urelas | 7b366eaa79a016d841c81103b445ee38f588ae52e6acd02dcffdf475445583e1

Analysis

max time kernel
101s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

255615d7f6aff559589d0e167d18dcd0N.exe
Size

52KB
MD5

255615d7f6aff559589d0e167d18dcd0
SHA1

3e78e128d2345544c450167ec27f72ec641335d5
SHA256

7b366eaa79a016d841c81103b445ee38f588ae52e6acd02dcffdf475445583e1
SHA512

d6ae94b639fe44a6b88dbc1c211460495fbfb3d7c4c34e5fd120c58b07bcb8bd5b6aa691a47f3f74f48a0304784c421ec237cad00212e1f817b740a08749561c
SSDEEP

1536:TlnBzGPEdPJpUI4QP4BDK3XmbPfKJ97ife:JnBGPUMQwBDamb3a7i2

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

255615d7f6aff559589d0e167d18dcd0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	255615d7f6aff559589d0e167d18dcd0N.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

1464 biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1464	biudfw.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

255615d7f6aff559589d0e167d18dcd0N.exe

description	pid	process	target process
PID 216 wrote to memory of 1464	216	255615d7f6aff559589d0e167d18dcd0N.exe	biudfw.exe
PID 216 wrote to memory of 1464	216	255615d7f6aff559589d0e167d18dcd0N.exe	biudfw.exe
PID 216 wrote to memory of 1464	216	255615d7f6aff559589d0e167d18dcd0N.exe	biudfw.exe
PID 216 wrote to memory of 3688	216	255615d7f6aff559589d0e167d18dcd0N.exe	cmd.exe
PID 216 wrote to memory of 3688	216	255615d7f6aff559589d0e167d18dcd0N.exe	cmd.exe
PID 216 wrote to memory of 3688	216	255615d7f6aff559589d0e167d18dcd0N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\255615d7f6aff559589d0e167d18dcd0N.exe
"C:\Users\Admin\AppData\Local\Temp\255615d7f6aff559589d0e167d18dcd0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
52KB

MD5
10d0095431ee008002c1e9485a915d3f

SHA1
e9b84e97ee35829cf3705c451d18f27929637adc

SHA256
78af50ec50a57ef99d66eba1c9e75418ae6bc75e41b8099dd5b44f4bd26fe24d

SHA512
bc616e55d225c0bba10af8b9c7e1f310195dcd5890f3565265ea66fc904de935dd1adb20e0d75b82196ceaff8f40947220d28f46c8f062344f5292d22eb12ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b4a86880004da8726288d7ec954885a8

SHA1
1bab1cfbdc2c540246210bc7852f8fe7e8357b31

SHA256
c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46

SHA512
22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
cd30f77bd65f1bdc0b1d8f71ad4ba0de

SHA1
f5dda6cd4a1237d80e50d3b7bde8b29a3299cd75

SHA256
1bd292a0dce30b6399648902fac205560e1bea0ea58a71152b1cd2c2e9e85815

SHA512
f0f1aa0858195fa85ced64cebaaeda209e2c2d18657f65b09484ceade0b69e3b7c85283874b6cc36ede66903209d78ff45a2c4608f7499fe243990155637ed6b

Download Submit
memory/216-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/216-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1464-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1464-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1464-20-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1464-26-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download