urelas | eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
Size

329KB
MD5

6812c0ef40c70d2409b123e19350c1e1
SHA1

55480d53effecf77d8c71c9df16586d7542e2baf
SHA256

eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5
SHA512

cd08ab3121278108e17ee22df078f7c9b035932bfa55693f1db1675dba7754057d531499ffdd9cb11923de914185fd1ef85671d45bd75ac29cc74cd8da821d7c
SSDEEP

6144:zPVgqTQ9zAjPGhwLycSURGPp0RCeiYwpPaXRaBAz7jNsNRpxo3UBQE743vopF5:zPhTIzAjPHkUkPLeSPaXRL7xsNRXEFEH

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023cc8-10.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	qoqug.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe

Executes dropped EXE 2 IoCs

pid	Process
1984	qoqug.exe
3356	jeodg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoqug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeodg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe
3356	jeodg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 1984	4512	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	82
PID 4512 wrote to memory of 1984	4512	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	82
PID 4512 wrote to memory of 1984	4512	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	82
PID 4512 wrote to memory of 860	4512	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	83
PID 4512 wrote to memory of 860	4512	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	83
PID 4512 wrote to memory of 860	4512	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	83
PID 1984 wrote to memory of 3356	1984	qoqug.exe	94
PID 1984 wrote to memory of 3356	1984	qoqug.exe	94
PID 1984 wrote to memory of 3356	1984	qoqug.exe	94

C:\Users\Admin\AppData\Local\Temp\eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
"C:\Users\Admin\AppData\Local\Temp\eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\qoqug.exe
  "C:\Users\Admin\AppData\Local\Temp\qoqug.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\jeodg.exe
    "C:\Users\Admin\AppData\Local\Temp\jeodg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
76b2064fc7afd7b80fd7e869b06932d4

SHA1
26edb10067b620f24f9f0481d52ccbf47181635d

SHA256
a94f410d97ad4d13464d48b1bf49a294827d41042da44ceb73521f6c6dd0ff6a

SHA512
504d1c7cd7ea651ab58e137a597089f8bdeafbff0ced966290f652921391c9b5a5c7c4182fa635918ab2c2999cb8a6c7b70e9eaee335f665c888c69e5f2329e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5e424c64cc3968f77ff3c73afd89ff28

SHA1
2646908fb2bb8a93f50d70dc1ada151a2edcd71b

SHA256
b39f64050594738063ca7bf8ff483cf84eda786b94abadf56e4255cad9cfe34c

SHA512
c97a4c4063bdc34f06659adfc698c2d058561f6498ee79059996fd6dbc0f835d935157a41a0797e20b6ff5de3b074b639cd0c41fd9ecf1e4c2ae382180a4d0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeodg.exe

Filesize
197KB

MD5
a07974e4c5e9634f9c32e56be2a2bce4

SHA1
5caec7cda590c1889866a5c7ea47545c45ca80d7

SHA256
e552fb52ffa5b04031e691320b7471ed276f7f36800398edb1b9436e9959a3a0

SHA512
3d421db5d7678671545390b41862511b613da787e4ec5fafcb121db13844fef4f458150892dd5c30d3040684bfe6205dca9304f08103d4b6cab0d596f274341b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoqug.exe

Filesize
329KB

MD5
5b4c81f32eafd2bcfdc1df28dd6d2442

SHA1
1d7dd3b00b6cf53d0deadd2ef6dbef0716904508

SHA256
277d3e83f271374cb670ddb1876fba1dcf694ee547c7fc8514fdb8bebb3b05d0

SHA512
ab9e7cd44003323c298f06f508a3a80ce2d6956606d83640e2822cf705f230b36fc1fd7c614254e8c7785fd581933c72d0f3da1647204f0be200320307983451

Download Submit
memory/1984-17-0x0000000000F80000-0x0000000000FFD000-memory.dmp

Filesize
500KB

Download
memory/1984-18-0x0000000000F80000-0x0000000000FFD000-memory.dmp

Filesize
500KB

Download
memory/1984-15-0x0000000000F80000-0x0000000000FFD000-memory.dmp

Filesize
500KB

Download
memory/1984-19-0x0000000000F80000-0x0000000000FFD000-memory.dmp

Filesize
500KB

Download
memory/1984-20-0x0000000000F80000-0x0000000000FFD000-memory.dmp

Filesize
500KB

Download
memory/1984-45-0x0000000000F80000-0x0000000000FFD000-memory.dmp

Filesize
500KB

Download
memory/1984-26-0x0000000000F80000-0x0000000000FFD000-memory.dmp

Filesize
500KB

Download
memory/3356-47-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3356-50-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3356-49-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3356-51-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3356-48-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3356-43-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3356-52-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4512-23-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/4512-3-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/4512-1-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/4512-0-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/4512-2-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download
memory/4512-4-0x0000000000FD0000-0x000000000104D000-memory.dmp

Filesize
500KB

Download