urelas | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
Size

419KB
MD5

ad3c035ef68a24ff4176375bcdbdfef0
SHA1

dfcf400b12143c8d1626517034261dd625c5cd53
SHA256

c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365
SHA512

d27ec8fc9abc4cc1f5a10e724ce1f74bbb09c5ca0c2d4b72aa0ff2e630a3f1b91db675d904bdb5e3d2118e513ee3657f588b3245da7f741020259862832d907b
SSDEEP

6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODsvFwy:hU7M5ijWh0XOW4sEfeOkr

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000709-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	doefi.exe

Executes dropped EXE 2 IoCs

pid	Process
2196	doefi.exe
4008	ybzob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ybzob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doefi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe
4008	ybzob.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 2196	3448	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	83
PID 3448 wrote to memory of 2196	3448	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	83
PID 3448 wrote to memory of 2196	3448	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	83
PID 3448 wrote to memory of 4464	3448	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	84
PID 3448 wrote to memory of 4464	3448	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	84
PID 3448 wrote to memory of 4464	3448	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe	84
PID 2196 wrote to memory of 4008	2196	doefi.exe	104
PID 2196 wrote to memory of 4008	2196	doefi.exe	104
PID 2196 wrote to memory of 4008	2196	doefi.exe	104

C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
"C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\doefi.exe
  "C:\Users\Admin\AppData\Local\Temp\doefi.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\ybzob.exe
    "C:\Users\Admin\AppData\Local\Temp\ybzob.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
5db75dd1cd006582f4132530f639e094

SHA1
e2c83e4f5fcc22ea06531df28c3a2ab3e5fd2e3f

SHA256
62a61899aebf7002a7b8ba56179ea67a714397d52a6138a8e73cf1f2fe0a6a51

SHA512
98434a96fe5eab83304b0ac3949b800500a0598e4ac4154eb76076731ecc6334e00b27273b4385252c34796ecc1f34c174baf6adb59e0352f78b56e4b099e969

Download Submit
C:\Users\Admin\AppData\Local\Temp\doefi.exe

Filesize
419KB

MD5
72d1655760640cb9be53e0c6ec2b8339

SHA1
6df22bd4e7159ab9ad36cb9641e14f7d9dbab953

SHA256
bbc37f46f8463e96804e9d7043df0484be547c8b120aede25c95a81b9b3497c8

SHA512
2e2a9fcc68f01386a4cda751db11aa08c5ba12fe456ba5d62ea1bdcff5fb38d2201a7507c26b7eddaadbba0d0a5c6f11befeda0b901a20454cebdae802f979ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
648a32ed650ef7dcda539ded1b95238f

SHA1
ed46ef4e8ca7baedfc30323eed1887005d762f07

SHA256
68233e4d2ea57a5b3438d6e8860db36d4a79ab92bade7813c93e13845ddbd245

SHA512
277be57e0d7183643995b85cc3b76c5acfd43f44831284978374af9a81bcc0898391142761a1219be3dbc7c346d87cd04e56dcbbe6776804fe8f16b5dc72e59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybzob.exe

Filesize
212KB

MD5
662168b331122bdfbc8049be5d2757e0

SHA1
e827788731dff8d782702b99e88b5cd2867bc4c8

SHA256
5d1a9f9b7a006f722df68faa58df56aa6288f179cf6c87cb3ccb1ea44414ca39

SHA512
594388259826284b28e7acd656f78dfa8f08b8bda8c6a32905e34d843d072cc20bb0406bddfd523b1ff4ceefcf09af4611afc004400ebd1f3816cf4a07e2a69c

Download Submit
memory/2196-29-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2196-16-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3448-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3448-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4008-28-0x0000000000020000-0x00000000000B4000-memory.dmp

Filesize
592KB

Download
memory/4008-27-0x0000000000020000-0x00000000000B4000-memory.dmp

Filesize
592KB

Download
memory/4008-26-0x0000000000020000-0x00000000000B4000-memory.dmp

Filesize
592KB

Download
memory/4008-25-0x0000000000020000-0x00000000000B4000-memory.dmp

Filesize
592KB

Download
memory/4008-31-0x0000000000020000-0x00000000000B4000-memory.dmp

Filesize
592KB

Download
memory/4008-32-0x0000000000020000-0x00000000000B4000-memory.dmp

Filesize
592KB

Download
memory/4008-33-0x0000000000020000-0x00000000000B4000-memory.dmp

Filesize
592KB

Download
memory/4008-34-0x0000000000020000-0x00000000000B4000-memory.dmp

Filesize
592KB

Download
memory/4008-35-0x0000000000020000-0x00000000000B4000-memory.dmp

Filesize
592KB

Download