urelas | 4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54

General

Target

4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe
Size

292KB
MD5

6e91f34c4b411dbfd5700e9c26ec9e50
SHA1

cda3d2eed281fa65a830c0a420b1494a6ad19ad3
SHA256

4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54
SHA512

1d3f7d8fd836994e130584599f41142f89f4258e82e3f6f5457875479ece1d1e30a7cfe20ec2fc0e9a36f15cbbe0062604e0d623cf791a90ff8e62e5092a03c5
SSDEEP

6144:tfkEtfjev+ueKJD68yXWsutct2XhhbbQ5iL/Zd:tvdP+yXpuWw3nQ5Yz

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000016210-14.dat	aspack_v212_v242
behavioral1/files/0x0009000000016009-61.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
1616	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2032	etpyn.exe
3032	nuguzy.exe
764	laxoj.exe

Loads dropped DLL 5 IoCs

pid	Process
1744	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe
1744	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe
2032	etpyn.exe
2032	etpyn.exe
3032	nuguzy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nuguzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	laxoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etpyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe
764	laxoj.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2032	1744	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	28
PID 1744 wrote to memory of 2032	1744	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	28
PID 1744 wrote to memory of 2032	1744	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	28
PID 1744 wrote to memory of 2032	1744	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	28
PID 1744 wrote to memory of 1616	1744	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	29
PID 1744 wrote to memory of 1616	1744	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	29
PID 1744 wrote to memory of 1616	1744	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	29
PID 1744 wrote to memory of 1616	1744	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	29
PID 2032 wrote to memory of 3032	2032	etpyn.exe	31
PID 2032 wrote to memory of 3032	2032	etpyn.exe	31
PID 2032 wrote to memory of 3032	2032	etpyn.exe	31
PID 2032 wrote to memory of 3032	2032	etpyn.exe	31
PID 3032 wrote to memory of 764	3032	nuguzy.exe	34
PID 3032 wrote to memory of 764	3032	nuguzy.exe	34
PID 3032 wrote to memory of 764	3032	nuguzy.exe	34
PID 3032 wrote to memory of 764	3032	nuguzy.exe	34
PID 3032 wrote to memory of 2000	3032	nuguzy.exe	35
PID 3032 wrote to memory of 2000	3032	nuguzy.exe	35
PID 3032 wrote to memory of 2000	3032	nuguzy.exe	35
PID 3032 wrote to memory of 2000	3032	nuguzy.exe	35

C:\Users\Admin\AppData\Local\Temp\4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe
"C:\Users\Admin\AppData\Local\Temp\4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\etpyn.exe
  "C:\Users\Admin\AppData\Local\Temp\etpyn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\nuguzy.exe
    "C:\Users\Admin\AppData\Local\Temp\nuguzy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\laxoj.exe
      "C:\Users\Admin\AppData\Local\Temp\laxoj.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
fd421fd548d7d4baa4c0b879d002b3ac

SHA1
c576e390744166b07012631d71b3f154ae2d1c19

SHA256
a1a48c2dcba16088ccfb641a5e1053337efe1f95bdd3fe66211101d457391f86

SHA512
8b0e9a436abc3dccfe696831fc27e6c3c0012a2de84932a5cf7e9bb05a4311c01baa6dd2b4c05d158d10eac52903da3ed1bcd1db55ee9a015d4c99411c3ade1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
1423755fcedc204d93a63ece6de096ee

SHA1
de0d2ff6e4de385a4c6d2b2290d9969450c08f6b

SHA256
ed4672d4d66d6f342f7e2d3a79de81d46da39d27fa17ae6b1d2e3c9f72e05bbe

SHA512
0d76699e63addbee83b2c5683ab56d72806f206d79efe7a0080daca4312a24f0519d0dff0cd09c1ba5baad68c2b8aaa3973664f49f57a00faf4b2e9b016392ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\etpyn.exe

Filesize
292KB

MD5
25ccb7eb12b8ebb8d639e1c311061a8d

SHA1
b89646de9f67d15903284e1ddf5930155a07b7d8

SHA256
f2b89429769e284ef017cfc39899219fb0d9ef859082231bf746aa4cfc2ea700

SHA512
56d2ddbfca81c521ca0e226f7c385dc396f3d8b546ef3b662e62faa43b9d689a6a2e679ba95a61e9a3d8f0b40a995cea6c3f3e264dffc9eb2695cb81d39e7e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af47f6a84a95b1811a02edace00bcc1a

SHA1
51e15527f40ae7fc114fbf4090587a6ff56b7727

SHA256
53a577b72d10acec71e3386e0f2e3d8e11355e714d89b2484f9788edb7301946

SHA512
51c218889aee1d035d76ea33dfde13e023255d214e465fcf33253687a4faee95235eca84035fe6302b52bc2ff95589b9a99a09dc91f708ccd42605d4ad467724

Download Submit
C:\Users\Admin\AppData\Local\Temp\laxoj.exe

Filesize
216KB

MD5
f83ed03241a0801b7b3548f449fc0d49

SHA1
40d73170c17d5bb7ab0adc93aaa554b5cffa06af

SHA256
15c1e0efee29ee737b73f60bada3d91f34a7a8fae3d1d46dd7e471dc39793483

SHA512
f5c2f1ec6b49992412077f78758c6d3bc7127caaa5f83a14e9c5a39af89c542f9c4744a100cad73f3dc5a63b5221f2299353d20fb4f7afe22bf8f55e0dd3f522

Download Submit
memory/764-65-0x0000000000F60000-0x0000000001002000-memory.dmp

Filesize
648KB

Download
memory/764-74-0x0000000000F60000-0x0000000001002000-memory.dmp

Filesize
648KB

Download
memory/764-79-0x0000000000F60000-0x0000000001002000-memory.dmp

Filesize
648KB

Download
memory/764-78-0x0000000000F60000-0x0000000001002000-memory.dmp

Filesize
648KB

Download
memory/764-77-0x0000000000F60000-0x0000000001002000-memory.dmp

Filesize
648KB

Download
memory/764-63-0x0000000000F60000-0x0000000001002000-memory.dmp

Filesize
648KB

Download
memory/764-64-0x0000000000F60000-0x0000000001002000-memory.dmp

Filesize
648KB

Download
memory/1744-26-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1744-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1744-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1744-3-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1744-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2032-23-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2032-41-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2032-28-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2032-24-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2032-25-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3032-73-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3032-46-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3032-42-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3032-43-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3032-44-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3032-45-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing