urelas | 1fbcf343c87e21644685f97726b153c922f5651683d0c99ccf12a290667aeb39

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41d875ffc919e005c8d5a3e41e48a4763c232b543f292253912275c13668a0d6.exe
Size

199KB
MD5

19ec39f2f9f444d667967009fb09d6d9
SHA1

5311a41fd105f7841f7da9c076956e2f1fb96516
SHA256

41d875ffc919e005c8d5a3e41e48a4763c232b543f292253912275c13668a0d6
SHA512

e98a973d3e8f8ba4111272f7a3bd76d6e3567139a078a14f6c9ccb31726cd0e9e9a37631e795eb8e0b387504688b4ca6cdc14a870019b957806aa7247425af82
SSDEEP

3072:llfTVlvfdEDRmyc+XA60Kj4omjuVZ6rNp0w:lpTV9rZllomjuCNp0w

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	41d875ffc919e005c8d5a3e41e48a4763c232b543f292253912275c13668a0d6.exe

Executes dropped EXE 1 IoCs

pid	Process
3128	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3128	1772	41d875ffc919e005c8d5a3e41e48a4763c232b543f292253912275c13668a0d6.exe	92
PID 1772 wrote to memory of 3128	1772	41d875ffc919e005c8d5a3e41e48a4763c232b543f292253912275c13668a0d6.exe	92
PID 1772 wrote to memory of 3128	1772	41d875ffc919e005c8d5a3e41e48a4763c232b543f292253912275c13668a0d6.exe	92
PID 1772 wrote to memory of 4260	1772	41d875ffc919e005c8d5a3e41e48a4763c232b543f292253912275c13668a0d6.exe	93
PID 1772 wrote to memory of 4260	1772	41d875ffc919e005c8d5a3e41e48a4763c232b543f292253912275c13668a0d6.exe	93
PID 1772 wrote to memory of 4260	1772	41d875ffc919e005c8d5a3e41e48a4763c232b543f292253912275c13668a0d6.exe	93

C:\Users\Admin\AppData\Local\Temp\41d875ffc919e005c8d5a3e41e48a4763c232b543f292253912275c13668a0d6.exe
"C:\Users\Admin\AppData\Local\Temp\41d875ffc919e005c8d5a3e41e48a4763c232b543f292253912275c13668a0d6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
199KB

MD5
2d3856d89302ec44ff50d59bf86dc5b5

SHA1
2ffa292f8c3e9f54893fabd05093bef60fce478d

SHA256
ffa937df3f1b444db5644556a34010b5c7694c55d20c5a313047cd1ac4f4c80d

SHA512
bc906d45b6292769091bc156d8ce9851c31942f025040af6c4e69cf5fe46c3a1c6494092d49daf0446d9068c0ce4a10e4c49bd80d1355393a09dc7ddc38c88e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
199KB

MD5
2d3856d89302ec44ff50d59bf86dc5b5

SHA1
2ffa292f8c3e9f54893fabd05093bef60fce478d

SHA256
ffa937df3f1b444db5644556a34010b5c7694c55d20c5a313047cd1ac4f4c80d

SHA512
bc906d45b6292769091bc156d8ce9851c31942f025040af6c4e69cf5fe46c3a1c6494092d49daf0446d9068c0ce4a10e4c49bd80d1355393a09dc7ddc38c88e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
199KB

MD5
2d3856d89302ec44ff50d59bf86dc5b5

SHA1
2ffa292f8c3e9f54893fabd05093bef60fce478d

SHA256
ffa937df3f1b444db5644556a34010b5c7694c55d20c5a313047cd1ac4f4c80d

SHA512
bc906d45b6292769091bc156d8ce9851c31942f025040af6c4e69cf5fe46c3a1c6494092d49daf0446d9068c0ce4a10e4c49bd80d1355393a09dc7ddc38c88e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fc7c2ef888930c9e3d5e328202990a11

SHA1
336cbc6a838acad79206b98e9eb2414736e718ed

SHA256
79115937973fc5e46c104e0eff35fe65ece75db6224847bcd152057b496ed517

SHA512
a426d6b66e7576aa639692147f14d8c6c8b580b16ac2b17d2c8e68e01f423d11205fb806074b26273f1ca267f85bc6edd91f932e7d5deeb95811cd20622690e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
083a2b9830e240f6067518149052b974

SHA1
435aba7010bcc4fcbd6c443f492c73d84fa9f59d

SHA256
69a47c13ccba29b3d9b75654721a3453c1e206add91c4bce4fd19fb6825e2570

SHA512
7013eefb1d8200b23f6a4db2d588f5bc4076e1db2a93267ec365d623d258d80723a2c744c6e7719c75a2b72a46683ef0f8e9a7aac1689844a78d1136de343eb9

Download Submit
memory/1772-0-0x0000000000FE0000-0x0000000001018000-memory.dmp

Filesize
224KB

Download
memory/1772-12-0x0000000000FE0000-0x0000000001018000-memory.dmp

Filesize
224KB

Download
memory/1772-19-0x0000000000FE0000-0x0000000001018000-memory.dmp

Filesize
224KB

Download
memory/3128-15-0x00000000008B0000-0x00000000008E8000-memory.dmp

Filesize
224KB

Download
memory/3128-21-0x00000000008B0000-0x00000000008E8000-memory.dmp

Filesize
224KB

Download
memory/3128-22-0x00000000008B0000-0x00000000008E8000-memory.dmp

Filesize
224KB

Download