC000-memory.dmp

Filesize
560KB

Download
memory/4836-45-0x0000000000170000-0x00000000001FC000-memory.dmp

Filesize
560KB

Download
memory/4836-46-0x0000000000170000-0x00000000001FC000-memory.dmp

Filesize
560KB

Download