urelas | d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d

General

Target

d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exe
Size

432KB
MD5

bd0b17c01aab214fcbf1b9eadd0d7c56
SHA1

7c41549a1ff40c832171eb0030b8c50e21e79b6d
SHA256

d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d
SHA512

386c389542c7f4c6f3c0bccb7b6a0e4bae0dd93b5ff82c07cf8705bbb23ba21d743a9f296387ecbca36aa265b695f4cdc591728a1a2430813439ea61c98e5740
SSDEEP

6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODsvFwfMHVlIro:hU7M5ijWh0XOW4sEfeOkJHVuro

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\loupi.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exefoibm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	foibm.exe

Executes dropped EXE 2 IoCs

Processes:

foibm.exeloupi.exe

pid process

2300 foibm.exe
4884 loupi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2300	foibm.exe
4884	loupi.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

loupi.exed00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exefoibm.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loupi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foibm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

loupi.exe

pid	process
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe
4884	loupi.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exefoibm.exe

description	pid	process	target process
PID 1660 wrote to memory of 2300	1660	d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exe	foibm.exe
PID 1660 wrote to memory of 2300	1660	d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exe	foibm.exe
PID 1660 wrote to memory of 2300	1660	d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exe	foibm.exe
PID 1660 wrote to memory of 3640	1660	d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exe	cmd.exe
PID 1660 wrote to memory of 3640	1660	d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exe	cmd.exe
PID 1660 wrote to memory of 3640	1660	d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exe	cmd.exe
PID 2300 wrote to memory of 4884	2300	foibm.exe	loupi.exe
PID 2300 wrote to memory of 4884	2300	foibm.exe	loupi.exe
PID 2300 wrote to memory of 4884	2300	foibm.exe	loupi.exe

C:\Users\Admin\AppData\Local\Temp\d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exe
"C:\Users\Admin\AppData\Local\Temp\d00dcd7ff7b6655a871a6110ae088e1290cc955e6d3f55eb65bc90b2bbb8231d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\foibm.exe
  "C:\Users\Admin\AppData\Local\Temp\foibm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\loupi.exe
    "C:\Users\Admin\AppData\Local\Temp\loupi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b2b2162ddbe317d90730c5e999f92606

SHA1
ef1152218270b33ad23150d8998b48ca31abcb27

SHA256
7e94ec9275ee727c2f55868f64f5348995ff3a5108202b866be9124f04c393c3

SHA512
9bbe9edbd9d13dd3c26e6948638797ea08762ca039fb8535d0cb1610056f7dea57a67784c300aa8fdf263741f9569e3b28233d168c44ef88ddce45a8010c341c

Download Submit
C:\Users\Admin\AppData\Local\Temp\foibm.exe

Filesize
432KB

MD5
8ec1dfadd7f64757c49b59daeb0bf97e

SHA1
bec41897cc8a7a3f6fad2b546d528f530d3a0b6f

SHA256
ea9bcf5473506dbce434308595bf80aedbab7448fa4767420b3648d846ed7fb2

SHA512
e6345ec98ba87e316633b07b7932f21f62583125536e2efe2a829e60af27b43cd8251610b2faf09eb80b0a353d202a3f85197dbbd39fd4f035d2f64f7e008b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f91b982d6f50ea89b4e170ab5c39854b

SHA1
1b28a7ca5d52be9883b4cb067a9ebb69988406ea

SHA256
361e7527c45278fc944c3bd41ef8a8ef8847a7b03ad3b8ccb3a25788e05979df

SHA512
07368b730618a8e36730dd66743be3496d2e58f1d9057b2fabe5ad4e60da4a4ebe25be831e746731c241de07e83678029fc924a5088767e63dbd8706ec95960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\loupi.exe

Filesize
212KB

MD5
4d4c58936aa409549ee9cb5650a206d2

SHA1
4c19802007961d143a87598861cf673df6f187c3

SHA256
0a49129823a033b48c09e2496c4d019ea3cd4909527d5343a8feb7a7ccc8cf7f

SHA512
3f73f1335f8a3973f1909ecc9a9ec7c9287c101ceb880e18a342128a3329397e313cfda716631505f46d42c2f4ace1ba6719ecbf87aa586227b4aa8b70a4372c

Download Submit
memory/1660-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1660-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2300-27-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2300-17-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2300-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4884-26-0x0000000000850000-0x00000000008E4000-memory.dmp

Filesize
592KB

Download
memory/4884-29-0x0000000000850000-0x00000000008E4000-memory.dmp

Filesize
592KB

Download
memory/4884-30-0x0000000000850000-0x00000000008E4000-memory.dmp

Filesize
592KB

Download
memory/4884-28-0x0000000000850000-0x00000000008E4000-memory.dmp

Filesize
592KB

Download
memory/4884-32-0x0000000000850000-0x00000000008E4000-memory.dmp

Filesize
592KB

Download
memory/4884-33-0x0000000000850000-0x00000000008E4000-memory.dmp

Filesize
592KB

Download
memory/4884-34-0x0000000000850000-0x00000000008E4000-memory.dmp

Filesize
592KB

Download
memory/4884-35-0x0000000000850000-0x00000000008E4000-memory.dmp

Filesize
592KB

Download
memory/4884-36-0x0000000000850000-0x00000000008E4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads