urelas | 44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 19:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52.exe
Size

167KB
MD5

d26676d7f2326eff6d1e61e37e4a2f51
SHA1

a5912c9d44e31e96c80bca866c26eeca6f3e8b3f
SHA256

44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52
SHA512

cf79c68be4b11249c452a868d69f1da0ee91a02c0a0122236f1156b3602d39e5379dd0a1fa83729ac855251c0a18516df0b195e2ee9333c62603b4466e3ff21a
SSDEEP

3072:yp56zRJ83+OJ7NoGvdwWy6k04yW/KR0Yx4BXP6:yOzRWu27dlOd5/YWVy

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52.exe

Executes dropped EXE 1 IoCs

pid	Process
368	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 368	4640	44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52.exe	92
PID 4640 wrote to memory of 368	4640	44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52.exe	92
PID 4640 wrote to memory of 368	4640	44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52.exe	92
PID 4640 wrote to memory of 4900	4640	44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52.exe	93
PID 4640 wrote to memory of 4900	4640	44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52.exe	93
PID 4640 wrote to memory of 4900	4640	44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52.exe	93

C:\Users\Admin\AppData\Local\Temp\44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52.exe
"C:\Users\Admin\AppData\Local\Temp\44fc4fba4ac5f5a9d36cd543aa733d076a38c2e7a1d71834389468166ab48b52.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
168KB

MD5
d7ce8d6716c0e4e18747cdc77378b9dd

SHA1
bd51fe38725bd218532fa7ba9d442ac992a14ba5

SHA256
1744777ea2c7561254594b4232e8fc1ca57e7fe10a5869921259963198c5f4ab

SHA512
3967f4d2a947e26024f6d7ce4723670d22abfb538c7fd7520c17418238ba25dbedae74507bb59cded5460006b2e3fcfdeebaee95c31ee63d11727664a196feee

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ac5e84ed8031d66a9fcd5e472ba8091b

SHA1
06303add604104d6abbb69458f89773c066b470c

SHA256
3a3cfa6f4786dab0ac8bc76204948f32a3a2cbd094922f87c251ec80d22baae5

SHA512
7bf829102a70a1304dae435b8ae3c9ef9a925af7e995fe381d80730f4f702e1fd2a0a1b6a3a4b4667925f5bb95c897166a8fc0f52d3171d9cdba0bf09b53f152

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
21a39d646f82ab8578b99ed066620582

SHA1
6b98ac6aada039eff69f111dff94e3a582aeeea0

SHA256
8f2e41d48e83f279af8463f7bc23c0a9f8c09ef7ba1920f266fb2c9a96839552

SHA512
876d442548759532e01a3bfdbbaecfda38685f024c61421712bbd9831dec6e6ab132df0deafb3d16b444255a4ff841b678453be28e1b714250f1ec619367c331

Download Submit
memory/368-16-0x0000000000F80000-0x0000000000FAB000-memory.dmp

Filesize
172KB

Download
memory/368-20-0x0000000000F80000-0x0000000000FAB000-memory.dmp

Filesize
172KB

Download
memory/4640-0-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/4640-17-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download