urelas | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702

General

Target

943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
Size

337KB
MD5

a180800232f58a1f6096d76c594bf860
SHA1

4f5ff11730ec328878bc3e6f23e4f060dc20b2a0
SHA256

943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702
SHA512

9592f1979aa1f1363203de4e125421c1697748aa033d5792f320b9ce02a1215f9e18539ad5ccac5df3f12d7301986370d45c38b1ec7504ddc0dbd1611724c852
SSDEEP

6144:4x4ITLKT/MUbCYqLbbCM2dWwh3gNUie2Jy+5vmSZGpd:4x4+LmMUbXq/byKLe2JPFS

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a000000023b96-10.dat	aspack_v212_v242
behavioral2/files/0x0005000000000034-39.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ovtoe.exe

Executes dropped EXE 2 IoCs

pid	Process
4164	ovtoe.exe
2272	jofuv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ovtoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jofuv.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe
2272	jofuv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 4164	324	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	82
PID 324 wrote to memory of 4164	324	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	82
PID 324 wrote to memory of 4164	324	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	82
PID 324 wrote to memory of 2388	324	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	83
PID 324 wrote to memory of 2388	324	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	83
PID 324 wrote to memory of 2388	324	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	83
PID 4164 wrote to memory of 2272	4164	ovtoe.exe	94
PID 4164 wrote to memory of 2272	4164	ovtoe.exe	94
PID 4164 wrote to memory of 2272	4164	ovtoe.exe	94

C:\Users\Admin\AppData\Local\Temp\943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
"C:\Users\Admin\AppData\Local\Temp\943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:324
- C:\Users\Admin\AppData\Local\Temp\ovtoe.exe
  "C:\Users\Admin\AppData\Local\Temp\ovtoe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\jofuv.exe
    "C:\Users\Admin\AppData\Local\Temp\jofuv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e91efa32c84a1881b1d18e4f5ad1ad2f

SHA1
5dcb841f644605b0266eb3a46590826751165615

SHA256
c186755c7beb23e3f69536ec56b6158f429cffb00a917b8b7e7573a5f4d55ed3

SHA512
6e43bdee1cd15e66f1aeec474188de3402b5c75af2191fc45d16662ad75c697d1984af8b6aebf590fd2ccc0d9d0f36eb2745e2854b886472e3883ea03f876749

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f41e5073eba3c4458e9f9e7ab0787180

SHA1
095bf5420b6d765d05f521934e2bc1f2af93574d

SHA256
61c09a12d4029e7f900452758b99ace9e3aaaac18d14f04618e69974567fa3ce

SHA512
3ec35f05b813bae8a8c16a0a3010e875f3cfa2fdc362034d9fc97bec466fa67aab1dac787a8028ffd74e61ec270f0de208d65217c6250b532aaa3f632eb2b9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jofuv.exe

Filesize
225KB

MD5
6f3ba4b96863e39b167f0e8c0903125a

SHA1
707152bd7494783652b7ed2aacc3a4b8955657ef

SHA256
2ec92e482ea6409b3eba3edf535e671dcea2823e0e335d9ac0cdd0bac39a4dfd

SHA512
9cd0f221c56b4c701ce16ac438ea22364785cc194e353ea976c8dd3052b0d2d36857683bb33c27722782393e5f65ee7d0c132f6268af37b69675e7a808b13538

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovtoe.exe

Filesize
337KB

MD5
c10773aaeccafb9068239bc64debdf53

SHA1
a10d8a26d22f32b47492da64f5a078b2b226435b

SHA256
5a1a674b1a6740508a8d2e9e59d9b30d2314111268ef5ed8022704299192a467

SHA512
e54b1c4f59da55b04f4542b84b4164db78d16a708b23872fee7f49c2e6bf1913a617ca6c97d25c062e53db03754a2a8fc4f0756fe5e8a066a2dfb2d6ec40d8f4

Download Submit
memory/324-4-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/324-0-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/324-2-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/324-1-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/324-3-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/324-23-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/2272-42-0x0000000000360000-0x00000000003FE000-memory.dmp

Filesize
632KB

Download
memory/2272-47-0x0000000000360000-0x00000000003FE000-memory.dmp

Filesize
632KB

Download
memory/2272-46-0x0000000000360000-0x00000000003FE000-memory.dmp

Filesize
632KB

Download
memory/2272-45-0x0000000000360000-0x00000000003FE000-memory.dmp

Filesize
632KB

Download
memory/2272-50-0x0000000000360000-0x00000000003FE000-memory.dmp

Filesize
632KB

Download
memory/2272-51-0x0000000000360000-0x00000000003FE000-memory.dmp

Filesize
632KB

Download
memory/4164-18-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/4164-19-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/4164-20-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/4164-26-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/4164-21-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/4164-14-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/4164-48-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing