urelas | 0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93

Analysis

max time kernel
149s
max time network
81s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
Size

636KB
MD5

11886b65ec7637fd092d18acbdb6661e
SHA1

65059e8ab7c5fd4bf00178d12515e782b11de4e0
SHA256

0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93
SHA512

1b1dd22af551fc35d760b0bfa1cb65057047e8d9ca73a7d8cc3d2c6ff343df5e5cce57a9e0e0e4d5c940102c68588ccc0a05a7ff96d96c12ba2f9508b55bb136
SSDEEP

12288:RU7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsJ:RUowYcOW4a2YcOW4C

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000016d5c-27.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	xyuzo.exe
2144	holyv.exe

Loads dropped DLL 3 IoCs

pid	Process
3016	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
3016	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
2840	xyuzo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyuzo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	holyv.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe
2144	holyv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2840	3016	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	29
PID 3016 wrote to memory of 2840	3016	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	29
PID 3016 wrote to memory of 2840	3016	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	29
PID 3016 wrote to memory of 2840	3016	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	29
PID 3016 wrote to memory of 2888	3016	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	30
PID 3016 wrote to memory of 2888	3016	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	30
PID 3016 wrote to memory of 2888	3016	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	30
PID 3016 wrote to memory of 2888	3016	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	30
PID 2840 wrote to memory of 2144	2840	xyuzo.exe	32
PID 2840 wrote to memory of 2144	2840	xyuzo.exe	32
PID 2840 wrote to memory of 2144	2840	xyuzo.exe	32
PID 2840 wrote to memory of 2144	2840	xyuzo.exe	32

C:\Users\Admin\AppData\Local\Temp\0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
"C:\Users\Admin\AppData\Local\Temp\0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\xyuzo.exe
  "C:\Users\Admin\AppData\Local\Temp\xyuzo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\holyv.exe
    "C:\Users\Admin\AppData\Local\Temp\holyv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2cf691e9fc741cf4bb9d4f9df3c5c0ec

SHA1
0f867a28088558ed0780a6ec6a0f81809687bc6d

SHA256
53698a9391ae197505b586dad042c2ecf0b91f75aa0a8fb78de8589e31df1d7e

SHA512
71d38fd1282364dad572e9d71d63832043735d12efd0fca2bc084f5476b77d5f39055607726ba0ec0bd5c36f35d88fb1f548b4e50723bb2ed9604bb00b0e77af

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e96bb9e2dfb8f7cce73f7ed66cd1dae1

SHA1
e1e2326de1b73ffe1387fa04e19d4d89103685d6

SHA256
5caf5d2655aa3cfd91f8df24612c04872e6b882062d591ceca56778e48dcc09c

SHA512
b425316951ef4a78c7c98eb954c8aeca622c0c8568bfccd9f7194a4f219fd30dad5c9c3059f5034323376425e5712527295ecca7df489c23f6720f8512c31bf3

Download Submit
\Users\Admin\AppData\Local\Temp\holyv.exe

Filesize
212KB

MD5
3e18d848f856491ebbce0af213f45b12

SHA1
bd04a5c04d15f23e98d8a3a04f66c4e4a4dad536

SHA256
bebd1d59f586905848e39e9656cf60c5e858ec985ce0fa42e122857b56012d5d

SHA512
feb342456e49a9cb9b0eee0d0fe731cff5fc8dc9f06b2271cc0de4eab130e3ca6245856195a01a0c4cf500219cd1f8270bbd8c6da77d04666afb443f2d400106

Download Submit
\Users\Admin\AppData\Local\Temp\xyuzo.exe

Filesize
636KB

MD5
cfb3638e2c6fb5fb503712d20558c0af

SHA1
7ca7f2f2df08b730a593067469c7ccd4a396530c

SHA256
798dfc937c7dbe0766b15f2b9291826de4574e5239419084e9c5f6eff0a904dd

SHA512
54a4b3fcb810f745a6dc9848b618fd919e11312a09e6f2d4e92de000a1201b027901adcb40dff33a788ddb4265e31a31f75a6c445aef9bff0de51d192437f1c0

Download Submit
memory/2144-38-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2144-32-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2144-42-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2144-41-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2144-40-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2144-39-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2144-34-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2144-36-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2144-33-0x00000000009C0000-0x0000000000A54000-memory.dmp

Filesize
592KB

Download
memory/2840-21-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2840-30-0x0000000003340000-0x00000000033D4000-memory.dmp

Filesize
592KB

Download
memory/2840-35-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2840-24-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3016-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3016-19-0x00000000025D0000-0x000000000266B000-memory.dmp

Filesize
620KB

Download
memory/3016-20-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download