urelas | 5eab0cfa0f6c916740515e4ea6389ca0a55c1108c993532143e962d1f289c122

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

815c519c72a50051d4cebaff3f4d2810N.exe
Size

56KB
MD5

815c519c72a50051d4cebaff3f4d2810
SHA1

bdb780f001c05599f825776d62e54d5c6c38fd91
SHA256

5eab0cfa0f6c916740515e4ea6389ca0a55c1108c993532143e962d1f289c122
SHA512

eb72003d8ee4fbc469a8a735af81317721dfe96a4dc67f2b5c6f1b4c1c24870d2581aaee3c2641495969ad699a66b8235dcb1a356099e5c39ef5a8c7c158b86d
SSDEEP

1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS88k:MOemdTd1o74qlmbbJ+x+Ik6k

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

815c519c72a50051d4cebaff3f4d2810N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	815c519c72a50051d4cebaff3f4d2810N.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

1376 biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1376	biudfw.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

815c519c72a50051d4cebaff3f4d2810N.exe

description	pid	process	target process
PID 536 wrote to memory of 1376	536	815c519c72a50051d4cebaff3f4d2810N.exe	biudfw.exe
PID 536 wrote to memory of 1376	536	815c519c72a50051d4cebaff3f4d2810N.exe	biudfw.exe
PID 536 wrote to memory of 1376	536	815c519c72a50051d4cebaff3f4d2810N.exe	biudfw.exe
PID 536 wrote to memory of 4168	536	815c519c72a50051d4cebaff3f4d2810N.exe	cmd.exe
PID 536 wrote to memory of 4168	536	815c519c72a50051d4cebaff3f4d2810N.exe	cmd.exe
PID 536 wrote to memory of 4168	536	815c519c72a50051d4cebaff3f4d2810N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\815c519c72a50051d4cebaff3f4d2810N.exe
"C:\Users\Admin\AppData\Local\Temp\815c519c72a50051d4cebaff3f4d2810N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
56KB

MD5
d01e044199a78c5a0e694a9d6d00939a

SHA1
d1ad46e2affc5f49efe9a7286aca29fba5ebe244

SHA256
838efc26193998a2c55653f6e9c4a73d799863d502cc2ae324341ef32dbfcf10

SHA512
8f9917d0473dcf5c3e7c5f568f81a4a35045616fed908a699ea3914ab468bd123034c717d80beaa1fbfe9a96dbdec08d38983b83700afaca8e64c524e33dd09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7cdc8777d33db85bc19aefb64879a7f7

SHA1
f2d494d4dfe93a05eb58513935196e8578648adf

SHA256
9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336

SHA512
34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
20b1348571562bbb719adce0f53c43ed

SHA1
a1fe8a193779dc356c90cc83bc978f6eebfd2a29

SHA256
7d4b8fa2e4deff14dfd4ed3be2497311350d8b32622d11164521b1994301f8d9

SHA512
101adf1a271656ada5d9651092cfa2009c603ebefc7a981e63b1dc776122a0b57ce5beef396721120ec10f3e620c937c38c4daeeb79c04daa306986fe4925e71

Download Submit
memory/536-0-0x0000000000740000-0x0000000000766000-memory.dmp

Filesize
152KB

Download
memory/536-15-0x0000000000740000-0x0000000000766000-memory.dmp

Filesize
152KB

Download
memory/1376-12-0x0000000000E20000-0x0000000000E46000-memory.dmp

Filesize
152KB

Download
memory/1376-18-0x0000000000E20000-0x0000000000E46000-memory.dmp

Filesize
152KB

Download
memory/1376-20-0x0000000000E20000-0x0000000000E46000-memory.dmp

Filesize
152KB

Download
memory/1376-26-0x0000000000E20000-0x0000000000E46000-memory.dmp

Filesize
152KB

Download