urelas | 97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b

Analysis

max time kernel
94s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe
Size

69KB
MD5

5eec26e44af74ee197c86c818695481f
SHA1

53f2cd46774b850c69551851e096e20b089efafb
SHA256

97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b
SHA512

279ca61e3e2faa70b3730c8bcc2f394acc19fa1520ff316fbed54ac6999d7d50b433759e487709ca327168d26fbbcea6f2af3079d23b953362fdde571e225abb
SSDEEP

1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCaraw1:yLAYUzmdD0sMQl7d7IuhCaew

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

4012 biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4012	biudfw.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe

description	pid	process	target process
PID 4608 wrote to memory of 4012	4608	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	biudfw.exe
PID 4608 wrote to memory of 4012	4608	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	biudfw.exe
PID 4608 wrote to memory of 4012	4608	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	biudfw.exe
PID 4608 wrote to memory of 1696	4608	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	cmd.exe
PID 4608 wrote to memory of 1696	4608	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	cmd.exe
PID 4608 wrote to memory of 1696	4608	97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe
"C:\Users\Admin\AppData\Local\Temp\97ab784f69e8ec7639d6769ccf802578e02530e3bcac5ede8ca739b1efe9675b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4608

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Filesize
69KB

MD5
7dcb53d60a9c3458c8f7cc37d38087c0

SHA1
865dede9b36b44c5391e977e3adbe13473494104

SHA256
ba27976ae5d7a1d836a3a6e929be0493ec603cddab5f8bde59155f13ebd1c186

SHA512
d5a576f6ba9550cefadf9ee8f5d056241cb3746c2ca9382955e220a660dab30ae6d3632fc42fef211547e36a2ac386bc4183417ab61933b2e69f5cee2278b8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
1c9b2720af0ca9528b47898d9c7f4799

SHA1
80495f16e333f54ecc700252323c2a7cb7d751e1

SHA256
d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

SHA512
5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
338B

MD5
625345521209a6c774281d1109201ab6

SHA1
3ce335f49eb6200b2568a3ba378646954950b490

SHA256
00b4b2b4362a89b176fdcf470e51062b3c89bcde54993670c8f251786500093d

SHA512
b3d700cc4ff46909195b4362d3bcbfafab47fb5771bd0c41bea90d29a56d15417870efe4429ce31948e565c42fbf277fc7d468bd8ee63a075897c6d0e05c3b10

Download Submit
memory/4012-13-0x0000000000E30000-0x0000000000E57000-memory.dmp

Filesize
156KB

Download
memory/4012-21-0x0000000000E30000-0x0000000000E57000-memory.dmp

Filesize
156KB

Download
memory/4012-23-0x0000000000E30000-0x0000000000E57000-memory.dmp

Filesize
156KB

Download
memory/4012-29-0x0000000000E30000-0x0000000000E57000-memory.dmp

Filesize
156KB

Download
memory/4608-0-0x0000000000AA0000-0x0000000000AC7000-memory.dmp

Filesize
156KB

Download
memory/4608-18-0x0000000000AA0000-0x0000000000AC7000-memory.dmp

Filesize
156KB

Download