urelas | 533cc19bd9b2b2bd5db03316d8a7e486f03c5c4b697887b33f1b691b37925d35

Analysis

max time kernel
89s
max time network
91s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

506a4b2f07b85042d59325b112bf3fc0N.exe
Size

67KB
MD5

506a4b2f07b85042d59325b112bf3fc0
SHA1

25a268da263c487b091a4eacc8d3981a609ba4f0
SHA256

533cc19bd9b2b2bd5db03316d8a7e486f03c5c4b697887b33f1b691b37925d35
SHA512

a8795aead64626f92a8a135cf79565561461cedf09071f5e95c5c4b1a3532bd3333059a2c611ad580be43e41c2d14d80183d6b514a3679aeeb30a966232ca81e
SSDEEP

1536:04/WgLAjdZsp+uChoLnDeoqYAJjvLFymnHsPe9:l//AjMp+u2onejH2Pe9

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2868	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2560	506a4b2f07b85042d59325b112bf3fc0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	506a4b2f07b85042d59325b112bf3fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2448	2560	506a4b2f07b85042d59325b112bf3fc0N.exe	30
PID 2560 wrote to memory of 2448	2560	506a4b2f07b85042d59325b112bf3fc0N.exe	30
PID 2560 wrote to memory of 2448	2560	506a4b2f07b85042d59325b112bf3fc0N.exe	30
PID 2560 wrote to memory of 2448	2560	506a4b2f07b85042d59325b112bf3fc0N.exe	30
PID 2560 wrote to memory of 2868	2560	506a4b2f07b85042d59325b112bf3fc0N.exe	31
PID 2560 wrote to memory of 2868	2560	506a4b2f07b85042d59325b112bf3fc0N.exe	31
PID 2560 wrote to memory of 2868	2560	506a4b2f07b85042d59325b112bf3fc0N.exe	31
PID 2560 wrote to memory of 2868	2560	506a4b2f07b85042d59325b112bf3fc0N.exe	31

C:\Users\Admin\AppData\Local\Temp\506a4b2f07b85042d59325b112bf3fc0N.exe
"C:\Users\Admin\AppData\Local\Temp\506a4b2f07b85042d59325b112bf3fc0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
67KB

MD5
5e71120fbb0d221b56ac5d7620b47417

SHA1
448b4014d2471362f97f7de40aa06c5958e539d6

SHA256
5e7383e3bf16744b8b8a031f63668becc70a3bdfb98933a478d8bc938e418b62

SHA512
6e8c2d1d482e0dd1d050d5eb73547f4193f5d17026e9221135a64ebd4b337f8dc9ee546e6ab26bd7a26e22a80aaf2ae6d93d431a48448c7d715b4994769c2b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a250860c0687ed9dda488805c025a2d2

SHA1
0c181ed3b46463d35631ca169f0928c33a1da389

SHA256
3947c34dfc780b424a3207c6ebe12f667bcb839733107f7a94fe495ec705cb37

SHA512
0286fcd24203ef574c9fc37200e4b0e65d58296162aa89b5424ab48b814bd237e609ab7eaf42a69bdad2ab6414bfbbfaec4757e28b29c69752e0e65a653f665a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
41cb059dcbabf4eea539b86327b87ce6

SHA1
db95bfbabc68551c82723898a9f757077fe0a04a

SHA256
adb300d917f874ff90168c061d97be534934c795169393cccb0b832925b9fcbe

SHA512
a144f960448fd49c74be466039adcfbffe745e3205626f116003d960474017e97a73aba27710005dd5079e851189f6538aa7befe1c227b008dc10dc71494e951

Download Submit
memory/2448-10-0x0000000000AC0000-0x0000000000AE8000-memory.dmp

Filesize
160KB

Download
memory/2448-22-0x0000000000AC0000-0x0000000000AE8000-memory.dmp

Filesize
160KB

Download
memory/2448-24-0x0000000000AC0000-0x0000000000AE8000-memory.dmp

Filesize
160KB

Download
memory/2448-31-0x0000000000AC0000-0x0000000000AE8000-memory.dmp

Filesize
160KB

Download
memory/2560-0-0x00000000008C0000-0x00000000008E8000-memory.dmp

Filesize
160KB

Download
memory/2560-9-0x0000000001CF0000-0x0000000001D18000-memory.dmp

Filesize
160KB

Download
memory/2560-19-0x00000000008C0000-0x00000000008E8000-memory.dmp

Filesize
160KB

Download