urelas | 384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 07:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Size

427KB
MD5

2c5283c0e5519979932fb112a11d86e3
SHA1

c512c7ca7666c6c7a20a82fa7b5b3c140587814e
SHA256

384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5
SHA512

0af2f0f0ccaa9029d99c6dbac951d928b68bb0c48d643d6d09d90a9e286aa4ea468c789b57d3f2bb0a9e450f0a1ef9f0bb69597a65c1f6156233b0962c2becf0
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsp:YU7M5ijWh0XOW4sEfeOA

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00090000000164db-28.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
1716	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2344	duucx.exe
1736	dopea.exe

Loads dropped DLL 3 IoCs

pid	Process
2092	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
2092	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
2344	duucx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duucx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dopea.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe
1736	dopea.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2344	2092	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	30
PID 2092 wrote to memory of 2344	2092	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	30
PID 2092 wrote to memory of 2344	2092	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	30
PID 2092 wrote to memory of 2344	2092	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	30
PID 2092 wrote to memory of 1716	2092	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	31
PID 2092 wrote to memory of 1716	2092	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	31
PID 2092 wrote to memory of 1716	2092	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	31
PID 2092 wrote to memory of 1716	2092	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	31
PID 2344 wrote to memory of 1736	2344	duucx.exe	34
PID 2344 wrote to memory of 1736	2344	duucx.exe	34
PID 2344 wrote to memory of 1736	2344	duucx.exe	34
PID 2344 wrote to memory of 1736	2344	duucx.exe	34

C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
"C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\duucx.exe
  "C:\Users\Admin\AppData\Local\Temp\duucx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\dopea.exe
    "C:\Users\Admin\AppData\Local\Temp\dopea.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
eb31203f5f96923d92feaff32488c418

SHA1
9705f8f7486538cf9e3189cf2f247613ca1ac64a

SHA256
97a329565d2ba8c8f6bf8fcdcb8f8022d8f2d9677c3c2592b46df9ca6743e4cc

SHA512
7bdaa10c1b77004b1e4b3d3842b62c95ea362cd5434d5c522cba872ae7e90a97d8713bb4ecd78cdc3f3fa0e5d909c02a4aaa1225d47cbaa4eacf2fdd4f75c94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2ac8f660471d8eb76c61d4ad52645cfb

SHA1
1b93588156d65d98af1e078bc1ec86a25ae0ecd1

SHA256
4602535b914dbb574c56ce72cb013b88a6c6cc1852dda28bc1b5d097c8cbd18f

SHA512
ad952ad67ef103e4f0fc898d93d1a26ef43dba4d22e03b3e10b1ed978e3d8612f5403ce3104aa9b3a984bbcd0df51f5e36625b45e7011b7807442a6bc5e3e8c5

Download Submit
\Users\Admin\AppData\Local\Temp\dopea.exe

Filesize
212KB

MD5
533ccd818ea4e091a77ec850ef665c34

SHA1
0f6abf9efa05087cde6bed7f651dee6d748e2b81

SHA256
22be5b19c75c9db59a921ae61f8cc80d2425ad76d4b65e377bc2714f7fa21817

SHA512
ce5ff4aeb405c2457a592f18bc792bf825d13afbe579c7e7668f7468f182bed91f7abaeeed3f76a8957625dad19b792a7a28ebaf1d8080890c0438f1452a7c50

Download Submit
\Users\Admin\AppData\Local\Temp\duucx.exe

Filesize
427KB

MD5
a502d65fdb0200ee4b2ced951d029c69

SHA1
6f44f68f25dbf4a27636c0ec4cf7a477a14a0016

SHA256
fc1609867d8beb9eed59130ef5197ff75602513f30e2fde647aa68fa01e6f850

SHA512
dfba07f32c2a9e2dc6abae9a01a747d7079c02998b2c254578161c967d99aa7bcd59cc1f82cfd2227be35c07a32dedfb8774e47ae4d11d0e68397e9a73dfd6dc

Download Submit
memory/1736-36-0x0000000000830000-0x00000000008C4000-memory.dmp

Filesize
592KB

Download
memory/1736-41-0x0000000000830000-0x00000000008C4000-memory.dmp

Filesize
592KB

Download
memory/1736-44-0x0000000000830000-0x00000000008C4000-memory.dmp

Filesize
592KB

Download
memory/1736-43-0x0000000000830000-0x00000000008C4000-memory.dmp

Filesize
592KB

Download
memory/1736-42-0x0000000000830000-0x00000000008C4000-memory.dmp

Filesize
592KB

Download
memory/1736-40-0x0000000000830000-0x00000000008C4000-memory.dmp

Filesize
592KB

Download
memory/1736-34-0x0000000000830000-0x00000000008C4000-memory.dmp

Filesize
592KB

Download
memory/1736-35-0x0000000000830000-0x00000000008C4000-memory.dmp

Filesize
592KB

Download
memory/1736-37-0x0000000000830000-0x00000000008C4000-memory.dmp

Filesize
592KB

Download
memory/2092-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2092-19-0x00000000029B0000-0x0000000002A17000-memory.dmp

Filesize
412KB

Download
memory/2092-20-0x00000000029B0000-0x0000000002A17000-memory.dmp

Filesize
412KB

Download
memory/2092-22-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2344-31-0x0000000003390000-0x0000000003424000-memory.dmp

Filesize
592KB

Download
memory/2344-33-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2344-21-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2344-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download