urelas | bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e

General

Target

bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
Size

633KB
MD5

2dc85d1e4f325a156676d3bdde485025
SHA1

f2097f754cb08feedc7cf72ce6101004b000ee8f
SHA256

bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e
SHA512

b2bb12a5f2d33584cd7361f53f47b3db8a130540cfa38697f68806add1bba36ceb4f162dfd40700efc31d8628950c95d92ad8ea61df8c2831a59ec06d40313f3
SSDEEP

12288:RU7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsf:RUowYcOW4a2YcOW4Y

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\duzoz.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exeridop.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ridop.exe

Executes dropped EXE 2 IoCs

Processes:

ridop.exeduzoz.exe

pid process

3520 ridop.exe
1472 duzoz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3520	ridop.exe
1472	duzoz.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exeridop.execmd.exeduzoz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ridop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duzoz.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

duzoz.exe

pid	process
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe
1472	duzoz.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exeridop.exe

description	pid	process	target process
PID 5016 wrote to memory of 3520	5016	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	ridop.exe
PID 5016 wrote to memory of 3520	5016	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	ridop.exe
PID 5016 wrote to memory of 3520	5016	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	ridop.exe
PID 5016 wrote to memory of 432	5016	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	cmd.exe
PID 5016 wrote to memory of 432	5016	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	cmd.exe
PID 5016 wrote to memory of 432	5016	bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe	cmd.exe
PID 3520 wrote to memory of 1472	3520	ridop.exe	duzoz.exe
PID 3520 wrote to memory of 1472	3520	ridop.exe	duzoz.exe
PID 3520 wrote to memory of 1472	3520	ridop.exe	duzoz.exe

C:\Users\Admin\AppData\Local\Temp\bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
"C:\Users\Admin\AppData\Local\Temp\bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\ridop.exe
  "C:\Users\Admin\AppData\Local\Temp\ridop.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\duzoz.exe
    "C:\Users\Admin\AppData\Local\Temp\duzoz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
bd8ebfdcb1c1bca57830986e2ffe55e5

SHA1
499a9acee565d3c71c58df966d275e8d98ba3cf6

SHA256
8548951834db14210dc7e23fa89c207a74429dd8b5cf5bfc3b8d593fb2845c6f

SHA512
b0e370ad45acda055505e41602571193b8a47987751232fde804c53b9c3cef9e0de478377f9e42c5a8fe9571fcbd4fe2f0e87c1dbeda9bb44015c5f94374a435

Download Submit
C:\Users\Admin\AppData\Local\Temp\duzoz.exe

Filesize
212KB

MD5
04f0d2867c1055b2bd7a75bec3eac583

SHA1
2eed4de0eeeea7815f133a336d8b47abd9d417a5

SHA256
701bddaa4ea6874f0c7cff8013538737b16c43309b666cd7f7e4cd28d3d92e22

SHA512
bab03e1b1d638622c84a74d75d0a32ce2396d22b03f926068acb6d560d8af323efec9b2c6729df0136252557e978390eead1d335dd334171ed5aa7d46ad868c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c851b50e9fb7fafd40e5da3940146544

SHA1
e818933ee572ffa15b9bd6133c2931b13d6070cf

SHA256
b4f46102d3bbd595de1e0bdb47523a48e3a452e19c395304c96d7dc3e07acd41

SHA512
cc382eec53cb21246728fdefb265ba1731028ea716b626a9824613aad8dc53fbaf9a3cc0110b4529e105fd81cfe07c7bd3247fdf850d763fe9debadd65aeb691

Download Submit
C:\Users\Admin\AppData\Local\Temp\ridop.exe

Filesize
633KB

MD5
edf29fd91f0df8296d97ed1494d626a4

SHA1
c8de47f2caeb64c242fa4990b683fd31730867d8

SHA256
13ab7f0ae7ab78b4f2a878ac6268d9026e7507bb5b33c927969fe101d2874358

SHA512
8ed811cb09c35e819df990329370ca50091cec0e67e4bb1108e4eb43315fd5f38330888bf875ab048d9d9259aad86f5601c890c0ea4bc446d57eaf32537ebb83

Download Submit
memory/1472-25-0x0000000000990000-0x0000000000A24000-memory.dmp

Filesize
592KB

Download
memory/1472-28-0x0000000000990000-0x0000000000A24000-memory.dmp

Filesize
592KB

Download
memory/1472-27-0x0000000000990000-0x0000000000A24000-memory.dmp

Filesize
592KB

Download
memory/1472-26-0x0000000000990000-0x0000000000A24000-memory.dmp

Filesize
592KB

Download
memory/1472-31-0x0000000000990000-0x0000000000A24000-memory.dmp

Filesize
592KB

Download
memory/1472-32-0x0000000000990000-0x0000000000A24000-memory.dmp

Filesize
592KB

Download
memory/3520-16-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3520-29-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5016-13-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5016-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads