urelas | 384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Size

427KB
MD5

2c5283c0e5519979932fb112a11d86e3
SHA1

c512c7ca7666c6c7a20a82fa7b5b3c140587814e
SHA256

384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5
SHA512

0af2f0f0ccaa9029d99c6dbac951d928b68bb0c48d643d6d09d90a9e286aa4ea468c789b57d3f2bb0a9e450f0a1ef9f0bb69597a65c1f6156233b0962c2becf0
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsp:YU7M5ijWh0XOW4sEfeOA

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000705-22.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	heriu.exe

Executes dropped EXE 2 IoCs

pid	Process
4936	heriu.exe
3020	xolim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heriu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xolim.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe
3020	xolim.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 4936	4484	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	82
PID 4484 wrote to memory of 4936	4484	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	82
PID 4484 wrote to memory of 4936	4484	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	82
PID 4484 wrote to memory of 4916	4484	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	83
PID 4484 wrote to memory of 4916	4484	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	83
PID 4484 wrote to memory of 4916	4484	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	83
PID 4936 wrote to memory of 3020	4936	heriu.exe	94
PID 4936 wrote to memory of 3020	4936	heriu.exe	94
PID 4936 wrote to memory of 3020	4936	heriu.exe	94

C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
"C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\heriu.exe
  "C:\Users\Admin\AppData\Local\Temp\heriu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\xolim.exe
    "C:\Users\Admin\AppData\Local\Temp\xolim.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
eb31203f5f96923d92feaff32488c418

SHA1
9705f8f7486538cf9e3189cf2f247613ca1ac64a

SHA256
97a329565d2ba8c8f6bf8fcdcb8f8022d8f2d9677c3c2592b46df9ca6743e4cc

SHA512
7bdaa10c1b77004b1e4b3d3842b62c95ea362cd5434d5c522cba872ae7e90a97d8713bb4ecd78cdc3f3fa0e5d909c02a4aaa1225d47cbaa4eacf2fdd4f75c94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bfd6f4e30716c4778a0faf16ca8e93fa

SHA1
79217af7d2100b3f120111fa0a3274ae190a9209

SHA256
443deebdb8b1feccdc71df21f720a918d7cbe3c319cb1a085d0d79750b590ba9

SHA512
eceed8428b31ed2f4bda72fb11d755166bf6b4fa1dae15bc853b70e7c632a432d8074277c55c57bb71ea13b1761b2f01a5a0d80b2b93bd8596fdcac93090acf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\heriu.exe

Filesize
427KB

MD5
6fb1e18049e8fc4a955ed9fd35ee3bf5

SHA1
dca113318ff01d963e8a15b315d7f72549321f05

SHA256
e7a6683c04260aefe2ef791fa6dec778be99a44b241505837bb50206e71a760e

SHA512
60ecdff1b4f9ee4c998a79c7f50513b1f64ab8004b13395e5c8e8ca807b567cc04953fab368bf5f74af46f187b1b77dacee5e7105733a0d4d77b9538299034f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xolim.exe

Filesize
212KB

MD5
f43400b090d1d88563c13f4fc5b3bc0e

SHA1
64b245a96a94707976a2e1e7dda704adb8b6f7c3

SHA256
8b68a7c3bcd1f74f96fc739b9c60c333bba9657b8bf067f1a656e98929be926e

SHA512
414d7302a0e3d60128e4919a0f32580a99fae6f40345714a98ded5d778f0f9f016cdc637291dc083cdb64bda5f0015df7cfda38c01bca92c1850fae8d9ee4cc7

Download Submit
memory/3020-29-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/3020-33-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/3020-36-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/3020-35-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/3020-34-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/3020-28-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/3020-27-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/3020-26-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/3020-32-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/4484-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4484-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4936-30-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4936-12-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4936-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download