urelas | 1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30

General

Target

1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe
Size

329KB
MD5

d62edbb903c07c03db6f4f4e223100e0
SHA1

0b8d2a884b1be06bac1f0acba5ba440b5170fbe9
SHA256

1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30
SHA512

54548e2632999b9fcefaa9468f28b02def72f1cd772308444abe31287d8ea935e1776f58f137dca730523cab3c929633038cec2854ce5ab77ae1ebcb2c26773e
SSDEEP

6144:zPVgqTQ9zAjPGhwLycSURGPp0RCeiYwpPaXRaBAz7jNsNRpxo3UBQE743vopFR:zPhTIzAjPHkUkPLeSPaXRL7xsNRXEFEv

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023cb6-10.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	teaph.exe

Executes dropped EXE 2 IoCs

pid	Process
1472	teaph.exe
736	kodyn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teaph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kodyn.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe
736	kodyn.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 1472	816	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	82
PID 816 wrote to memory of 1472	816	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	82
PID 816 wrote to memory of 1472	816	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	82
PID 816 wrote to memory of 788	816	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	83
PID 816 wrote to memory of 788	816	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	83
PID 816 wrote to memory of 788	816	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	83
PID 1472 wrote to memory of 736	1472	teaph.exe	94
PID 1472 wrote to memory of 736	1472	teaph.exe	94
PID 1472 wrote to memory of 736	1472	teaph.exe	94

C:\Users\Admin\AppData\Local\Temp\1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe
"C:\Users\Admin\AppData\Local\Temp\1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\teaph.exe
  "C:\Users\Admin\AppData\Local\Temp\teaph.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\kodyn.exe
    "C:\Users\Admin\AppData\Local\Temp\kodyn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
d7e36f5666c9241f982155c4a357314d

SHA1
7044fa30e82aff74ffb283bf20a9ed9918a31cb8

SHA256
373b4bf09edde46908f86ba18b0ce43a0bae0e79ae0e41a01e9c060e779afda7

SHA512
26ac63e0a367e48bb2a7ed1b9803cd7cae4fcd470c7e37b2a3d737613b952410916d1b46ae86d8dcbdc845a9bbb08ee75c7ba356f8428f492b5421bc198e42e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5b9d9e3395950b82b56f197c3839d339

SHA1
0aaf65f4f4ed3aa4ef5b0fe65cc11bec4e11bde1

SHA256
a83eb9a72289df07390cb97bada5e4869b7056cde374b25fe9a1f357e5bb3910

SHA512
c609c40414effd11ed0761aa2b25ddeb400f8504d478f81b3d9ef6455f7fbfa4ca3d0e703ac6c0b8ff0df0e6ddbb6e0da74aac40d7ba0fa80c86b0942a53bfd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kodyn.exe

Filesize
197KB

MD5
284f44cf288a9cdf819c4df91979de85

SHA1
5483bed873d155df01d0c95b43199c358b8b2217

SHA256
2e62a4d996259887e33842154381737ebea34ee7cd64488deb0effb485b75d22

SHA512
f7230f313c9d43b1028c3937c406003dc0ca98024e9ac0bd6beb1ed84ee34bd10b98589eb6cb788ca6b15b74eea2d6acc50137cdc6f0042c3016b841325176d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\teaph.exe

Filesize
329KB

MD5
43b2169dc5b3149f7fea633784cb8145

SHA1
3d3e7c30aec3c945f1f86ab8e08e47561bbe1c80

SHA256
b2a47d19a525d31d3a57c63318f389ccad68811e2a1c3fcbc2eaf5d03775f8f7

SHA512
a46fea07bd40748cb844dca9f87fa53482e37c87066a6f6a4b56cace6d210969d838fee72197b4c64a1bcaaa18d522819f6fba9e43fed3d78fc7b5da5e737c1d

Download Submit
memory/736-43-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/736-48-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/736-47-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/736-46-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/816-2-0x00000000009B0000-0x0000000000A2D000-memory.dmp

Filesize
500KB

Download
memory/816-1-0x00000000009B0000-0x0000000000A2D000-memory.dmp

Filesize
500KB

Download
memory/816-4-0x00000000009B0000-0x0000000000A2D000-memory.dmp

Filesize
500KB

Download
memory/816-3-0x00000000009B0000-0x0000000000A2D000-memory.dmp

Filesize
500KB

Download
memory/816-23-0x00000000009B0000-0x0000000000A2D000-memory.dmp

Filesize
500KB

Download
memory/816-0-0x00000000009B0000-0x0000000000A2D000-memory.dmp

Filesize
500KB

Download
memory/1472-21-0x0000000000D10000-0x0000000000D8D000-memory.dmp

Filesize
500KB

Download
memory/1472-20-0x0000000000D10000-0x0000000000D8D000-memory.dmp

Filesize
500KB

Download
memory/1472-19-0x0000000000D10000-0x0000000000D8D000-memory.dmp

Filesize
500KB

Download
memory/1472-26-0x0000000000D10000-0x0000000000D8D000-memory.dmp

Filesize
500KB

Download
memory/1472-22-0x0000000000D10000-0x0000000000D8D000-memory.dmp

Filesize
500KB

Download
memory/1472-42-0x0000000000D10000-0x0000000000D8D000-memory.dmp

Filesize
500KB

Download
memory/1472-14-0x0000000000D10000-0x0000000000D8D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing