urelas | 2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b.exe
Size

411KB
MD5

0168177624f8cb458832f644a1cf89ac
SHA1

8c1bf2eb9215ed595608cc7927ebe61ca35814eb
SHA256

2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b
SHA512

2af517a8d566c6ce794548afa987eadad7cc5e27b67e6c6bd13ee71cf39351f2c647a9784c99abf42e835d2c9fed4530b64fa3674fee9d507db2e8e4ed0e0d6b
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYC:eU7M5ijWh0XOW4sEfeOX

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000707-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	mixyp.exe

Executes dropped EXE 2 IoCs

pid	Process
3768	mixyp.exe
3088	xitod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixyp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xitod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe
3088	xitod.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 3768	4516	2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b.exe	83
PID 4516 wrote to memory of 3768	4516	2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b.exe	83
PID 4516 wrote to memory of 3768	4516	2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b.exe	83
PID 4516 wrote to memory of 3632	4516	2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b.exe	84
PID 4516 wrote to memory of 3632	4516	2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b.exe	84
PID 4516 wrote to memory of 3632	4516	2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b.exe	84
PID 3768 wrote to memory of 3088	3768	mixyp.exe	104
PID 3768 wrote to memory of 3088	3768	mixyp.exe	104
PID 3768 wrote to memory of 3088	3768	mixyp.exe	104

C:\Users\Admin\AppData\Local\Temp\2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b.exe
"C:\Users\Admin\AppData\Local\Temp\2c4198210341481900aba4dc38fe997671b8ecdf77f8dc57f54174eafd4a284b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\mixyp.exe
  "C:\Users\Admin\AppData\Local\Temp\mixyp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\xitod.exe
    "C:\Users\Admin\AppData\Local\Temp\xitod.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8798a36d6997c132e79120602a5aa447

SHA1
1fcacc0f4355a675e7672168950a89a8ce0f86f0

SHA256
cabf3c88094b6e3ae71f28e100e6ece1d103b8c9b02aa8fff45af31a18b49321

SHA512
97a8de3130c4d6cdf676361331349dbc0611ea8ca78f6b57b04df80581b92c48bb0f5e74992cb92593a78e96d5268364e47364262b394300fc4965fb5660414c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8fbb398f5d53a480a4ec5afefca40f0

SHA1
8852854ca1ddee401b836e06642a5745ebb46533

SHA256
246c52da8fa0911a1fd7915c318b9505e62ee9213b71752d5d943adbec55d2c1

SHA512
dbbc0c15a13bfdaf918dfc0766a849923354ca4750aecdb74cfb6acf2c3532702d743ce36b55b3f365ecf46e4f853b577c27e8c564965ecd589e1b50fa6781c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mixyp.exe

Filesize
411KB

MD5
18d543d8c6e38886c0dcbec1c041b9d2

SHA1
caa2a1bd027c170228cde111eedbe458178da596

SHA256
75884f8d44e4613c8c587d2db2b09e861feb693c63a8a8591d644f48e037f8a0

SHA512
af07a7a367c8dbbbfe9e6c032a95d1c58c96486f87a8fd12d4fec691a2fbc3e911baa31921ea09014a48805975def743a8185c2b1e8ebdf87db703dde637e588

Download Submit
C:\Users\Admin\AppData\Local\Temp\xitod.exe

Filesize
212KB

MD5
5979bb194cd58f555bbb0495d8853e80

SHA1
69da707be4c812c6eddc461a4b58a7938688f83e

SHA256
cdbddad5914ddbdac67846579bf53137fd61af422807f5cf4f407310c35fbee9

SHA512
22ed6d0314b47d4861527c01486bb842b6f56322f05dd4d8ba6310f4b497c6852cc788ce7980a8eef5b064a852d6449579c86adcdf3c22ea5ad9c559d8813df2

Download Submit
memory/3088-28-0x00000000002B0000-0x0000000000344000-memory.dmp

Filesize
592KB

Download
memory/3088-27-0x00000000002B0000-0x0000000000344000-memory.dmp

Filesize
592KB

Download
memory/3088-25-0x00000000002B0000-0x0000000000344000-memory.dmp

Filesize
592KB

Download
memory/3088-26-0x00000000002B0000-0x0000000000344000-memory.dmp

Filesize
592KB

Download
memory/3088-31-0x00000000002B0000-0x0000000000344000-memory.dmp

Filesize
592KB

Download
memory/3088-32-0x00000000002B0000-0x0000000000344000-memory.dmp

Filesize
592KB

Download
memory/3088-33-0x00000000002B0000-0x0000000000344000-memory.dmp

Filesize
592KB

Download
memory/3088-34-0x00000000002B0000-0x0000000000344000-memory.dmp

Filesize
592KB

Download
memory/3088-35-0x00000000002B0000-0x0000000000344000-memory.dmp

Filesize
592KB

Download
memory/3768-16-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3768-29-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4516-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4516-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download