urelas | bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe
Size

633KB
MD5

5130a002bfbf98adc1b58e752ea819a8
SHA1

9145d33b663d58ba1e1f7f04470b167e7854a46f
SHA256

bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0
SHA512

e70be66fa061c1655a4251bc5cb5412081f29e98f00e561faed56b60455d54f2ffb21f52fccc93fb1a44490bfceb74e03585400073b9776e43da1e3a1f47d8ac
SSDEEP

12288:5U7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsdt:5UowYcOW4a2YcOW4y

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000500000001dabd-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	uvjeo.exe

Executes dropped EXE 2 IoCs

pid	Process
396	uvjeo.exe
2452	uputi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uputi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe
2452	uputi.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 396	3096	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	88
PID 3096 wrote to memory of 396	3096	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	88
PID 3096 wrote to memory of 396	3096	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	88
PID 3096 wrote to memory of 4564	3096	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	89
PID 3096 wrote to memory of 4564	3096	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	89
PID 3096 wrote to memory of 4564	3096	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	89
PID 396 wrote to memory of 2452	396	uvjeo.exe	94
PID 396 wrote to memory of 2452	396	uvjeo.exe	94
PID 396 wrote to memory of 2452	396	uvjeo.exe	94

C:\Users\Admin\AppData\Local\Temp\bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe
"C:\Users\Admin\AppData\Local\Temp\bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Users\Admin\AppData\Local\Temp\uvjeo.exe
  "C:\Users\Admin\AppData\Local\Temp\uvjeo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\uputi.exe
    "C:\Users\Admin\AppData\Local\Temp\uputi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1e5dc63fbc6896f0ee8522c3d9f1b437

SHA1
7d410356452a8b68d924c25249d03246761f7c63

SHA256
74dccddc058a2786dd365296be2377f6249d0bf77dccb43d7f9a9ca1a851c145

SHA512
11ca009cefde0d2fb14435f1e0fa39736a5498733b16dbaa2d9f53dc337d922c610c5414b407a59891bf6435b7fc73ebce4477d977ec826e5a6c8890e5346475

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fc564e7d380bc0ffcf19f756da28eb2b

SHA1
3725398f7669a922325ecef96eae93d86d64cc1e

SHA256
68e6c0caa2de0dd0b575e323191a067b47f0d1b24144b2de8f77173f60850fb9

SHA512
e540c41060a1ff24fc7bcbe4d7d9ed1b800bcdcb7b8a03f8b4fdb85f7cdd63467a2ad6d17e6ae8c11b9dc677066b2364a014bbbf9b29b95720edc9f5442a42f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uputi.exe

Filesize
212KB

MD5
7859113eb2329b9a2857a3ee9e85274d

SHA1
e2cf689273a072dfcb49d8265849f03ea7120f38

SHA256
6bd7423815e37ce0b8cf91b55316a1d43b12a52f346fa7e9cdf172f1a8f0bd54

SHA512
b4e3becd6c7bfcb31dcc473148c12af9c4c3eca4b126216033817cb18237635bb99de9a2d1c6f108664ec7931d673f4eff3b08202fb0bfd109dac8c334b3e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvjeo.exe

Filesize
633KB

MD5
0cdecf80ccbd703e326245ec014f6549

SHA1
b34d27033ce275130132761ad75bed701f08ac7d

SHA256
07add20ef3077fd3ea90fa8578245a93233394f495cf9a165ee77f26b2a8110e

SHA512
94acc9d92e301e1f40904fa536be2f5c3cd344ebec3b27427fd0c3e674ece56a73b8d584e737e9cc561ae560240fa0e9f3ffcb4fb7d58f9f59f9fbd6b4feb964

Download Submit
memory/396-26-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/396-16-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2452-25-0x0000000000BE0000-0x0000000000C74000-memory.dmp

Filesize
592KB

Download
memory/2452-27-0x0000000000BE0000-0x0000000000C74000-memory.dmp

Filesize
592KB

Download
memory/2452-29-0x0000000000BE0000-0x0000000000C74000-memory.dmp

Filesize
592KB

Download
memory/2452-28-0x0000000000BE0000-0x0000000000C74000-memory.dmp

Filesize
592KB

Download
memory/2452-31-0x0000000000BE0000-0x0000000000C74000-memory.dmp

Filesize
592KB

Download
memory/2452-32-0x0000000000BE0000-0x0000000000C74000-memory.dmp

Filesize
592KB

Download
memory/2452-33-0x0000000000BE0000-0x0000000000C74000-memory.dmp

Filesize
592KB

Download
memory/2452-34-0x0000000000BE0000-0x0000000000C74000-memory.dmp

Filesize
592KB

Download
memory/2452-35-0x0000000000BE0000-0x0000000000C74000-memory.dmp

Filesize
592KB

Download
memory/3096-13-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3096-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download