urelas | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365

General

Target

c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe
Size

419KB
MD5

ad3c035ef68a24ff4176375bcdbdfef0
SHA1

dfcf400b12143c8d1626517034261dd625c5cd53
SHA256

c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365
SHA512

d27ec8fc9abc4cc1f5a10e724ce1f74bbb09c5ca0c2d4b72aa0ff2e630a3f1b91db675d904bdb5e3d2118e513ee3657f588b3245da7f741020259862832d907b
SSDEEP

6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODsvFwy:hU7M5ijWh0XOW4sEfeOkr

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000705-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sueqw.exe

Executes dropped EXE 2 IoCs

pid	Process
3612	sueqw.exe
2212	xykyt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sueqw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xykyt.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe
2212	xykyt.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 3612	3548	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	83
PID 3548 wrote to memory of 3612	3548	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	83
PID 3548 wrote to memory of 3612	3548	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	83
PID 3548 wrote to memory of 1764	3548	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	84
PID 3548 wrote to memory of 1764	3548	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	84
PID 3548 wrote to memory of 1764	3548	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	84
PID 3612 wrote to memory of 2212	3612	sueqw.exe	104
PID 3612 wrote to memory of 2212	3612	sueqw.exe	104
PID 3612 wrote to memory of 2212	3612	sueqw.exe	104

C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe
"C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Local\Temp\sueqw.exe
  "C:\Users\Admin\AppData\Local\Temp\sueqw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\xykyt.exe
    "C:\Users\Admin\AppData\Local\Temp\xykyt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
50ea792bba913a3073ea21487ce12fd4

SHA1
372b7c296584ddd49cff19f01b30899007bbb8a7

SHA256
c2e3684afedf466ee04c9013d86b89fb9d17a994ae1a1372866eeff0d54480b3

SHA512
21b21d857975c87f7e212a220f8ba3ee80edc985f7be6d7ac8893f1f0e6416a788cc44f55f3065a19958e1fe114148b1858e476b0f34978d24f50a47de6b967b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fee1ae03004b8e785e17e175abf5bbee

SHA1
12d0b4bebc288de7d72096a837215c6e899fdbf0

SHA256
c42de20cce9b10e1ff28c4eec5c7a91e1515d37525b0b57c7e0ef883087eb8b9

SHA512
9f659daf5221b76b55cf61af0b252c8b91a32d1d7c912b05cc3539418e9d31e70d5b09b426bcbe55682ba895cefd5326b1442580f77e7a9f290991c4fb6e5cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sueqw.exe

Filesize
419KB

MD5
381df168243683914bc98cfa8da09f7e

SHA1
f0e442a651b9c7f5cc627c50de6cd6cedd432c5c

SHA256
4436fc3365b45fb46ba58490fbb84fa1e46e4cc89e67d6b2adb9c65850698a27

SHA512
e99942abcc4f48fb233bd64fc35279436227e367a9fbea19d3c1712d64a652a5ade47ff561c9ecdca7eeffcf3ec7f5a822104e10dfc2d596202e41056ce28dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\xykyt.exe

Filesize
212KB

MD5
27f2bf9f76adeb996b1f11f12eeddfe4

SHA1
2ff9b86ac0034c7806b069cff932c73a2cb86eb8

SHA256
2086ffc75292ce5017c8815d73eb904dc294cd52298d3306c93561d8763900e6

SHA512
981dab2e7f0312ca6556fe0471e6782aae4ca23eea6d239f121a64834e1354aa9ea6421d5c17dfe04034d23641edd644d957d7d2874494447c6e5560c6a4a053

Download Submit
memory/2212-28-0x0000000000770000-0x0000000000804000-memory.dmp

Filesize
592KB

Download
memory/2212-27-0x0000000000770000-0x0000000000804000-memory.dmp

Filesize
592KB

Download
memory/2212-25-0x0000000000770000-0x0000000000804000-memory.dmp

Filesize
592KB

Download
memory/2212-26-0x0000000000770000-0x0000000000804000-memory.dmp

Filesize
592KB

Download
memory/2212-31-0x0000000000770000-0x0000000000804000-memory.dmp

Filesize
592KB

Download
memory/2212-32-0x0000000000770000-0x0000000000804000-memory.dmp

Filesize
592KB

Download
memory/3548-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3548-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3612-16-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3612-29-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing