urelas | eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
Size

329KB
MD5

6812c0ef40c70d2409b123e19350c1e1
SHA1

55480d53effecf77d8c71c9df16586d7542e2baf
SHA256

eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5
SHA512

cd08ab3121278108e17ee22df078f7c9b035932bfa55693f1db1675dba7754057d531499ffdd9cb11923de914185fd1ef85671d45bd75ac29cc74cd8da821d7c
SSDEEP

6144:zPVgqTQ9zAjPGhwLycSURGPp0RCeiYwpPaXRaBAz7jNsNRpxo3UBQE743vopF5:zPhTIzAjPHkUkPLeSPaXRL7xsNRXEFEH

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000016c95-8.dat	aspack_v212_v242
behavioral1/files/0x000a000000016c95-49.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2324	ojqak.exe
1496	goduy.exe

Loads dropped DLL 2 IoCs

pid	Process
2612	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
2324	ojqak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojqak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goduy.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe
1496	goduy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2324	2612	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	31
PID 2612 wrote to memory of 2324	2612	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	31
PID 2612 wrote to memory of 2324	2612	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	31
PID 2612 wrote to memory of 2324	2612	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	31
PID 2612 wrote to memory of 2640	2612	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	32
PID 2612 wrote to memory of 2640	2612	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	32
PID 2612 wrote to memory of 2640	2612	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	32
PID 2612 wrote to memory of 2640	2612	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	32
PID 2324 wrote to memory of 1496	2324	ojqak.exe	35
PID 2324 wrote to memory of 1496	2324	ojqak.exe	35
PID 2324 wrote to memory of 1496	2324	ojqak.exe	35
PID 2324 wrote to memory of 1496	2324	ojqak.exe	35

C:\Users\Admin\AppData\Local\Temp\eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
"C:\Users\Admin\AppData\Local\Temp\eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\ojqak.exe
  "C:\Users\Admin\AppData\Local\Temp\ojqak.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\goduy.exe
    "C:\Users\Admin\AppData\Local\Temp\goduy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
76b2064fc7afd7b80fd7e869b06932d4

SHA1
26edb10067b620f24f9f0481d52ccbf47181635d

SHA256
a94f410d97ad4d13464d48b1bf49a294827d41042da44ceb73521f6c6dd0ff6a

SHA512
504d1c7cd7ea651ab58e137a597089f8bdeafbff0ced966290f652921391c9b5a5c7c4182fa635918ab2c2999cb8a6c7b70e9eaee335f665c888c69e5f2329e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\goduy.exe

Filesize
197KB

MD5
e7fa34eea92f759faf741b9a29f959a1

SHA1
5efdca59016e9de269004814c43c3e64171ea836

SHA256
edb99da3ee0409969ef9a96a7e968c60e465d0a71caa4179560c4913370f93a9

SHA512
704808b108771054548a3333229e711dccc03bddc361b52ab75aa803b3837f32c0c9fc493212f67fd18e373485b8420b6a1fc6a4109e0ecb2e191bfc7e42cc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b126f231e2372479baec0f7bb01285aa

SHA1
0840cd0f817cf6759adfc6dd39697d0d69ea05a0

SHA256
8e8165889662750a87d618fc24a1bfa373f4b6d0062caa05598e28e55a9b3135

SHA512
9479a0e58c1cc32a52c19378be3c93a54ab3ed48ca9bab0aa3e4834a6cb9658710feee0f92dbadf140b038b4c7fc3105f8ba7ce167d88c0a23eaa3f41c647e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojqak.exe

Filesize
329KB

MD5
3e6d0b61d303e3aed5eb8e13eb7a6473

SHA1
9a74a0262b7ee521ecceab48ac71aaf361c868cb

SHA256
578d38f843025bc683141c43f3f58a9fbb64a5fb2c318e76521093bd35a5e362

SHA512
5dcf4bfe0993230207a3c25ca761580064cb7ec9941f392faacab07663ab32a188f1778443a94468d3bfc6e1ca246698cf36d2139882cef83d48166432113ad2

Download Submit
\Users\Admin\AppData\Local\Temp\ojqak.exe

Filesize
329KB

MD5
34fcfb64e559f9bc83605b64ce556b54

SHA1
987bd4566bc55221860747a61e4c65b80e10814f

SHA256
ee28bb94599852790c8941620737273903a876dddaf83ba6922c364a1b1efbec

SHA512
34cc7abe37e2b2de6dcdd5cec77735e76781edaab95f704bf7211a8b1173a86cccd6440094b1ac20de60e5df5bf25cb7bd8a65eddde9f6e687a14bb32d33d43a

Download Submit
memory/1496-55-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1496-54-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1496-53-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1496-52-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1496-51-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1496-50-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1496-47-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2324-17-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/2324-16-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/2324-19-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/2324-30-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/2324-14-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/2324-46-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/2324-15-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/2612-27-0x0000000000940000-0x00000000009BD000-memory.dmp

Filesize
500KB

Download
memory/2612-12-0x0000000002450000-0x00000000024CD000-memory.dmp

Filesize
500KB

Download
memory/2612-0-0x0000000000940000-0x00000000009BD000-memory.dmp

Filesize
500KB

Download
memory/2612-3-0x0000000000940000-0x00000000009BD000-memory.dmp

Filesize
500KB

Download
memory/2612-4-0x0000000000940000-0x00000000009BD000-memory.dmp

Filesize
500KB

Download
memory/2612-2-0x0000000000940000-0x00000000009BD000-memory.dmp

Filesize
500KB

Download
memory/2612-1-0x0000000000940000-0x00000000009BD000-memory.dmp

Filesize
500KB

Download