urelas | f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839

General

Target

f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe
Size

274KB
MD5

f7c9a018f5d66e1d592cd9181491e320
SHA1

78e1282d9944d4571a5b10514b34439283fab774
SHA256

f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839
SHA512

9a0dc299c081d1a2ba20ca2f2ac50d17d969c1e30d81d5770f4206465ae2dd146e4a13d46752784d25a7d5d9849a328b4fc2f24d8495ca0361fb8dc0062dc4bc
SSDEEP

6144:96xwSR5NtUIJEWyXuew+q1l0d2Js6H5/TZkT:9A3NtUISdPw+Elq2Jsm2T

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000709-34.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	desol.exe

Executes dropped EXE 2 IoCs

pid	Process
2584	desol.exe
5112	couwq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	desol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	couwq.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe
5112	couwq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2584	2536	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	83
PID 2536 wrote to memory of 2584	2536	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	83
PID 2536 wrote to memory of 2584	2536	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	83
PID 2536 wrote to memory of 5088	2536	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	84
PID 2536 wrote to memory of 5088	2536	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	84
PID 2536 wrote to memory of 5088	2536	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	84
PID 2584 wrote to memory of 5112	2584	desol.exe	104
PID 2584 wrote to memory of 5112	2584	desol.exe	104
PID 2584 wrote to memory of 5112	2584	desol.exe	104

C:\Users\Admin\AppData\Local\Temp\f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe
"C:\Users\Admin\AppData\Local\Temp\f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\desol.exe
  "C:\Users\Admin\AppData\Local\Temp\desol.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\couwq.exe
    "C:\Users\Admin\AppData\Local\Temp\couwq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
19aad9e281519c7639e609614a7fc59c

SHA1
2051ad675e5404794c25eb65d989c4372709972e

SHA256
66fbc901984b456f25aaf9a511d143789843a7d50a8aaec458f4166f4dc4d00d

SHA512
0801f4745c7bfa2cd48189de96766cd945074b5b31dd0b66babbfb4e69bcd78524e3fb94372a5904dd47e703a3fae6f1102784a29ca66bf917a9390a75bfb47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\couwq.exe

Filesize
216KB

MD5
6100232eb24a712df7fd496a8eae6779

SHA1
8aa6cda600d12362d79c8670541267448fa42b0a

SHA256
9d4f6d062246a253633ee66714eb8ba7bc81fb4eafbfe98dd1efd361671650d6

SHA512
05436d6bedf7e3a1a72e33bcdc8ec33b409374e3e31c164d92779f114534692b69d8e08583e07e7e01f7ea4bd4dcc5bcbf755d2700c726eefa277ab7d806b04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\desol.exe

Filesize
274KB

MD5
239a5501f7c9a84efd39baebdd6218e9

SHA1
fc453709f2cb96e17e78810f9eeaed133545ebea

SHA256
85a054c5c31076f42712270f7978fb16ce824b63059ecd6d3f50cc83a2b08fcc

SHA512
20e7941e9d8dda10868dbc76249190398d6e2471c453a9a53214e6a76524539cce7a2e7c77c3aecd50c496a16c7eaeb0df35e9f563dc799d188f3343f2e28f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4920f0e8f2784fb1c4452cb6fc89d135

SHA1
2a76bccaeb2d5bde3251387ed62863ce33795990

SHA256
7916c3eec85c94b6907bd9e5215f53d87c4e8089c073f50aba395e45237867f4

SHA512
538cedcd39478de7c3de2cd0abb959f1279b8f00052316bc476a2bb40e54f8558de5f04dc562661016eaebfba993d05d65ad88c0968b87961a49f6ecc3054798

Download Submit
memory/2536-1-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2536-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2536-17-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2584-20-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2584-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2584-21-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2584-14-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2584-40-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5112-38-0x0000000000F30000-0x0000000000FD2000-memory.dmp

Filesize
648KB

Download
memory/5112-43-0x0000000000F30000-0x0000000000FD2000-memory.dmp

Filesize
648KB

Download
memory/5112-42-0x0000000000F30000-0x0000000000FD2000-memory.dmp

Filesize
648KB

Download
memory/5112-41-0x0000000000F30000-0x0000000000FD2000-memory.dmp

Filesize
648KB

Download
memory/5112-45-0x0000000000F30000-0x0000000000FD2000-memory.dmp

Filesize
648KB

Download
memory/5112-46-0x0000000000F30000-0x0000000000FD2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing