urelas | f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe
Size

633KB
MD5

b6fcc67a9b78bb28d5bc74158357e28e
SHA1

ce94d1931bef3c8733228d6d72c9a360f215f2be
SHA256

f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916
SHA512

adf0977a1873edaf5a3850c97a11ee1e0e2b7faba10964670e86183229844fbdd41df0f2231794f11a0d423c36687aa0a162d73471c96b19df543ebebd334d37
SSDEEP

12288:5U7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsd3:5UowYcOW4a2YcOW4s

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000707-22.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	kyzig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe

Executes dropped EXE 2 IoCs

pid	Process
1832	kyzig.exe
748	afzux.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyzig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afzux.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe
748	afzux.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 1832	220	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	83
PID 220 wrote to memory of 1832	220	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	83
PID 220 wrote to memory of 1832	220	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	83
PID 220 wrote to memory of 4748	220	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	84
PID 220 wrote to memory of 4748	220	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	84
PID 220 wrote to memory of 4748	220	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	84
PID 1832 wrote to memory of 748	1832	kyzig.exe	104
PID 1832 wrote to memory of 748	1832	kyzig.exe	104
PID 1832 wrote to memory of 748	1832	kyzig.exe	104

C:\Users\Admin\AppData\Local\Temp\f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe
"C:\Users\Admin\AppData\Local\Temp\f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\kyzig.exe
  "C:\Users\Admin\AppData\Local\Temp\kyzig.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\afzux.exe
    "C:\Users\Admin\AppData\Local\Temp\afzux.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
da10abeb4dfac4621f590a9af1d3c77a

SHA1
991dfda107240588182ae1d67aba33e549094c8c

SHA256
163610e949e1abf0093d02a79f9d44d96d00adbf1d14165138b0fc196c55caba

SHA512
3db6a6502c7407d1e2bba2a29ebdd8c840d2f632e539bebe4d0d1e8d950ef8605fbd482ee7342313476052a3495eba06ab0ba5099a99dfc5af55645856e5d949

Download Submit
C:\Users\Admin\AppData\Local\Temp\afzux.exe

Filesize
212KB

MD5
5e926e26a71eff55019a8d391df8ae24

SHA1
c5ad181462aec9b8ccec929f701c2a6b19ea05da

SHA256
6b18c863911d52c549d4fc18b6352f3c034286517a77dd09823fc8035a9f3394

SHA512
0739551ee370b6653ecc8abfa4d2e52ededa1096b027707665dd3cde564efc82f3a0111767b44f989f015ab8569e223d6b9792c8e5d507afbb9abee83f2d7add

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0a8289df3c973ee24eab0e5ec8490f34

SHA1
c1bffcb760737bb22cd17a0767eb3447bf683d8a

SHA256
254f04e981b72d609a5265747c4beb6ef23d803a50371f3a5ee46a9c68643321

SHA512
2e775dbc043af69c0a358d1fbb2a209a866f760b594c995427f4365820d4b1eb617d16ab7cfcc928755e729e3e1064e73a0b6674970fa3de88ecbd0bc75865bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyzig.exe

Filesize
633KB

MD5
78553d251de161de498a99cf713548d6

SHA1
6406fa5d88646beff126a8a681c25fdebb68972a

SHA256
74c6b568ff3da4eb66eb718aac6d904d3495a49bb4279ef54421d0da84231229

SHA512
ebfba72134dd476b6f7206474e3658f266738bcf36228cb6fd66f3c4f6b88577241ca237ea111bc0e92ba5961cb17de328ed9ce99018efdd1630aee607bdf3ff

Download Submit
memory/220-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/220-14-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/748-26-0x0000000000E60000-0x0000000000EF4000-memory.dmp

Filesize
592KB

Download
memory/748-29-0x0000000000E60000-0x0000000000EF4000-memory.dmp

Filesize
592KB

Download
memory/748-28-0x0000000000E60000-0x0000000000EF4000-memory.dmp

Filesize
592KB

Download
memory/748-27-0x0000000000E60000-0x0000000000EF4000-memory.dmp

Filesize
592KB

Download
memory/748-32-0x0000000000E60000-0x0000000000EF4000-memory.dmp

Filesize
592KB

Download
memory/748-33-0x0000000000E60000-0x0000000000EF4000-memory.dmp

Filesize
592KB

Download
memory/748-34-0x0000000000E60000-0x0000000000EF4000-memory.dmp

Filesize
592KB

Download
memory/748-35-0x0000000000E60000-0x0000000000EF4000-memory.dmp

Filesize
592KB

Download
memory/748-36-0x0000000000E60000-0x0000000000EF4000-memory.dmp

Filesize
592KB

Download
memory/1832-17-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1832-30-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1832-12-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download