urelas | bfdb4cfcece38ae85a23834ca2bfc18aa237cc1f6a242d9b3dd06fb1e8a86b09

Analysis

max time kernel
99s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08ac25b3ad97d78e62884941570539f0N.exe
Size

69KB
MD5

08ac25b3ad97d78e62884941570539f0
SHA1

9cd65e259018da7bc2ecc96be3133800a453e368
SHA256

bfdb4cfcece38ae85a23834ca2bfc18aa237cc1f6a242d9b3dd06fb1e8a86b09
SHA512

debe2af527ce7ec73a6f6cd29b67f737632698f3b5ef630a66f320ce084ac8d27a0398766a1ce00a1a8c92642f10434ea7fe0c910627205069e53620b7cdf49c
SSDEEP

1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCarawW:yLAYUzmdD0sMQl7d7IuhCaeZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

08ac25b3ad97d78e62884941570539f0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	08ac25b3ad97d78e62884941570539f0N.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

1608 biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1608	biudfw.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

08ac25b3ad97d78e62884941570539f0N.exebiudfw.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08ac25b3ad97d78e62884941570539f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

08ac25b3ad97d78e62884941570539f0N.exe

description	pid	process	target process
PID 5096 wrote to memory of 1608	5096	08ac25b3ad97d78e62884941570539f0N.exe	biudfw.exe
PID 5096 wrote to memory of 1608	5096	08ac25b3ad97d78e62884941570539f0N.exe	biudfw.exe
PID 5096 wrote to memory of 1608	5096	08ac25b3ad97d78e62884941570539f0N.exe	biudfw.exe
PID 5096 wrote to memory of 912	5096	08ac25b3ad97d78e62884941570539f0N.exe	cmd.exe
PID 5096 wrote to memory of 912	5096	08ac25b3ad97d78e62884941570539f0N.exe	cmd.exe
PID 5096 wrote to memory of 912	5096	08ac25b3ad97d78e62884941570539f0N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\08ac25b3ad97d78e62884941570539f0N.exe
"C:\Users\Admin\AppData\Local\Temp\08ac25b3ad97d78e62884941570539f0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
69KB

MD5
76731686d4d85dadef8cf249f1311340

SHA1
2122ae598a74d1a257b5009e4e561c215c2c8e4f

SHA256
6c9e0333dc7a232fec2860441a13ed5fea4bbb703eff27789d0762e798e8e1ad

SHA512
0cdc96752e037db067e3f3ebf3257815c72d0ed6b0f67bf887384a88179abd1c493d64a73e9bc8103cd8c3a3b717ddcc5e7ff923eb039e3b3a37f8b273291c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1c9b2720af0ca9528b47898d9c7f4799

SHA1
80495f16e333f54ecc700252323c2a7cb7d751e1

SHA256
d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

SHA512
5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
7667a6479fdaef8c6474c43ba8be8bf6

SHA1
75993f5c2bcb29bc168711c0e65b8681a46b99ec

SHA256
7d41adc415cf15b24e4cd4ef4ab79fb0d9d6800a8bb63e6140367871ddf7d4ac

SHA512
6c7c2e3d619bb14beb48f0e69d2faa238ef64ff63fd84e17da1d6556f86a2d3462ed241f60f56b9ff23e734d0d290e9668fd96f2f54049ab60798b981dd03dce

Download Submit
memory/1608-13-0x0000000000640000-0x0000000000667000-memory.dmp

Filesize
156KB

Download
memory/1608-21-0x0000000000640000-0x0000000000667000-memory.dmp

Filesize
156KB

Download
memory/1608-23-0x0000000000640000-0x0000000000667000-memory.dmp

Filesize
156KB

Download
memory/1608-30-0x0000000000640000-0x0000000000667000-memory.dmp

Filesize
156KB

Download
memory/5096-0-0x0000000000C10000-0x0000000000C37000-memory.dmp

Filesize
156KB

Download
memory/5096-18-0x0000000000C10000-0x0000000000C37000-memory.dmp

Filesize
156KB

Download