urelas | 4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0

General

Target

4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe
Size

427KB
MD5

881101dfbab2828e70ee78e5c4bcb590
SHA1

74df88468a643d17fbf5d1fffabaab1d5e310dfb
SHA256

4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0
SHA512

979be186a0b3354fee5d06652fd15053f25974610aa4aee02f0cbe63293231bff8eda6c14b524cc7334b8cd5855f920c965c846d7888937d61126cd7fa65a78c
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsZ:YU7M5ijWh0XOW4sEfeO+

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000707-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	bumyb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4524	bumyb.exe
4072	cefom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cefom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bumyb.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe
4072	cefom.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 4524	4692	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	83
PID 4692 wrote to memory of 4524	4692	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	83
PID 4692 wrote to memory of 4524	4692	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	83
PID 4692 wrote to memory of 2500	4692	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	84
PID 4692 wrote to memory of 2500	4692	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	84
PID 4692 wrote to memory of 2500	4692	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	84
PID 4524 wrote to memory of 4072	4524	bumyb.exe	103
PID 4524 wrote to memory of 4072	4524	bumyb.exe	103
PID 4524 wrote to memory of 4072	4524	bumyb.exe	103

C:\Users\Admin\AppData\Local\Temp\4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe
"C:\Users\Admin\AppData\Local\Temp\4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\bumyb.exe
  "C:\Users\Admin\AppData\Local\Temp\bumyb.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\cefom.exe
    "C:\Users\Admin\AppData\Local\Temp\cefom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
3f83b98ebc543a7596da0f19701f9cd8

SHA1
3ce5dab1d85c23f3721cfa4aab6d9e9438914278

SHA256
ff0f86534782d2389216c0f6b2a27f165d53e6af070da71d45fc159bf4522580

SHA512
6c427e9ec53b6a958fa529e1e86f14b5a9353befee95f4f8853d923435eefabb721d4ab78d71f8006a17dec374af739e6f05dd4ce5ebc3051129131ca5c075c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bumyb.exe

Filesize
427KB

MD5
df7dff09e93954a98f2bcab1f3dbe07b

SHA1
39d45ed9c2fa5302054097cb89331ab0ecfa9616

SHA256
a85541599b182cc48fe484f92c23e27e70b0f03c5f01244dd3b933106f0adef8

SHA512
8170e246a908c668325e5efd38c54421c53cb95010b1e6bb8034e1a19fbccc068faedd0a14eaa875e854d9636b903252dc17ca4c8371ad580b94d859384f1bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cefom.exe

Filesize
212KB

MD5
c8efef9c5423b95f40cb6af7fcea3ce4

SHA1
b2537bf47df7e0259dfe36ed3e869ccca4d0de62

SHA256
0fea85210bfb307469f3155a0f7ab9cd4ab8e9ae12f61794e7c060d4f484e4bb

SHA512
18318056d83040ff012d51efb0a4f4336b00de9baadb3c613affe58310a426503f066bcecc1886c27317968d613e4992bc7f1eb01d98bc9c1a1ddd3109c5e0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9f7d606409429a1a3cc9f10f7f444a5a

SHA1
5f8646089e9448dbcebe88ca52a168d2cb5db837

SHA256
cfdfdc85529ccdb3f040184d45b0a6e56c6995e4a914009e26123ef734ffabee

SHA512
7a2f2af7b0ea592c015b829b74c3ae5d4721dede9ed9ea3f5350637eaff1c34aab9f8774075291915b1967b3a54760c20fe806d71b36c2aeef604f4c400b00eb

Download Submit
memory/4072-28-0x0000000000FE0000-0x0000000001074000-memory.dmp

Filesize
592KB

Download
memory/4072-27-0x0000000000FE0000-0x0000000001074000-memory.dmp

Filesize
592KB

Download
memory/4072-26-0x0000000000FE0000-0x0000000001074000-memory.dmp

Filesize
592KB

Download
memory/4072-31-0x0000000000FE0000-0x0000000001074000-memory.dmp

Filesize
592KB

Download
memory/4072-32-0x0000000000FE0000-0x0000000001074000-memory.dmp

Filesize
592KB

Download
memory/4524-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4524-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4692-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4692-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing