urelas | cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3

General

Target

cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe
Size

289KB
MD5

3890385c6cbcf4c554385ee7f4788e10
SHA1

d0114d9cc6c87ca277bdc4345a47396330f91b9e
SHA256

cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3
SHA512

741c66301c41168c203bf88e812fe895690eb5986fae42a92c6a1f263a56d89dc28a28d86674ab0cc9869160e5e625b021fc55ad50c01ef28b542e7c4c1c06b2
SSDEEP

6144:96xwSR5NtUIJEWyXuew+q1l0d2Js6H5/TZkKre:9A3NtUISdPw+Elq2Jsm2z

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-37.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2188	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2356	gorem.exe
1976	sekey.exe

Loads dropped DLL 3 IoCs

pid	Process
3068	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe
3068	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe
2356	gorem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gorem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sekey.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe
1976	sekey.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2356	3068	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	31
PID 3068 wrote to memory of 2356	3068	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	31
PID 3068 wrote to memory of 2356	3068	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	31
PID 3068 wrote to memory of 2356	3068	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	31
PID 3068 wrote to memory of 2188	3068	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	32
PID 3068 wrote to memory of 2188	3068	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	32
PID 3068 wrote to memory of 2188	3068	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	32
PID 3068 wrote to memory of 2188	3068	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	32
PID 2356 wrote to memory of 1976	2356	gorem.exe	35
PID 2356 wrote to memory of 1976	2356	gorem.exe	35
PID 2356 wrote to memory of 1976	2356	gorem.exe	35
PID 2356 wrote to memory of 1976	2356	gorem.exe	35

C:\Users\Admin\AppData\Local\Temp\cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe
"C:\Users\Admin\AppData\Local\Temp\cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\gorem.exe
  "C:\Users\Admin\AppData\Local\Temp\gorem.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\sekey.exe
    "C:\Users\Admin\AppData\Local\Temp\sekey.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
08f387163a951b72caaeef7006db75d8

SHA1
3905f476885ffdad41f4251d61bb0ba7650fe584

SHA256
ecfb3c279372b918017ac7b6e782c428d8c21a4cd86b0e6d54a34784b990261e

SHA512
5701a67f4785769e4717ac285dde64ea8e53ae50a1455bbf37a98c89687703074c5e7caadbc19a44241e496a2799f00d239ab60bf9141e12acdc6ebfe3d16815

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a85167dc90016befeabec8537288adcd

SHA1
596486b9b00a88c6e0251a99e469a2ff403837f3

SHA256
9ef69f51960365c6c3cacc0e5583188daea5ef99548255e2afb41f7a0ed6b01e

SHA512
4fa818a253cb0ead64ac1df2d67dffa55cb1a390d06afcae38ce2bde2a936a9d8033a45d7db53ff16d8894888e4210f6a0e67fb8ec32b2330183032be9a7ead2

Download Submit
\Users\Admin\AppData\Local\Temp\gorem.exe

Filesize
289KB

MD5
32041d13a60ee7be36ea95bf120b91c8

SHA1
3e048db526d9382446b91ef982b12a0de1438abb

SHA256
24fe9bd430e82e28c718e62c1f281bf20884ef9ea3d0dc15cd6a90e876501ad5

SHA512
4969c7299f6bd891f6abff7510b0f005a6469a325d4a07de5553ab7d583adfd2a05f6d321772eaa8e937890eb8761e660d488378dd05a924f5fc659425e8bc7e

Download Submit
\Users\Admin\AppData\Local\Temp\sekey.exe

Filesize
216KB

MD5
5d5877874aba13f93d914fc5b55b39ce

SHA1
f66e4c7388601a0cd6e71e80622e3511d893aee8

SHA256
41a714c14c9d0f688c183a28a339bf173aae91f180700772e351f0748c379cb3

SHA512
2441232381b97a2df69686cf88f1fe4c13635e327c382cf0c6d5f5ab49ba813aa3779fb3832f7e26a4f66dc1e89f84a495f2ee2ad403706507f809927a96aa98

Download Submit
memory/1976-51-0x0000000001130000-0x00000000011D2000-memory.dmp

Filesize
648KB

Download
memory/1976-50-0x0000000001130000-0x00000000011D2000-memory.dmp

Filesize
648KB

Download
memory/1976-44-0x0000000001130000-0x00000000011D2000-memory.dmp

Filesize
648KB

Download
memory/1976-45-0x0000000001130000-0x00000000011D2000-memory.dmp

Filesize
648KB

Download
memory/1976-46-0x0000000001130000-0x00000000011D2000-memory.dmp

Filesize
648KB

Download
memory/1976-47-0x0000000001130000-0x00000000011D2000-memory.dmp

Filesize
648KB

Download
memory/2356-26-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2356-41-0x0000000003DA0000-0x0000000003E42000-memory.dmp

Filesize
648KB

Download
memory/2356-43-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2356-25-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2356-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2356-14-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3068-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3068-22-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3068-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing