urelas | 1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe
Size

331KB
MD5

33d66e47f873aa8a6ddc6da6d5630212
SHA1

780251de7807badffa9d2dde5f9a6044f2b2bc4b
SHA256

1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59
SHA512

73eb904eef513d38f2681b74f5862ffbff678fb5cb994ea6920bf275fa1e7421b43280bb252ff9848c3f80ffd99d7fb646b5df6c0cf16add1c1ecc05f9f8d25c
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisz:Nd7rpL43btmQ58Z27zw39gY2FeZh4pi

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000016dc8-55.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2080	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1996	xyobt.exe
2776	xupoku.exe
1512	rydyh.exe

Loads dropped DLL 5 IoCs

pid	Process
2308	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe
2308	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe
1996	xyobt.exe
1996	xyobt.exe
2776	xupoku.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyobt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xupoku.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rydyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe
1512	rydyh.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1996	2308	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	31
PID 2308 wrote to memory of 1996	2308	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	31
PID 2308 wrote to memory of 1996	2308	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	31
PID 2308 wrote to memory of 1996	2308	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	31
PID 2308 wrote to memory of 2080	2308	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	32
PID 2308 wrote to memory of 2080	2308	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	32
PID 2308 wrote to memory of 2080	2308	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	32
PID 2308 wrote to memory of 2080	2308	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	32
PID 1996 wrote to memory of 2776	1996	xyobt.exe	33
PID 1996 wrote to memory of 2776	1996	xyobt.exe	33
PID 1996 wrote to memory of 2776	1996	xyobt.exe	33
PID 1996 wrote to memory of 2776	1996	xyobt.exe	33
PID 2776 wrote to memory of 1512	2776	xupoku.exe	36
PID 2776 wrote to memory of 1512	2776	xupoku.exe	36
PID 2776 wrote to memory of 1512	2776	xupoku.exe	36
PID 2776 wrote to memory of 1512	2776	xupoku.exe	36
PID 2776 wrote to memory of 2792	2776	xupoku.exe	37
PID 2776 wrote to memory of 2792	2776	xupoku.exe	37
PID 2776 wrote to memory of 2792	2776	xupoku.exe	37
PID 2776 wrote to memory of 2792	2776	xupoku.exe	37

C:\Users\Admin\AppData\Local\Temp\1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe
"C:\Users\Admin\AppData\Local\Temp\1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\xyobt.exe
  "C:\Users\Admin\AppData\Local\Temp\xyobt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\xupoku.exe
    "C:\Users\Admin\AppData\Local\Temp\xupoku.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\rydyh.exe
      "C:\Users\Admin\AppData\Local\Temp\rydyh.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
c5f3c712ca83af71f86d67454cb7d800

SHA1
18cb647c77d7e94c2efec7db827d66f566ed7076

SHA256
8079dc5083ba4bb8ada407789dbbf99440a10ffeaf1690c101c86a96fece1c12

SHA512
e1b22c06e6ad24f2f97758bc980da15ea32614a282de7dbab8d55f534d67867408d727abb4341ac6a01c6149db00dfd31e6a19780ff42663d5ac4701c99ab5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c7993af3df0c6acbe4fe23a3847eebe4

SHA1
33670ca6bc12f7363a9dba9d92fa47eafa99a324

SHA256
a053a00baa5e4e8503f0e0cbc635e531914bc7fd0dd0550a3e9ba196f6d1d387

SHA512
8a3fb0092022d749ddd59c2c3a384b2afc4996dbb9bffe907a52d1d43e48fdbbe4b37c1703d8f826d68df925529a20725e31411f5e33c3b0656472b09c7960da

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3ba7ce98387e3f2075e0a2852b9b47e3

SHA1
16e1302855e41e50db057fd3fdac5976bbd017e6

SHA256
c2b5dd987c4e741c601e34cc0dcbf7e2e9ad5a27ce8e8d54dc42ee11f579618c

SHA512
80da0c41bf6c019bc27815de43baf54aa58dbe7a93715f2fcfa9ebbe348e67220a602894d3775178f9eafde85282e39166ea91e342aef7d979228e1466693c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\rydyh.exe

Filesize
136KB

MD5
a12c925f102b15897218227d2ae78053

SHA1
33e33f13a1e54c5e7b198c4cb6114ec541ebe23b

SHA256
bc68efb585956a983433f24b2baea41684b242bacda4d7fe9646e76494c449c7

SHA512
65dbc7f55e3b73100941f11a8bafb45279ba0b3007678978ddc5ae937447b31a62147080a681f7ba1c8598012c92d50fd19ec55092cdb946929cd512ec994b77

Download Submit
\Users\Admin\AppData\Local\Temp\xyobt.exe

Filesize
331KB

MD5
b336142dee0143d11ae13925569c44ee

SHA1
f21a7683c54ee68cc39443d2f100ee6467caffd7

SHA256
3de99480f9c4be89711eec6d9368d91f3bc451768eb77c4e296740323731faa7

SHA512
837f6e055b2c3a345aedf9c00e59a40fd2bb95b363cd5178085c5c852b132847c85ab21124be78b2af64c4c4c2d4741ac1e56b038b041ee94b0b4de651893f9c

Download Submit
memory/1512-64-0x0000000001080000-0x000000000110C000-memory.dmp

Filesize
560KB

Download
memory/1512-65-0x0000000001080000-0x000000000110C000-memory.dmp

Filesize
560KB

Download
memory/1512-63-0x0000000001080000-0x000000000110C000-memory.dmp

Filesize
560KB

Download
memory/1512-66-0x0000000001080000-0x000000000110C000-memory.dmp

Filesize
560KB

Download
memory/1512-62-0x0000000001080000-0x000000000110C000-memory.dmp

Filesize
560KB

Download
memory/1512-59-0x0000000001080000-0x000000000110C000-memory.dmp

Filesize
560KB

Download
memory/1512-58-0x0000000001080000-0x000000000110C000-memory.dmp

Filesize
560KB

Download
memory/1512-57-0x0000000001080000-0x000000000110C000-memory.dmp

Filesize
560KB

Download
memory/1512-67-0x0000000001080000-0x000000000110C000-memory.dmp

Filesize
560KB

Download
memory/1512-56-0x0000000001080000-0x000000000110C000-memory.dmp

Filesize
560KB

Download
memory/1996-33-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1996-37-0x0000000002030000-0x0000000002088000-memory.dmp

Filesize
352KB

Download
memory/1996-16-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1996-34-0x0000000002030000-0x0000000002088000-memory.dmp

Filesize
352KB

Download
memory/2308-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2308-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2308-6-0x0000000002AA0000-0x0000000002AF8000-memory.dmp

Filesize
352KB

Download
memory/2776-54-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2776-53-0x0000000002F10000-0x0000000002F9C000-memory.dmp

Filesize
560KB

Download
memory/2776-38-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2776-35-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download