urelas | 384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5

General

Target

384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Size

427KB
MD5

2c5283c0e5519979932fb112a11d86e3
SHA1

c512c7ca7666c6c7a20a82fa7b5b3c140587814e
SHA256

384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5
SHA512

0af2f0f0ccaa9029d99c6dbac951d928b68bb0c48d643d6d09d90a9e286aa4ea468c789b57d3f2bb0a9e450f0a1ef9f0bb69597a65c1f6156233b0962c2becf0
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsp:YU7M5ijWh0XOW4sEfeOA

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000709-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cezef.exe

Executes dropped EXE 2 IoCs

pid	Process
4020	cezef.exe
4380	elgev.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cezef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elgev.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe
4380	elgev.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 4020	4704	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	84
PID 4704 wrote to memory of 4020	4704	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	84
PID 4704 wrote to memory of 4020	4704	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	84
PID 4704 wrote to memory of 1416	4704	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	85
PID 4704 wrote to memory of 1416	4704	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	85
PID 4704 wrote to memory of 1416	4704	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	85
PID 4020 wrote to memory of 4380	4020	cezef.exe	96
PID 4020 wrote to memory of 4380	4020	cezef.exe	96
PID 4020 wrote to memory of 4380	4020	cezef.exe	96

C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
"C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\cezef.exe
  "C:\Users\Admin\AppData\Local\Temp\cezef.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\elgev.exe
    "C:\Users\Admin\AppData\Local\Temp\elgev.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
eb31203f5f96923d92feaff32488c418

SHA1
9705f8f7486538cf9e3189cf2f247613ca1ac64a

SHA256
97a329565d2ba8c8f6bf8fcdcb8f8022d8f2d9677c3c2592b46df9ca6743e4cc

SHA512
7bdaa10c1b77004b1e4b3d3842b62c95ea362cd5434d5c522cba872ae7e90a97d8713bb4ecd78cdc3f3fa0e5d909c02a4aaa1225d47cbaa4eacf2fdd4f75c94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cezef.exe

Filesize
427KB

MD5
dbc76aa9e1ad2b12af04623ef6c98d5c

SHA1
f47bd58e980bf24a014298ee2aade71b488f0f1e

SHA256
045c8cd3bc6982ed9a3443b4c632c8576d0d1b9b9a3188b02c81a33f24c888b2

SHA512
93617082dac60fd425faed916a3e4bc469cd9a773fa90a3230b9c21b6f7d9d5c3b9a6b3eb54a27c8209ff19f3008b57fe3ca2f5104c9f8495863298c62b45365

Download Submit
C:\Users\Admin\AppData\Local\Temp\elgev.exe

Filesize
212KB

MD5
fedf7b9eee6022dc319506eddd394266

SHA1
0e9367a9f9719ed91162f426c49557f3bb7f5dd2

SHA256
f05464380ec637ea12a41d1e6fb31499c6a31ed8347a4f3925b56ae180b1cc09

SHA512
3c505068080590121a375d8bf83641f5635da10a17e18808be108d407d2d2b0a7caf4438c21571bff652eb1a467409cbb5b11d0c4cf3d272c0c26b92df16f178

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9f8923d7696f12d3376d29414f24b7e2

SHA1
b7707722b0312e91d2e9e463396ea99fc29d2bb8

SHA256
1b73444872fd1072a70640070a62a07059ddb96ad8a8e58bdff0dc9ab3feab5c

SHA512
5f89b6d553231093b6990e0ec0dd5bd7fd74eb3c4ce5f54fb3c66cf233d90977cab0b81c5bf4601d5dfe6f538cc1e5c553cc7f693659f8f1f73465c193a4d212

Download Submit
memory/4020-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4020-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4380-25-0x0000000000FD0000-0x0000000001064000-memory.dmp

Filesize
592KB

Download
memory/4380-27-0x0000000000FD0000-0x0000000001064000-memory.dmp

Filesize
592KB

Download
memory/4380-29-0x0000000000FD0000-0x0000000001064000-memory.dmp

Filesize
592KB

Download
memory/4380-28-0x0000000000FD0000-0x0000000001064000-memory.dmp

Filesize
592KB

Download
memory/4380-31-0x0000000000FD0000-0x0000000001064000-memory.dmp

Filesize
592KB

Download
memory/4380-32-0x0000000000FD0000-0x0000000001064000-memory.dmp

Filesize
592KB

Download
memory/4704-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4704-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing