urelas | bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
Size

633KB
MD5

2dc85d1e4f325a156676d3bdde485025
SHA1

f2097f754cb08feedc7cf72ce6101004b000ee8f
SHA256

bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e
SHA512

b2bb12a5f2d33584cd7361f53f47b3db8a130540cfa38697f68806add1bba36ceb4f162dfd40700efc31d8628950c95d92ad8ea61df8c2831a59ec06d40313f3
SSDEEP

12288:RU7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsf:RUowYcOW4a2YcOW4Y

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000703-22.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	qimok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	qimok.exe
3252	ajvor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qimok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajvor.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe
3252	ajvor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2204	1448	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	84
PID 1448 wrote to memory of 2204	1448	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	84
PID 1448 wrote to memory of 2204	1448	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	84
PID 1448 wrote to memory of 3108	1448	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	85
PID 1448 wrote to memory of 3108	1448	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	85
PID 1448 wrote to memory of 3108	1448	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	85
PID 2204 wrote to memory of 3252	2204	qimok.exe	94
PID 2204 wrote to memory of 3252	2204	qimok.exe	94
PID 2204 wrote to memory of 3252	2204	qimok.exe	94

C:\Users\Admin\AppData\Local\Temp\bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
"C:\Users\Admin\AppData\Local\Temp\bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\qimok.exe
  "C:\Users\Admin\AppData\Local\Temp\qimok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\ajvor.exe
    "C:\Users\Admin\AppData\Local\Temp\ajvor.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
bd8ebfdcb1c1bca57830986e2ffe55e5

SHA1
499a9acee565d3c71c58df966d275e8d98ba3cf6

SHA256
8548951834db14210dc7e23fa89c207a74429dd8b5cf5bfc3b8d593fb2845c6f

SHA512
b0e370ad45acda055505e41602571193b8a47987751232fde804c53b9c3cef9e0de478377f9e42c5a8fe9571fcbd4fe2f0e87c1dbeda9bb44015c5f94374a435

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajvor.exe

Filesize
212KB

MD5
853d7d22c33c5cf51c8c08c523c46873

SHA1
5471fb44b57d4bc83d200adc25b331d0a1d0a0f9

SHA256
4fbb7b1776ddff556e4c43eaceb7e4b228d32b42906e273f8a02273c0557e649

SHA512
56ae4691981062d30d2768b207c1088693013eecc970399fefcfe23f919d4d87f8f4ecb5edd9c69c624d62b6dc01cd1dd361d2f64533d01065d99601861bbaaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
377d52e220d0086c8981b208e7706727

SHA1
36e000b376f69b13f7f1b5ef876dbd516f6591bb

SHA256
4c4d9b9a355f5543a22e85815cc8e5f0b657104dfc946a234048f9d59bf50604

SHA512
66416ec0c02a0b6b54b6d2667b7e96c94ff70e5bca5a13fa977866ca687dcb313bce2b6177bf97be8560616486059ec079caff5249f48fbfe751eafbe6389655

Download Submit
C:\Users\Admin\AppData\Local\Temp\qimok.exe

Filesize
633KB

MD5
9151e194ff6c202dd0da8ba713faa4ae

SHA1
75659c52cf116189c8ce8b9a7ec967205a5a5fd3

SHA256
e528eb37e1721764963ed20cef17aaac62ce38fddafdad06702ccf3a106421bf

SHA512
80f84eef8b4bbdab203d859e694e355e8cfc6c7289f784046f8a49f221c23b0cd9b068ad1ba287dc15b32cf68b39d88135b168ec7dd9e6fbf7a99e1beed14632

Download Submit
memory/1448-14-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1448-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2204-27-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2204-12-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2204-17-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3252-26-0x0000000000910000-0x00000000009A4000-memory.dmp

Filesize
592KB

Download
memory/3252-30-0x0000000000910000-0x00000000009A4000-memory.dmp

Filesize
592KB

Download
memory/3252-29-0x0000000000910000-0x00000000009A4000-memory.dmp

Filesize
592KB

Download
memory/3252-28-0x0000000000910000-0x00000000009A4000-memory.dmp

Filesize
592KB

Download
memory/3252-32-0x0000000000910000-0x00000000009A4000-memory.dmp

Filesize
592KB

Download
memory/3252-33-0x0000000000910000-0x00000000009A4000-memory.dmp

Filesize
592KB

Download
memory/3252-34-0x0000000000910000-0x00000000009A4000-memory.dmp

Filesize
592KB

Download
memory/3252-35-0x0000000000910000-0x00000000009A4000-memory.dmp

Filesize
592KB

Download
memory/3252-36-0x0000000000910000-0x00000000009A4000-memory.dmp

Filesize
592KB

Download