urelas | 6edf4b4fd4c9444373d4cc6a9d1022a174c7088361c7212d5e7877eb030d150c

Analysis

max time kernel
89s
max time network
89s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31-07-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b539a06f73be7631c06097dd2537e00N.exe
Size

154KB
MD5

8b539a06f73be7631c06097dd2537e00
SHA1

465f3410bf356c5d1cacc35137722a2096e2a4a3
SHA256

6edf4b4fd4c9444373d4cc6a9d1022a174c7088361c7212d5e7877eb030d150c
SHA512

9223f280ef96221a827bad46c882d2c64db08aed65c1c8426988948119cba803730f7936548768c7d030e3579f04057a6e2a7a319b24e2967d3a6d28b3c901c8
SSDEEP

3072:Ntbqvi9nMKxQbZ5x66EfACsxfcYvQd2Oew:Nt2vsx+AV4LfLOD

Score

10^/10

urelas discovery trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2728 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2200 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

8b539a06f73be7631c06097dd2537e00N.exe

pid process

1644 8b539a06f73be7631c06097dd2537e00N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2728	cmd.exe

pid	process
2200	biudfw.exe

pid	process
1644	8b539a06f73be7631c06097dd2537e00N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8b539a06f73be7631c06097dd2537e00N.exebiudfw.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b539a06f73be7631c06097dd2537e00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8b539a06f73be7631c06097dd2537e00N.exe

description	pid	process	target process
PID 1644 wrote to memory of 2200	1644	8b539a06f73be7631c06097dd2537e00N.exe	biudfw.exe
PID 1644 wrote to memory of 2200	1644	8b539a06f73be7631c06097dd2537e00N.exe	biudfw.exe
PID 1644 wrote to memory of 2200	1644	8b539a06f73be7631c06097dd2537e00N.exe	biudfw.exe
PID 1644 wrote to memory of 2200	1644	8b539a06f73be7631c06097dd2537e00N.exe	biudfw.exe
PID 1644 wrote to memory of 2728	1644	8b539a06f73be7631c06097dd2537e00N.exe	cmd.exe
PID 1644 wrote to memory of 2728	1644	8b539a06f73be7631c06097dd2537e00N.exe	cmd.exe
PID 1644 wrote to memory of 2728	1644	8b539a06f73be7631c06097dd2537e00N.exe	cmd.exe
PID 1644 wrote to memory of 2728	1644	8b539a06f73be7631c06097dd2537e00N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8b539a06f73be7631c06097dd2537e00N.exe
"C:\Users\Admin\AppData\Local\Temp\8b539a06f73be7631c06097dd2537e00N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2930c042c9ee5e07f321f2134a0c7edc

SHA1
ee39f41eaf6ce3c8d917a89e65959414ae0088e6

SHA256
a328475bbb730da292b83ed6cabbdbfc0616f042296f0c6fa356c5368ffc1309

SHA512
2da91d5effc116d8c8661c2a99f1d9c2aaffda0f776551dc7ad1911fdb2765591e5b441b9a1fe0090bcda8ed24d180b563ed2c127676cf1de40001e4b15b5506

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
31429775ef6629e8cfb9db58991f6b72

SHA1
ab996535ed2155db6bb71fe93aa58f2b97517117

SHA256
44e501989e3e5bd3c85d7fd4dad7cb4c5f2110bf1986084b1251124ad03884f7

SHA512
8174bbbee728ac71f41b6a1fc24b9ad53b4444f5ca64652672d35a14e80f1bc0c8ea3c8ee64385d1c76063a11a4a53c8acdbbcf9b82abe4a155cce68556f16c7

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
154KB

MD5
657b2d57ea7bde323c4ab5c99875e274

SHA1
d934746fe090eb58fbcde2554f02e106a7380614

SHA256
f3ae40b7e2b80cb7825bb3566bfe178e8854c05e331d01a8d3ed9b1921fbe7b1

SHA512
48cd249ca789c62ea6dba0dc402fb5575edcdcc1e7f7abb4fc40ee8373b701a7ba200037200fb1878bb9ed9ff1fa30129ce7b5dee4f061f0bdab2e1124907a89

Download Submit