urelas | 9f80dbebf6a0eff41036bdc501002d424e6dd617b678ea6a115a18682a3da42b

Analysis

max time kernel
127s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8258c7d749681951cff040c91ef03340_JC.exe
Size

161KB
MD5

8258c7d749681951cff040c91ef03340
SHA1

406f9018b418ae80165a586e280e0032a9a28af9
SHA256

9f80dbebf6a0eff41036bdc501002d424e6dd617b678ea6a115a18682a3da42b
SHA512

d0449329b646cdc95d6da96b0336b22b9849111573601c8c8513c8067d631adbd37bb2e1e450b1233afdf377091d317e36208116d38110b1b6e2c8da93bf98ee
SSDEEP

3072:9p56zRJ83+OJ7NoGvdwWy6k04yW/KlQ2C:9OzRWu27dlOd5sk

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	NEAS.8258c7d749681951cff040c91ef03340_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
1812	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1812	1460	NEAS.8258c7d749681951cff040c91ef03340_JC.exe	95
PID 1460 wrote to memory of 1812	1460	NEAS.8258c7d749681951cff040c91ef03340_JC.exe	95
PID 1460 wrote to memory of 1812	1460	NEAS.8258c7d749681951cff040c91ef03340_JC.exe	95
PID 1460 wrote to memory of 3000	1460	NEAS.8258c7d749681951cff040c91ef03340_JC.exe	96
PID 1460 wrote to memory of 3000	1460	NEAS.8258c7d749681951cff040c91ef03340_JC.exe	96
PID 1460 wrote to memory of 3000	1460	NEAS.8258c7d749681951cff040c91ef03340_JC.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.8258c7d749681951cff040c91ef03340_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8258c7d749681951cff040c91ef03340_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
161KB

MD5
8a06e520ca3a4b6de080ba71fc0994ea

SHA1
9298365c9a7cb977dfc6cb7c322ce06d44c4041c

SHA256
9842aa2ce635f9add6ff9e13285e2ed7f763f2ef8c48612a46af96a316edd2b9

SHA512
9201195f5028efe6fc0503fa3a04e0c1f27321ae3361e01c1fb6a86071320d59466444ff567542c028a43c2871a16204463edf85bbbd96572bedb2c711874575

Download Submit
C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
161KB

MD5
8a06e520ca3a4b6de080ba71fc0994ea

SHA1
9298365c9a7cb977dfc6cb7c322ce06d44c4041c

SHA256
9842aa2ce635f9add6ff9e13285e2ed7f763f2ef8c48612a46af96a316edd2b9

SHA512
9201195f5028efe6fc0503fa3a04e0c1f27321ae3361e01c1fb6a86071320d59466444ff567542c028a43c2871a16204463edf85bbbd96572bedb2c711874575

Download Submit
C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
161KB

MD5
8a06e520ca3a4b6de080ba71fc0994ea

SHA1
9298365c9a7cb977dfc6cb7c322ce06d44c4041c

SHA256
9842aa2ce635f9add6ff9e13285e2ed7f763f2ef8c48612a46af96a316edd2b9

SHA512
9201195f5028efe6fc0503fa3a04e0c1f27321ae3361e01c1fb6a86071320d59466444ff567542c028a43c2871a16204463edf85bbbd96572bedb2c711874575

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ac5e84ed8031d66a9fcd5e472ba8091b

SHA1
06303add604104d6abbb69458f89773c066b470c

SHA256
3a3cfa6f4786dab0ac8bc76204948f32a3a2cbd094922f87c251ec80d22baae5

SHA512
7bf829102a70a1304dae435b8ae3c9ef9a925af7e995fe381d80730f4f702e1fd2a0a1b6a3a4b4667925f5bb95c897166a8fc0f52d3171d9cdba0bf09b53f152

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
290B

MD5
fb2147c82dceb18e82d793cdc23bb1b5

SHA1
d05163414089b96bd263d37b6d90902a47cd87ee

SHA256
7b13923061b63aad37821c6c2cb3f4df1f8e24d84d85ea297168a2d110a88684

SHA512
905ad167eece706ff88589973d134c0751f11b5c13eb5787f0f21b40607b906bb1f390c1976275137778846eee2959cec7d64005e21676468f48055c34de256c

Download Submit
memory/1460-0-0x0000000000270000-0x000000000029B000-memory.dmp

Filesize
172KB

Download
memory/1460-17-0x0000000000270000-0x000000000029B000-memory.dmp

Filesize
172KB

Download
memory/1812-13-0x00000000008E0000-0x000000000090B000-memory.dmp

Filesize
172KB

Download
memory/1812-20-0x00000000008E0000-0x000000000090B000-memory.dmp

Filesize
172KB

Download
memory/1812-21-0x00000000008E0000-0x000000000090B000-memory.dmp

Filesize
172KB

Download