urelas | 1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe
Size

331KB
MD5

33d66e47f873aa8a6ddc6da6d5630212
SHA1

780251de7807badffa9d2dde5f9a6044f2b2bc4b
SHA256

1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59
SHA512

73eb904eef513d38f2681b74f5862ffbff678fb5cb994ea6920bf275fa1e7421b43280bb252ff9848c3f80ffd99d7fb646b5df6c0cf16add1c1ecc05f9f8d25c
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisz:Nd7rpL43btmQ58Z27zw39gY2FeZh4pi

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0002000000022188-31.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	kyqoky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lefyp.exe

Executes dropped EXE 3 IoCs

pid	Process
3712	lefyp.exe
2852	kyqoky.exe
4496	apnea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lefyp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyqoky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apnea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe
4496	apnea.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 3712	452	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	84
PID 452 wrote to memory of 3712	452	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	84
PID 452 wrote to memory of 3712	452	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	84
PID 452 wrote to memory of 4756	452	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	85
PID 452 wrote to memory of 4756	452	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	85
PID 452 wrote to memory of 4756	452	1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe	85
PID 3712 wrote to memory of 2852	3712	lefyp.exe	87
PID 3712 wrote to memory of 2852	3712	lefyp.exe	87
PID 3712 wrote to memory of 2852	3712	lefyp.exe	87
PID 2852 wrote to memory of 4496	2852	kyqoky.exe	106
PID 2852 wrote to memory of 4496	2852	kyqoky.exe	106
PID 2852 wrote to memory of 4496	2852	kyqoky.exe	106
PID 2852 wrote to memory of 2248	2852	kyqoky.exe	107
PID 2852 wrote to memory of 2248	2852	kyqoky.exe	107
PID 2852 wrote to memory of 2248	2852	kyqoky.exe	107

C:\Users\Admin\AppData\Local\Temp\1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe
"C:\Users\Admin\AppData\Local\Temp\1e65baade5f896272cc3adf8ff93d3de17531cc5a71ddadd1550e812bb9d0b59.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Local\Temp\lefyp.exe
  "C:\Users\Admin\AppData\Local\Temp\lefyp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\kyqoky.exe
    "C:\Users\Admin\AppData\Local\Temp\kyqoky.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\apnea.exe
      "C:\Users\Admin\AppData\Local\Temp\apnea.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
fbda5501e0cc5d81f18db3e932f5f92d

SHA1
561a1409b02236a4a3b8fce97cc4269bf722b5d9

SHA256
f583f215cc4b75178c1b05bed17694223aaa494b6298dc48d5971b2bcf5194ce

SHA512
932edd3e01e7b9576f1e3a1e94988cec2cef0775938d4a6ba02dbb2f48dd1d869225e5a8236c5ba4896ffd03db1cfcba7d26ae95824ae41aac1bc34f5a81019b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
c5f3c712ca83af71f86d67454cb7d800

SHA1
18cb647c77d7e94c2efec7db827d66f566ed7076

SHA256
8079dc5083ba4bb8ada407789dbbf99440a10ffeaf1690c101c86a96fece1c12

SHA512
e1b22c06e6ad24f2f97758bc980da15ea32614a282de7dbab8d55f534d67867408d727abb4341ac6a01c6149db00dfd31e6a19780ff42663d5ac4701c99ab5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\apnea.exe

Filesize
136KB

MD5
9b09b97b9b73f06f2e0c622b35ffeec7

SHA1
3d34c78b22463612c52fb80d0e0204a961ec4c6e

SHA256
9fa005e1eef47b595754161d67bbd905056761381c2318f6ecfedb022dc15085

SHA512
84a25eed388ec2024540f08d2633012d0a6b68d0e612ca1782d0f004dc28d65efa35536b679a6e01ba4426117d03755ede9fd4aa3419c7d936b8f86cd559aea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
18d34ee79cb090200bd13c2eaedeae74

SHA1
c202890bd9a46d0559f45974c5b03b3dbeec2074

SHA256
1e2cec8cc7a986f64434918514dfdaae15620797557692de961fe2686935fd26

SHA512
944eab0ce1456327a500f71c27b23fc1279cbfe0357ec5accce10ca9e6616f7813be249b270b57974552054ce34c3b02e4fac54bf3657a8e16ce9c2f2523dcc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lefyp.exe

Filesize
331KB

MD5
29ecbb32d3cdba1e7ab901a0d37ddd5b

SHA1
ff53b4b2ff0db317033ed587826527de46e22cb9

SHA256
f222252733591426add2f84d40be909cb1a3fdbdea6bc8af5fa93a83ba3f2aaf

SHA512
9bb6790059728e0c8fb284ee0ea42f52f95cb8c89b4eb833ed30af2982941f7043599c0c6d3560ea0886474304a6629869d063609f72aa58888c682e57983c1f

Download Submit
memory/452-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/452-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2852-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2852-42-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3712-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4496-40-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download
memory/4496-39-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download
memory/4496-41-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download
memory/4496-38-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download
memory/4496-44-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download
memory/4496-45-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download
memory/4496-46-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download
memory/4496-47-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download
memory/4496-48-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download
memory/4496-49-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download