urelas | 451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe
Size

63KB
MD5

e725484c9776a8565bf009f1f4135e04
SHA1

eff2d00e6483e9a5cc3868c8047e1015cf2ede94
SHA256

451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577
SHA512

36005f9188256801502a336ac2702a5e3ce1fb1f4260172fa291f0061f15bf17b73bab3fb4326a19ecd3afc5236d09ce83e74bccf7fbebf964490fcb225da08b
SSDEEP

1536:6bQx5oPsr2vFxDPhAvzgAQzFZ77MzeTmUDv:6bQRSHpAvzyf7MzeThDv

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2088 biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2088	biudfw.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe

description	pid	process	target process
PID 2692 wrote to memory of 2088	2692	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	biudfw.exe
PID 2692 wrote to memory of 2088	2692	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	biudfw.exe
PID 2692 wrote to memory of 2088	2692	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	biudfw.exe
PID 2692 wrote to memory of 3512	2692	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	cmd.exe
PID 2692 wrote to memory of 3512	2692	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	cmd.exe
PID 2692 wrote to memory of 3512	2692	451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe
"C:\Users\Admin\AppData\Local\Temp\451984f65fde0f9164a7dc8b852d7798800d29c2d3aedd1bf429ea29cf5c8577.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:3512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Filesize
64KB

MD5
f510d30978a828845f770ac6d4d1c7d7

SHA1
d1f24d18b308ec0f6b66c0e5a345af76e6b27beb

SHA256
8917db7e92ee99eb7802935f1bd3a03a78a0574150ae4d04ea08e1edd75d5f9c

SHA512
889d7f009a1da7adca34016b0ecca7f4139990788a77b6d8f2d3234bb478801438fc2e6ea22e142bfc0d73e70c11e5c27ce8031f01b62e5a4e1d21fa0fd6260b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
efd90b3ac908d5482af367de3a82184a

SHA1
de9f01d2ed0247b7b347e55c5a09721a60147fb9

SHA256
44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d

SHA512
6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
338B

MD5
f06a161a5225aca7be536128b321576e

SHA1
8635b13a7f20f888d77a2260b4c0daedf843f40c

SHA256
9a9927963e030a526a13501ab7e65ecc5af3178204e757342184bbb128a92362

SHA512
8be45fd2b0917e56e402e0e3ee3b7ddd2cc42b5eb4a1dd64a9cf336e95f96dad3a9c8fb7eea5803c5764db415e5698b66ceacbc5dfa7407583d378c53ce8368d

Download Submit
memory/2088-15-0x0000000000670000-0x0000000000695000-memory.dmp

Filesize
148KB

Download
memory/2088-21-0x0000000000670000-0x0000000000695000-memory.dmp

Filesize
148KB

Download
memory/2088-23-0x0000000000670000-0x0000000000695000-memory.dmp

Filesize
148KB

Download
memory/2088-30-0x0000000000670000-0x0000000000695000-memory.dmp

Filesize
148KB

Download
memory/2692-0-0x0000000000390000-0x00000000003B5000-memory.dmp

Filesize
148KB

Download
memory/2692-18-0x0000000000390000-0x00000000003B5000-memory.dmp

Filesize
148KB

Download