urelas | e1956debfcb108a849bd79dd248753279ae9cb1e3de1925ea5b00fde3ce0b903

Analysis

max time kernel
108s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58ca44b2acdc23929378274d1af51dd0N.exe
Size

56KB
MD5

58ca44b2acdc23929378274d1af51dd0
SHA1

6fd2145e2ed15478712ef92762552aa73a128cb6
SHA256

e1956debfcb108a849bd79dd248753279ae9cb1e3de1925ea5b00fde3ce0b903
SHA512

df9c4f34ac7171cce4d0d96c5e463eb5e02a03374e16e5d3f3e694586364ffaa53ac914e35ae160d6995219d520ec04d84cc80405fd2dec58d656cadc1b6a5f3
SSDEEP

1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS8H:MOemdTd1o74qlmbbJ+x+IkJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

58ca44b2acdc23929378274d1af51dd0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	58ca44b2acdc23929378274d1af51dd0N.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

4428 biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4428	biudfw.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

58ca44b2acdc23929378274d1af51dd0N.exebiudfw.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58ca44b2acdc23929378274d1af51dd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

58ca44b2acdc23929378274d1af51dd0N.exe

description	pid	process	target process
PID 1980 wrote to memory of 4428	1980	58ca44b2acdc23929378274d1af51dd0N.exe	biudfw.exe
PID 1980 wrote to memory of 4428	1980	58ca44b2acdc23929378274d1af51dd0N.exe	biudfw.exe
PID 1980 wrote to memory of 4428	1980	58ca44b2acdc23929378274d1af51dd0N.exe	biudfw.exe
PID 1980 wrote to memory of 3260	1980	58ca44b2acdc23929378274d1af51dd0N.exe	cmd.exe
PID 1980 wrote to memory of 3260	1980	58ca44b2acdc23929378274d1af51dd0N.exe	cmd.exe
PID 1980 wrote to memory of 3260	1980	58ca44b2acdc23929378274d1af51dd0N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\58ca44b2acdc23929378274d1af51dd0N.exe
"C:\Users\Admin\AppData\Local\Temp\58ca44b2acdc23929378274d1af51dd0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
56KB

MD5
48343e64dc88f87b9f61a783ac3457a7

SHA1
700ac6f47b556892d69b89521dfe6de2d9bf1e0f

SHA256
fee307d1aa27deca4787109a2de48fd614650acfca06370e86628e33345a7a1f

SHA512
0c5a2022a2e74628a9b5ff26451e9a0246bbd981c88387d7c8141834be0fe415f669f3baa33da750ea17f6c369b00c0b14c22d01b390c7c713c8b855f7a9ea2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7cdc8777d33db85bc19aefb64879a7f7

SHA1
f2d494d4dfe93a05eb58513935196e8578648adf

SHA256
9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336

SHA512
34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
f8ff781d0eb4e36dccc71fa91762dbb6

SHA1
c814dfe81f714e6bb925dc04b386daddf60083e2

SHA256
49b184f0aab4fc9f5650768296f898199f8c1ca0e2785b13660c7b3c232d53e9

SHA512
e87134995114152164b3074f55e0f1587828a7002839fac43369e2d5b34a979851b20bfcd9a922ddc078fc9a4b25be5e595bca9c7161e0bc1dda39f8a672e728

Download Submit
memory/1980-0-0x00000000003C0000-0x00000000003E6000-memory.dmp

Filesize
152KB

Download
memory/1980-15-0x00000000003C0000-0x00000000003E6000-memory.dmp

Filesize
152KB

Download
memory/4428-12-0x0000000000210000-0x0000000000236000-memory.dmp

Filesize
152KB

Download
memory/4428-18-0x0000000000210000-0x0000000000236000-memory.dmp

Filesize
152KB

Download
memory/4428-20-0x0000000000210000-0x0000000000236000-memory.dmp

Filesize
152KB

Download
memory/4428-26-0x0000000000210000-0x0000000000236000-memory.dmp

Filesize
152KB

Download