urelas | 43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2025 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74.exe
Size

272KB
MD5

aecf4606a0b406bb8548b52359eced02
SHA1

3e28f3c5cbac870a51875001af50d2dbc218f539
SHA256

43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74
SHA512

9a81b2d4fa2fb39afa1dae91df10738881c3f33e21c8cc39a5356c07e387fa0d568299493ad6347a34cfa270c97b5c0f213dd49d19097a365f8d18002805aa19
SSDEEP

6144:XwgM03hO1Gw64OU4OttDPGigknGDjvzYR05CFc/SnODow:ggM03sA3uttDDgk6vzYR05Mc/QO3

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Downloads MZ/PE file 1 IoCs

flow	pid	Process
44	4952	Process not Found

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000600000001e4cc-35.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	orxum.exe

Executes dropped EXE 2 IoCs

pid	Process
2156	orxum.exe
2920	zuyvy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orxum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuyvy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4044	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe
2920	zuyvy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2156	1608	43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74.exe	89
PID 1608 wrote to memory of 2156	1608	43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74.exe	89
PID 1608 wrote to memory of 2156	1608	43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74.exe	89
PID 1608 wrote to memory of 2828	1608	43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74.exe	90
PID 1608 wrote to memory of 2828	1608	43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74.exe	90
PID 1608 wrote to memory of 2828	1608	43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74.exe	90
PID 2156 wrote to memory of 2920	2156	orxum.exe	99
PID 2156 wrote to memory of 2920	2156	orxum.exe	99
PID 2156 wrote to memory of 2920	2156	orxum.exe	99

C:\Users\Admin\AppData\Local\Temp\43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74.exe
"C:\Users\Admin\AppData\Local\Temp\43d1ec730b594fe8d6759d68eae77dacc18b5153248908cb699f5ea7d1e1cb74.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\orxum.exe
  "C:\Users\Admin\AppData\Local\Temp\orxum.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\zuyvy.exe
    "C:\Users\Admin\AppData\Local\Temp\zuyvy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2828

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTBBMDQ5MjgtREYxNC00QjE5LTkyOUQtMjE5MjZEMEU5MkZBfSIgdXNlcmlkPSJ7RjNFQTAyOTItNDkzNC00OTdFLTk2M0MtMTBERDlBNzZBREU4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODE5QzhEQjYtMDIxNi00NERDLUE3RjctRDY1RDBFNjhDNDA2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI3IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTYxNTE2MDI3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
fd697d02f9d2f91744562aa3cf2c5a7c

SHA1
cd33bc5a4aad01a092b4205aa97a78f74b90f9f4

SHA256
7d4e3f2b7552f16832605f1b65fb462ee1bbc3e93f664fd61442eccb78aa2202

SHA512
347392d04d23722f2e1d12a0eb9fdff033b71cebdd9ca2b70d844809e1f2575832b98f8db8ea3bcc36fa53572efbf4c47cfdab33815fa603f77c1bb4016e8a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2ed2ce8d863c7ce56744f37bd4309e0f

SHA1
1ab10d774f6195f0d1cd3e9d18b3f7e6a0df497a

SHA256
bf53e9d59b9a2a6779a95c3b37430f80f4f9361855b702eddf41eb5f6cd74d98

SHA512
20294d070f04dc5db2d28cdbc9953f458656edfdea11847755b926f2fc2f44f6f853007d9569365a858fcc23bdbe481f0cce93bb37b9ae1644c0cf4c4364a207

Download Submit
C:\Users\Admin\AppData\Local\Temp\orxum.exe

Filesize
273KB

MD5
ce2bf77413957388bc12076572204e6e

SHA1
d734f6c6173058c39e6860b15373aefd0ea2d910

SHA256
117822e75f560cb604cf2d42c478774ed49b9115b3311c1be31b1d0f7929b769

SHA512
d81cc5244fdf72e7a17e05d46a46d4f3ad5392c284626de3800d37af675d5b35b5d17124403b6058e75f2cd387e7393aeb703c30d3a2f2e595dbfaf756269ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuyvy.exe

Filesize
212KB

MD5
7da9facdbc0e6d898a7a2225beb0cd29

SHA1
6fec4186dec811835089e6892c626e3fb29ece78

SHA256
32045da136669dc6b4bd983f7cf6fe8107dd36b44fcfb0d1f6bc79d5a7492cf0

SHA512
93c6a669d8d0a0f782f8b89e5c0e09730afb89ed5b4b4f3b50df66396c5fff0a64c3f132692391920664782a5463015ce05940b6fc04c4715d83c42d45314700

Download Submit
memory/1608-17-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1608-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1608-1-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2156-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2156-14-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2156-20-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2156-21-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2156-41-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2920-42-0x0000000000220000-0x00000000002B4000-memory.dmp

Filesize
592KB

Download
memory/2920-43-0x0000000000220000-0x00000000002B4000-memory.dmp

Filesize
592KB

Download
memory/2920-44-0x0000000000220000-0x00000000002B4000-memory.dmp

Filesize
592KB

Download
memory/2920-39-0x0000000000220000-0x00000000002B4000-memory.dmp

Filesize
592KB

Download
memory/2920-46-0x0000000000220000-0x00000000002B4000-memory.dmp

Filesize
592KB

Download
memory/2920-47-0x0000000000220000-0x00000000002B4000-memory.dmp

Filesize
592KB

Download
memory/2920-48-0x0000000000220000-0x00000000002B4000-memory.dmp

Filesize
592KB

Download
memory/2920-49-0x0000000000220000-0x00000000002B4000-memory.dmp

Filesize
592KB

Download
memory/2920-50-0x0000000000220000-0x00000000002B4000-memory.dmp

Filesize
592KB

Download