urelas | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
Size

419KB
MD5

ad3c035ef68a24ff4176375bcdbdfef0
SHA1

dfcf400b12143c8d1626517034261dd625c5cd53
SHA256

c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365
SHA512

d27ec8fc9abc4cc1f5a10e724ce1f74bbb09c5ca0c2d4b72aa0ff2e630a3f1b91db675d904bdb5e3d2118e513ee3657f588b3245da7f741020259862832d907b
SSDEEP

6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODsvFwy:hU7M5ijWh0XOW4sEfeOkr

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-26.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
1680	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1040	cisus.exe
336	aclol.exe

Loads dropped DLL 3 IoCs

pid	Process
2604	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
2604	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
1040	cisus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aclol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cisus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe
336	aclol.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1040	2604	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	30
PID 2604 wrote to memory of 1040	2604	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	30
PID 2604 wrote to memory of 1040	2604	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	30
PID 2604 wrote to memory of 1040	2604	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	30
PID 2604 wrote to memory of 1680	2604	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	31
PID 2604 wrote to memory of 1680	2604	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	31
PID 2604 wrote to memory of 1680	2604	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	31
PID 2604 wrote to memory of 1680	2604	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	31
PID 1040 wrote to memory of 336	1040	cisus.exe	34
PID 1040 wrote to memory of 336	1040	cisus.exe	34
PID 1040 wrote to memory of 336	1040	cisus.exe	34
PID 1040 wrote to memory of 336	1040	cisus.exe	34

C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
"C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\cisus.exe
  "C:\Users\Admin\AppData\Local\Temp\cisus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\aclol.exe
    "C:\Users\Admin\AppData\Local\Temp\aclol.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
5db75dd1cd006582f4132530f639e094

SHA1
e2c83e4f5fcc22ea06531df28c3a2ab3e5fd2e3f

SHA256
62a61899aebf7002a7b8ba56179ea67a714397d52a6138a8e73cf1f2fe0a6a51

SHA512
98434a96fe5eab83304b0ac3949b800500a0598e4ac4154eb76076731ecc6334e00b27273b4385252c34796ecc1f34c174baf6adb59e0352f78b56e4b099e969

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a89ab349749048d8366159d26b37893e

SHA1
f4ed79b084a00331a97f5771b49155b91d9ca6ac

SHA256
bd2831f2c3e5a84c75a83cf82e67655a922443997dbfa912b103ac1c04fc6941

SHA512
2de0c080a921b794a0872421ff1051522106207ba817699d202ad23262554f90081fd05a5e31bfc17f1fd5572a692ca29b8de7648710d9a9f2e36e53664246ac

Download Submit
\Users\Admin\AppData\Local\Temp\aclol.exe

Filesize
212KB

MD5
55bdf2c712738e997825bb20b7bdee28

SHA1
e49793b03039f806202a7b97afcbba8fee286f9b

SHA256
138b013018880ee8301dbf2485066f4c58802017880b5eaa90900dd6697370a0

SHA512
47ffa1fc0c5ee911270f9488e855ce5465e8b2e4dce808f0b3d03a225f9e02c14b6e55ff4b35ccb807a6e943390b1b362fdbb522c5472ad549551b55973c30be

Download Submit
\Users\Admin\AppData\Local\Temp\cisus.exe

Filesize
419KB

MD5
7cbc0d127cc58d4a333a603d712323bc

SHA1
35b94961aa5315ae2b3e9e176a67d0731f3d05ba

SHA256
dfc5c7bf41fff5994b54f45bee49ec675dd83b8bd25d870ff06483ffb238a030

SHA512
f5d555a61b3b1e76521933432ba0b30787c8b96a884312bd94f0bbee4a3126cf999a10537e962c2020a26b2693bcee9eed7dc67b26daaa7214a4c71a8e9478c7

Download Submit
memory/336-39-0x0000000000200000-0x0000000000294000-memory.dmp

Filesize
592KB

Download
memory/336-40-0x0000000000200000-0x0000000000294000-memory.dmp

Filesize
592KB

Download
memory/336-35-0x0000000000200000-0x0000000000294000-memory.dmp

Filesize
592KB

Download
memory/336-41-0x0000000000200000-0x0000000000294000-memory.dmp

Filesize
592KB

Download
memory/336-38-0x0000000000200000-0x0000000000294000-memory.dmp

Filesize
592KB

Download
memory/336-34-0x0000000000200000-0x0000000000294000-memory.dmp

Filesize
592KB

Download
memory/336-33-0x0000000000200000-0x0000000000294000-memory.dmp

Filesize
592KB

Download
memory/336-37-0x0000000000200000-0x0000000000294000-memory.dmp

Filesize
592KB

Download
memory/336-31-0x0000000000200000-0x0000000000294000-memory.dmp

Filesize
592KB

Download
memory/1040-28-0x0000000003B90000-0x0000000003C24000-memory.dmp

Filesize
592KB

Download
memory/1040-32-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1040-23-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2604-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2604-20-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2604-6-0x0000000002980000-0x00000000029E5000-memory.dmp

Filesize
404KB

Download