urelas | 91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0

Analysis

max time kernel
93s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe
Size

57KB
MD5

b86b4f383ea77c2b0c43528f612bcee3
SHA1

33d328be7ce955a19507d83f4298c135d7eca623
SHA256

91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0
SHA512

105efbf64f450d5223b51f48c1c7d46d6bef7553b827d555fa954b49607db01821d017e80e595e47ec301be3ed67e39793e9b8ee44ef8d69e4fdedc562d57195
SSDEEP

1536:6W82C0Db1edMckBI1kmJAhTPY6pnouy8Q:6n25DbaMySmJAhbvoutQ

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

212 biudfw.exe

pid	process
212	biudfw.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2996-0-0x0000000000B10000-0x0000000000B3C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\biudfw.exe	upx
behavioral2/memory/212-10-0x0000000000540000-0x000000000056C000-memory.dmp	upx
behavioral2/memory/2996-14-0x0000000000B10000-0x0000000000B3C000-memory.dmp	upx
behavioral2/memory/212-17-0x0000000000540000-0x000000000056C000-memory.dmp	upx
behavioral2/memory/212-19-0x0000000000540000-0x000000000056C000-memory.dmp	upx
behavioral2/memory/212-25-0x0000000000540000-0x000000000056C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe

description	pid	process	target process
PID 2996 wrote to memory of 212	2996	91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe	biudfw.exe
PID 2996 wrote to memory of 212	2996	91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe	biudfw.exe
PID 2996 wrote to memory of 212	2996	91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe	biudfw.exe
PID 2996 wrote to memory of 868	2996	91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe	cmd.exe
PID 2996 wrote to memory of 868	2996	91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe	cmd.exe
PID 2996 wrote to memory of 868	2996	91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe
"C:\Users\Admin\AppData\Local\Temp\91bd7684c4f7afba9d01ad8467d22e5ad3f27da3c408e93f3367ce06c8ab89a0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2996

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
57KB

MD5
24ad8d97bec4fd6790850daeb6ebab82

SHA1
834b3ae0fae94849696a11353e4ad0c2c4cab468

SHA256
eb61c926f401918bd48f28578dbeb50d7ae395f2aa57aba247f9845c9194e8d0

SHA512
f229ba47d63d05c223e011ffad76f44b2a2628ca82cf358a1534853e6a97be0fd6b72f786037659b6c2cc1fb4c512b33f67fac2d2664f335115c2b67d9139fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b4a86880004da8726288d7ec954885a8

SHA1
1bab1cfbdc2c540246210bc7852f8fe7e8357b31

SHA256
c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46

SHA512
22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
4fc5f7d9f6ee388c8cc7322a80f6b45a

SHA1
50988d57c58da9d2b021b449f468ae5d4e9b6919

SHA256
d1722009dd181f93955e2212c09b5fc99d1977d0cd3d1f1ab8a2de13c9215509

SHA512
6e94e0898139df07f633bb3be643a73b40bf6c57bf4ca851e68854f8c8657e1c489cec880d87fab0019669806fce209241567adbbd214a11218acb3c04cd18cc

Download Submit
memory/212-10-0x0000000000540000-0x000000000056C000-memory.dmp

Filesize
176KB

Download
memory/212-17-0x0000000000540000-0x000000000056C000-memory.dmp

Filesize
176KB

Download
memory/212-19-0x0000000000540000-0x000000000056C000-memory.dmp

Filesize
176KB

Download
memory/212-25-0x0000000000540000-0x000000000056C000-memory.dmp

Filesize
176KB

Download
memory/2996-0-0x0000000000B10000-0x0000000000B3C000-memory.dmp

Filesize
176KB

Download
memory/2996-14-0x0000000000B10000-0x0000000000B3C000-memory.dmp

Filesize
176KB

Download