urelas | 126ad942766d4aa10279c14c3ebe7b8911edb87542c83ea74f923583b068a112

Analysis

max time kernel
170s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 12:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d8c5dcba0144f9557cd411ef70f3b3c0.exe
Size

123KB
MD5

d8c5dcba0144f9557cd411ef70f3b3c0
SHA1

51bfb70c286193f604131e83e80031b3a4e22297
SHA256

126ad942766d4aa10279c14c3ebe7b8911edb87542c83ea74f923583b068a112
SHA512

d7717705c0389f6e5371c25f74b81bbffc3ef1df84fa4360bf6a623675de561a58c89fb56c3b52cedde8a22dd8a5267d223d5620c6234bd09daf79ba58077d17
SSDEEP

1536:Ko6JdvxttIBcXISDPV2Mhg3GkFceersWjcd06UsfqW2vxq6Uw:iHC6D92O8n7eU06UsfUpqC

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.209

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	NEAS.d8c5dcba0144f9557cd411ef70f3b3c0.exe

Executes dropped EXE 1 IoCs

pid	Process
4216	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4216	1428	NEAS.d8c5dcba0144f9557cd411ef70f3b3c0.exe	92
PID 1428 wrote to memory of 4216	1428	NEAS.d8c5dcba0144f9557cd411ef70f3b3c0.exe	92
PID 1428 wrote to memory of 4216	1428	NEAS.d8c5dcba0144f9557cd411ef70f3b3c0.exe	92
PID 1428 wrote to memory of 4700	1428	NEAS.d8c5dcba0144f9557cd411ef70f3b3c0.exe	93
PID 1428 wrote to memory of 4700	1428	NEAS.d8c5dcba0144f9557cd411ef70f3b3c0.exe	93
PID 1428 wrote to memory of 4700	1428	NEAS.d8c5dcba0144f9557cd411ef70f3b3c0.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.d8c5dcba0144f9557cd411ef70f3b3c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d8c5dcba0144f9557cd411ef70f3b3c0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
123KB

MD5
b03dcf0deb496256ab931ba517ccb39a

SHA1
ed168cdb6a3723162d8c2bba93a0d118e098a87c

SHA256
6c0b234bb26cc3b2b04243918c4e66f9939d4fd302ba1a28bc1a3f591aa70c6f

SHA512
b3ecf1d9d2d6a1719b678492f3f623e2d06e92326ef4942abc1b0a8f68657cfceb541a6b6bf36fdd6258aad2a18d46ac1e0fceb82ed033e3e356977b6f068ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
123KB

MD5
b03dcf0deb496256ab931ba517ccb39a

SHA1
ed168cdb6a3723162d8c2bba93a0d118e098a87c

SHA256
6c0b234bb26cc3b2b04243918c4e66f9939d4fd302ba1a28bc1a3f591aa70c6f

SHA512
b3ecf1d9d2d6a1719b678492f3f623e2d06e92326ef4942abc1b0a8f68657cfceb541a6b6bf36fdd6258aad2a18d46ac1e0fceb82ed033e3e356977b6f068ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
123KB

MD5
b03dcf0deb496256ab931ba517ccb39a

SHA1
ed168cdb6a3723162d8c2bba93a0d118e098a87c

SHA256
6c0b234bb26cc3b2b04243918c4e66f9939d4fd302ba1a28bc1a3f591aa70c6f

SHA512
b3ecf1d9d2d6a1719b678492f3f623e2d06e92326ef4942abc1b0a8f68657cfceb541a6b6bf36fdd6258aad2a18d46ac1e0fceb82ed033e3e356977b6f068ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8b6fb23d659bed3f6b1cf40a104e95a

SHA1
07c9c74af6b0fe9b78bb1b3aed5bdc1e0b5de952

SHA256
f28d96334bf66f634f899c800b4d5c6195bcf407cb073761f8a4f30a4061f136

SHA512
e841cd9283c63a92395b4221492e2ae6b06d9c4108fcbbfe7d8a7928cfca405c14c0634a6388a4f18da3db611696ea797f9b825ed314d1640a17aa767593e412

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
813b404a0a8befc17907e2845984a78e

SHA1
3005105e0371062e16092b41a4a83baa1499544f

SHA256
29c8cc06b22c1114aa0caf536d3746b5699b81362fa9b27701490e4ac0b9b4cc

SHA512
5b95e2d185825b327f5d0a211e2edf5ffca7438b5472032bf6c340dbb11364dcaf0fe406c965ffc7cbbe53045294aba391ff5b94c56afcb3b1f0a0ac1bce728d

Download Submit
memory/1428-0-0x0000000000CD0000-0x0000000000CF8000-memory.dmp

Filesize
160KB

Download
memory/1428-17-0x0000000000CD0000-0x0000000000CF8000-memory.dmp

Filesize
160KB

Download
memory/4216-12-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/4216-20-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/4216-21-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download