urelas | bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e

General

Target

bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
Size

633KB
MD5

2dc85d1e4f325a156676d3bdde485025
SHA1

f2097f754cb08feedc7cf72ce6101004b000ee8f
SHA256

bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e
SHA512

b2bb12a5f2d33584cd7361f53f47b3db8a130540cfa38697f68806add1bba36ceb4f162dfd40700efc31d8628950c95d92ad8ea61df8c2831a59ec06d40313f3
SSDEEP

12288:RU7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsf:RUowYcOW4a2YcOW4Y

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ujyve.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2176 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

sydoa.exeujyve.exe

pid process

2836 sydoa.exe
2940 ujyve.exe

pid	process
2176	cmd.exe

pid	process
2836	sydoa.exe
2940	ujyve.exe

Loads dropped DLL 3 IoCs

Processes:

bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exesydoa.exe

pid	process
2892	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
2892	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
2836	sydoa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeujyve.exebd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exesydoa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujyve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sydoa.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

ujyve.exe

pid	process
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe
2940	ujyve.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exesydoa.exe

description	pid	process	target process
PID 2892 wrote to memory of 2836	2892	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	sydoa.exe
PID 2892 wrote to memory of 2836	2892	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	sydoa.exe
PID 2892 wrote to memory of 2836	2892	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	sydoa.exe
PID 2892 wrote to memory of 2836	2892	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	sydoa.exe
PID 2892 wrote to memory of 2176	2892	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	cmd.exe
PID 2892 wrote to memory of 2176	2892	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	cmd.exe
PID 2892 wrote to memory of 2176	2892	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	cmd.exe
PID 2892 wrote to memory of 2176	2892	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	cmd.exe
PID 2836 wrote to memory of 2940	2836	sydoa.exe	ujyve.exe
PID 2836 wrote to memory of 2940	2836	sydoa.exe	ujyve.exe
PID 2836 wrote to memory of 2940	2836	sydoa.exe	ujyve.exe
PID 2836 wrote to memory of 2940	2836	sydoa.exe	ujyve.exe

C:\Users\Admin\AppData\Local\Temp\bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
"C:\Users\Admin\AppData\Local\Temp\bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\sydoa.exe
  "C:\Users\Admin\AppData\Local\Temp\sydoa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\ujyve.exe
    "C:\Users\Admin\AppData\Local\Temp\ujyve.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
bd8ebfdcb1c1bca57830986e2ffe55e5

SHA1
499a9acee565d3c71c58df966d275e8d98ba3cf6

SHA256
8548951834db14210dc7e23fa89c207a74429dd8b5cf5bfc3b8d593fb2845c6f

SHA512
b0e370ad45acda055505e41602571193b8a47987751232fde804c53b9c3cef9e0de478377f9e42c5a8fe9571fcbd4fe2f0e87c1dbeda9bb44015c5f94374a435

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5cf4fd07f778ffbd0187440c9afc5c0a

SHA1
59cd011aec9ecf21e653942428d362f3ce02b253

SHA256
cd2312f21209878d107038de595742ef05015f613d00608cf4b2a25b2f7f352a

SHA512
a36a38fcc64d06722c663a4f05de68e5c19e87f732609d8b06e3158ea701880b4c55a016549eaf224f7f0ad483f7527c860d72a0235bf3807d56365631825d05

Download Submit
\Users\Admin\AppData\Local\Temp\sydoa.exe

Filesize
633KB

MD5
0e62e286e44af3d62c240138baddb8d5

SHA1
d2594d291f9bc740fd9f0e67fcf349531f56cc49

SHA256
cce1b96a0aaea1733b98feaf63f2f6bd6781c63bca735097f9179be0697d7b59

SHA512
69889aebf7ef3d39720ab700a7d14a50ecf64af2a5addaa990bb19ec1169cd7e08a16b896fad3e83f2beb363eca5604370dd115f7f84364005c2f5490cb0a97a

Download Submit
\Users\Admin\AppData\Local\Temp\ujyve.exe

Filesize
212KB

MD5
038571140e5cf52445840c30ab4cea92

SHA1
5f71193b7e27d6cad18919db443cf85cdca943f3

SHA256
8a238dd885674ddee7850647626d4c13f2d84437af777ae25c2d3bae63599b80

SHA512
e2b9b1386d36770644ec8d8f418ea62b76c43f2163700662a1ee51a68fdb40e38f471a8408582800003194de31e6e9beda66c7044ad41b58e0f8c13652a4ba4c

Download Submit
memory/2836-31-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2836-24-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2892-11-0x0000000002BC0000-0x0000000002C5B000-memory.dmp

Filesize
620KB

Download
memory/2892-21-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2892-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2892-12-0x0000000002BC0000-0x0000000002C5B000-memory.dmp

Filesize
620KB

Download
memory/2940-35-0x0000000000180000-0x0000000000214000-memory.dmp

Filesize
592KB

Download
memory/2940-34-0x0000000000180000-0x0000000000214000-memory.dmp

Filesize
592KB

Download
memory/2940-33-0x0000000000180000-0x0000000000214000-memory.dmp

Filesize
592KB

Download
memory/2940-32-0x0000000000180000-0x0000000000214000-memory.dmp

Filesize
592KB

Download
memory/2940-37-0x0000000000180000-0x0000000000214000-memory.dmp

Filesize
592KB

Download
memory/2940-38-0x0000000000180000-0x0000000000214000-memory.dmp

Filesize
592KB

Download
memory/2940-39-0x0000000000180000-0x0000000000214000-memory.dmp

Filesize
592KB

Download
memory/2940-40-0x0000000000180000-0x0000000000214000-memory.dmp

Filesize
592KB

Download
memory/2940-41-0x0000000000180000-0x0000000000214000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads