urelas | b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe
Size

633KB
MD5

bedf5ef24508a60e2459fd9062b4ac36
SHA1

3ea78acef799ce1599af184e26611c6f363324b8
SHA256

b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24
SHA512

d24ca9809f1acbdbbf44f98ebe95b6938ee4c33c3e43ae196cf5c5544d6f88d8e47753e83a062f7c69144adfe39664b88f0c5909edf141c0311b43dfcb77c4ca
SSDEEP

12288:5U7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsdd:5UowYcOW4a2YcOW4u

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-27.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2428	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1660	acokg.exe
2908	viaxm.exe

Loads dropped DLL 3 IoCs

pid	Process
2348	b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe
2348	b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe
1660	acokg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viaxm.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe
2908	viaxm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1660	2348	b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe	30
PID 2348 wrote to memory of 1660	2348	b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe	30
PID 2348 wrote to memory of 1660	2348	b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe	30
PID 2348 wrote to memory of 1660	2348	b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe	30
PID 2348 wrote to memory of 2428	2348	b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe	31
PID 2348 wrote to memory of 2428	2348	b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe	31
PID 2348 wrote to memory of 2428	2348	b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe	31
PID 2348 wrote to memory of 2428	2348	b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe	31
PID 1660 wrote to memory of 2908	1660	acokg.exe	34
PID 1660 wrote to memory of 2908	1660	acokg.exe	34
PID 1660 wrote to memory of 2908	1660	acokg.exe	34
PID 1660 wrote to memory of 2908	1660	acokg.exe	34

C:\Users\Admin\AppData\Local\Temp\b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe
"C:\Users\Admin\AppData\Local\Temp\b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\acokg.exe
  "C:\Users\Admin\AppData\Local\Temp\acokg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\viaxm.exe
    "C:\Users\Admin\AppData\Local\Temp\viaxm.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
dff9241e398129e5231245c4a6cff3e4

SHA1
9d07e2a8e82bb1965a8496737ec6c78c1dbd32f2

SHA256
3b190ce06aaebe8f90da68d6e17f72493426518d3bf63c7c02ea83c00b63e481

SHA512
18766b41f461dbd97554426962579b21a7237e6f34507b98a54eb81c1db096523ba43cb51a219f8f45d0c4a637828791c360ce085cb0e30e3030ce678e5b95e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
48b71969a2bd79fb27aa5c27956114f7

SHA1
efb6be6eca8484b0c91ca432bf76e1d77932bc67

SHA256
4b82146ee14f0f85511545bc03b6e400ae724acb59a28d76933b8097a2ea849d

SHA512
4b22142e1f5028147db4cf51cd27db5a1815fb8f690a8fb817531d2546511a14f1c11d29ccb83564410276acedb7441567f59980bc0db4b3301cc46d95ea40ac

Download Submit
\Users\Admin\AppData\Local\Temp\acokg.exe

Filesize
633KB

MD5
302f832eaa9ec65b0b0ca6417fcabf9a

SHA1
fea14ccd979c9ebb683dafb2b89b7eab8fda8c14

SHA256
b04781ac7dad8199b26f85e3e6f992633bc05225c2d7afab7de56235a011e2d6

SHA512
f5abc03b7acd37c8ce2f699cdcb41ee8108b241507c6c3cbffc2885646b4405bfc82378e06f1013ed42cdddabd09d685217ec983d2dfa58462b608236877608b

Download Submit
\Users\Admin\AppData\Local\Temp\viaxm.exe

Filesize
212KB

MD5
d652b3a707740c77725e5ae6b90ca0db

SHA1
6236b095a5a9f3b7cd9c6e252613292e4526caf1

SHA256
fd12d317cb3f237a0f99197f1696bd6af803f17ec93b12e90d922f7cc7ea6024

SHA512
80e63622420bbb2ba0ecd1281882f0dac6e6936d9cb88cd1dfb5706c4f52bb1d26780088671899a181c0935dfe3faed1c469c5aa6525d576a7f417d69c8b4fa9

Download Submit
memory/1660-30-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1660-24-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2348-21-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2348-12-0x00000000025F0000-0x000000000268B000-memory.dmp

Filesize
620KB

Download
memory/2348-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2348-11-0x00000000025F0000-0x000000000268B000-memory.dmp

Filesize
620KB

Download
memory/2908-32-0x0000000000E00000-0x0000000000E94000-memory.dmp

Filesize
592KB

Download
memory/2908-33-0x0000000000E00000-0x0000000000E94000-memory.dmp

Filesize
592KB

Download
memory/2908-34-0x0000000000E00000-0x0000000000E94000-memory.dmp

Filesize
592KB

Download
memory/2908-35-0x0000000000E00000-0x0000000000E94000-memory.dmp

Filesize
592KB

Download
memory/2908-37-0x0000000000E00000-0x0000000000E94000-memory.dmp

Filesize
592KB

Download
memory/2908-38-0x0000000000E00000-0x0000000000E94000-memory.dmp

Filesize
592KB

Download
memory/2908-39-0x0000000000E00000-0x0000000000E94000-memory.dmp

Filesize
592KB

Download
memory/2908-40-0x0000000000E00000-0x0000000000E94000-memory.dmp

Filesize
592KB

Download
memory/2908-41-0x0000000000E00000-0x0000000000E94000-memory.dmp

Filesize
592KB

Download