urelas | ce089fe865d47c7a4b5dbb399229e35b30a939e52797d316fd0ec6f130cf46c8

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b45f931cf10857580e832601b463bc3.exe
Size

187KB
MD5

3b45f931cf10857580e832601b463bc3
SHA1

b1c1c1c9cd8a832204fbf09cd673af7a1fee04dc
SHA256

ce089fe865d47c7a4b5dbb399229e35b30a939e52797d316fd0ec6f130cf46c8
SHA512

5f2ad53658bb9d139e99e0b6b6d64565414a691b75fb180624f836a2d131767e9c91dd5086879f5dec851a5b909f5c227b04a6afe869a45f8312e318c934b245
SSDEEP

3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFad3:2mvqeP33AYFIN9treHy3

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	3b45f931cf10857580e832601b463bc3.exe

Executes dropped EXE 1 IoCs

pid	Process
3720	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 3720	4972	3b45f931cf10857580e832601b463bc3.exe	94
PID 4972 wrote to memory of 3720	4972	3b45f931cf10857580e832601b463bc3.exe	94
PID 4972 wrote to memory of 3720	4972	3b45f931cf10857580e832601b463bc3.exe	94
PID 4972 wrote to memory of 2952	4972	3b45f931cf10857580e832601b463bc3.exe	92
PID 4972 wrote to memory of 2952	4972	3b45f931cf10857580e832601b463bc3.exe	92
PID 4972 wrote to memory of 2952	4972	3b45f931cf10857580e832601b463bc3.exe	92

C:\Users\Admin\AppData\Local\Temp\3b45f931cf10857580e832601b463bc3.exe
"C:\Users\Admin\AppData\Local\Temp\3b45f931cf10857580e832601b463bc3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
187KB

MD5
7b70255d26849b2fd34ccc5cfd83ced7

SHA1
cb765856f83cae17e4c57b1883f3f505439a6294

SHA256
cf3f71023774872ada78077bb6c08917a8a10da177474797dd16873cdbb7a148

SHA512
eac8e0720a9e15dfccf016a7664c88ffffe26ded0e7d9d9d53c6df4007545641100b18227ae26af55e8a656eea940a461947673f6d35ae8b00c95c50c6934c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1e75a7e32613b9d0b73f13b66c2c2f58

SHA1
035e2d6ab4ac34190f0e684681098188409e978c

SHA256
9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3

SHA512
e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
cb0a8830fbf20a8d3908fbb84303c4ec

SHA1
a0f81f41530ee0c1aa27378475fa2e7a8569f015

SHA256
cec8c307ddf35cbe00de0d1c397d1db046fb119bcf55912895087db5e46b5e63

SHA512
842f9bf101c568a3731476474f4a7403ffcedf9f68385e57110ff656bf84f6d037eecf8d703acc70389d0cc9a14fb3fcfc0a7548d2c61affa52c4c572e163bf3

Download Submit
memory/3720-14-0x0000000000670000-0x00000000006A2000-memory.dmp

Filesize
200KB

Download
memory/3720-20-0x0000000000670000-0x00000000006A2000-memory.dmp

Filesize
200KB

Download
memory/3720-21-0x0000000000670000-0x00000000006A2000-memory.dmp

Filesize
200KB

Download
memory/4972-0-0x0000000000420000-0x0000000000452000-memory.dmp

Filesize
200KB

Download
memory/4972-17-0x0000000000420000-0x0000000000452000-memory.dmp

Filesize
200KB

Download