urelas | cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3

General

Target

cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe
Size

289KB
MD5

3890385c6cbcf4c554385ee7f4788e10
SHA1

d0114d9cc6c87ca277bdc4345a47396330f91b9e
SHA256

cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3
SHA512

741c66301c41168c203bf88e812fe895690eb5986fae42a92c6a1f263a56d89dc28a28d86674ab0cc9869160e5e625b021fc55ad50c01ef28b542e7c4c1c06b2
SSDEEP

6144:96xwSR5NtUIJEWyXuew+q1l0d2Js6H5/TZkKre:9A3NtUISdPw+Elq2Jsm2z

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000709-33.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	qyugj.exe

Executes dropped EXE 2 IoCs

pid	Process
1008	qyugj.exe
1552	yqmyw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qyugj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqmyw.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe
1552	yqmyw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1008	2452	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	83
PID 2452 wrote to memory of 1008	2452	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	83
PID 2452 wrote to memory of 1008	2452	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	83
PID 2452 wrote to memory of 3700	2452	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	84
PID 2452 wrote to memory of 3700	2452	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	84
PID 2452 wrote to memory of 3700	2452	cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe	84
PID 1008 wrote to memory of 1552	1008	qyugj.exe	103
PID 1008 wrote to memory of 1552	1008	qyugj.exe	103
PID 1008 wrote to memory of 1552	1008	qyugj.exe	103

C:\Users\Admin\AppData\Local\Temp\cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe
"C:\Users\Admin\AppData\Local\Temp\cc1086ee187d56dfb4a99abcca30ab8582353309dc3701ef00ae01356d20f0b3N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\qyugj.exe
  "C:\Users\Admin\AppData\Local\Temp\qyugj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\yqmyw.exe
    "C:\Users\Admin\AppData\Local\Temp\yqmyw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
08f387163a951b72caaeef7006db75d8

SHA1
3905f476885ffdad41f4251d61bb0ba7650fe584

SHA256
ecfb3c279372b918017ac7b6e782c428d8c21a4cd86b0e6d54a34784b990261e

SHA512
5701a67f4785769e4717ac285dde64ea8e53ae50a1455bbf37a98c89687703074c5e7caadbc19a44241e496a2799f00d239ab60bf9141e12acdc6ebfe3d16815

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4b4cc13decdaceadb673da27934bbacb

SHA1
ade81e71fbe6b8c801753e63c4afddce58b8e156

SHA256
a32628f576139740c8a1c7bdd00da6f0534cf10939f6ac0e9365f6f1bd139ca8

SHA512
f902df9062b42adfe6cbe5540e62ea3c563cc56ee21650cd0574fd4ea48428cf7d2f0241b7875ee343e4ada76cd3c1fc62c6d4176b3166c90f0c4a3d8a68b925

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyugj.exe

Filesize
289KB

MD5
ecdf7eeeb53389856f439bf183541ce6

SHA1
14609bfdff3a6d5946198c356ec4c134726cc265

SHA256
f9ce631836454f3f2d17c7cb4f8f27f62da4efc398b6cbe48bcf01af99fcffe8

SHA512
4f47984701d5159801834b4731add239afb8ecbd6f6b0565d7a359881786b2184faedad1d33708780001a8aad09ff7ca6c671c96eef390018174f7ee4c10f3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqmyw.exe

Filesize
216KB

MD5
687dce40bba9452a77bec04694e66cba

SHA1
137e35d95178fa6f943115796d517148beb589a7

SHA256
6dcd27e21ba9ddb2acc9945c8c5c32b2f1abd57d32bb31b27630ea9f4dfc34a2

SHA512
f86c4fed41c12c964cf89bd4b350085fa25f969c3bb8cacdeece8a0d47e1a30beb3df982b2dd66358c09f1cf5283f46854d18080535f6142319506347a4f62f8

Download Submit
memory/1008-42-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1008-13-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1008-19-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1008-20-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1552-40-0x0000000000E00000-0x0000000000EA2000-memory.dmp

Filesize
648KB

Download
memory/1552-39-0x0000000000E00000-0x0000000000EA2000-memory.dmp

Filesize
648KB

Download
memory/1552-38-0x0000000000E00000-0x0000000000EA2000-memory.dmp

Filesize
648KB

Download
memory/1552-37-0x0000000000E00000-0x0000000000EA2000-memory.dmp

Filesize
648KB

Download
memory/1552-44-0x0000000000E00000-0x0000000000EA2000-memory.dmp

Filesize
648KB

Download
memory/1552-45-0x0000000000E00000-0x0000000000EA2000-memory.dmp

Filesize
648KB

Download
memory/2452-16-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2452-1-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2452-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing