urelas | 0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
Size

636KB
MD5

11886b65ec7637fd092d18acbdb6661e
SHA1

65059e8ab7c5fd4bf00178d12515e782b11de4e0
SHA256

0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93
SHA512

1b1dd22af551fc35d760b0bfa1cb65057047e8d9ca73a7d8cc3d2c6ff343df5e5cce57a9e0e0e4d5c940102c68588ccc0a05a7ff96d96c12ba2f9508b55bb136
SSDEEP

12288:RU7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsJ:RUowYcOW4a2YcOW4C

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral2/files/0x0005000000000034-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exeneguv.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	neguv.exe

Executes dropped EXE 2 IoCs

Processes:

neguv.exepuujc.exe

pid	Process
3528	neguv.exe
4376	puujc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

puujc.exe0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exeneguv.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puujc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neguv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

puujc.exe

pid	Process
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe
4376	puujc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exeneguv.exe

description	pid	Process	procid_target
PID 212 wrote to memory of 3528	212	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	84
PID 212 wrote to memory of 3528	212	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	84
PID 212 wrote to memory of 3528	212	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	84
PID 212 wrote to memory of 1304	212	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	85
PID 212 wrote to memory of 1304	212	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	85
PID 212 wrote to memory of 1304	212	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	85
PID 3528 wrote to memory of 4376	3528	neguv.exe	94
PID 3528 wrote to memory of 4376	3528	neguv.exe	94
PID 3528 wrote to memory of 4376	3528	neguv.exe	94

C:\Users\Admin\AppData\Local\Temp\0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
"C:\Users\Admin\AppData\Local\Temp\0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\neguv.exe
  "C:\Users\Admin\AppData\Local\Temp\neguv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\puujc.exe
    "C:\Users\Admin\AppData\Local\Temp\puujc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2cf691e9fc741cf4bb9d4f9df3c5c0ec

SHA1
0f867a28088558ed0780a6ec6a0f81809687bc6d

SHA256
53698a9391ae197505b586dad042c2ecf0b91f75aa0a8fb78de8589e31df1d7e

SHA512
71d38fd1282364dad572e9d71d63832043735d12efd0fca2bc084f5476b77d5f39055607726ba0ec0bd5c36f35d88fb1f548b4e50723bb2ed9604bb00b0e77af

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
172f8124349a145a114b48a253f81a99

SHA1
7806706444ff23606654c20422606a0dfe1db299

SHA256
bb0d3a1c9c89dfb9752051b59a62ca7237357e3352f66d1514e62c6c8189cc7c

SHA512
8a48a1c8c3902670fa77f98337bf5c2c58d1a10272883a4ec6faf74e4f7e784cbfbbc3ea60e897ec5454efcb56ff00688e4591f275bda155e95a9257bfd5fe60

Download Submit
C:\Users\Admin\AppData\Local\Temp\neguv.exe

Filesize
636KB

MD5
a97e119d3dbbb976b5ff3958b8e34cd1

SHA1
a367ee6b8a4529bce3c8cdcf84ad1ed86651ab67

SHA256
8f03deed890fe904a8696597229fdb7d15571a1939b1403c64564b77849bb5dc

SHA512
f0d81a5f01cf3903ffc0a965ad1f1c6bab7ef075787566db0c3d195a593d0d7ef69955fa839e481fd937a500aa958c5bd92996954a012a597f964f6dd533a2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\puujc.exe

Filesize
212KB

MD5
47311ad19df6ab7766b49baeef0ac046

SHA1
9a00213a7bdb667b67d9fc8f2c4c6dd0cb5b433e

SHA256
b84eb95403569c82418c72620b0dc424f36ee55c43b63e0e1ac64fb6ce62e658

SHA512
7ffa320221c8462e6dc08b7b029e71864665ef2a70e05da949defd1be6985cdec22e21bf2b61e507225bd8f4e2bfc56764850d139156cf89d255b49b53372d4d

Download Submit
memory/212-13-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/212-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3528-29-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3528-16-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4376-28-0x00000000009E0000-0x0000000000A74000-memory.dmp

Filesize
592KB

Download
memory/4376-26-0x00000000009E0000-0x0000000000A74000-memory.dmp

Filesize
592KB

Download
memory/4376-25-0x00000000009E0000-0x0000000000A74000-memory.dmp

Filesize
592KB

Download
memory/4376-27-0x00000000009E0000-0x0000000000A74000-memory.dmp

Filesize
592KB

Download
memory/4376-31-0x00000000009E0000-0x0000000000A74000-memory.dmp

Filesize
592KB

Download
memory/4376-32-0x00000000009E0000-0x0000000000A74000-memory.dmp

Filesize
592KB

Download
memory/4376-33-0x00000000009E0000-0x0000000000A74000-memory.dmp

Filesize
592KB

Download
memory/4376-34-0x00000000009E0000-0x0000000000A74000-memory.dmp

Filesize
592KB

Download
memory/4376-35-0x00000000009E0000-0x0000000000A74000-memory.dmp

Filesize
592KB

Download