urelas | 533cc19bd9b2b2bd5db03316d8a7e486f03c5c4b697887b33f1b691b37925d35

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

506a4b2f07b85042d59325b112bf3fc0N.exe
Size

67KB
MD5

506a4b2f07b85042d59325b112bf3fc0
SHA1

25a268da263c487b091a4eacc8d3981a609ba4f0
SHA256

533cc19bd9b2b2bd5db03316d8a7e486f03c5c4b697887b33f1b691b37925d35
SHA512

a8795aead64626f92a8a135cf79565561461cedf09071f5e95c5c4b1a3532bd3333059a2c611ad580be43e41c2d14d80183d6b514a3679aeeb30a966232ca81e
SSDEEP

1536:04/WgLAjdZsp+uChoLnDeoqYAJjvLFymnHsPe9:l//AjMp+u2onejH2Pe9

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	506a4b2f07b85042d59325b112bf3fc0N.exe

Executes dropped EXE 1 IoCs

pid	Process
1376	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	506a4b2f07b85042d59325b112bf3fc0N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1376	4928	506a4b2f07b85042d59325b112bf3fc0N.exe	84
PID 4928 wrote to memory of 1376	4928	506a4b2f07b85042d59325b112bf3fc0N.exe	84
PID 4928 wrote to memory of 1376	4928	506a4b2f07b85042d59325b112bf3fc0N.exe	84
PID 4928 wrote to memory of 216	4928	506a4b2f07b85042d59325b112bf3fc0N.exe	85
PID 4928 wrote to memory of 216	4928	506a4b2f07b85042d59325b112bf3fc0N.exe	85
PID 4928 wrote to memory of 216	4928	506a4b2f07b85042d59325b112bf3fc0N.exe	85

C:\Users\Admin\AppData\Local\Temp\506a4b2f07b85042d59325b112bf3fc0N.exe
"C:\Users\Admin\AppData\Local\Temp\506a4b2f07b85042d59325b112bf3fc0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
67KB

MD5
79d2750a59e472ed8a23450c180289b1

SHA1
c9c639544a2eddc3ebf39c957d51beafc8875a49

SHA256
83f7ca9b465ec3d6ff05bf332f31a01872a101179e848887ef7fb3919660f161

SHA512
b487c26a1566ffadb56824d9ecbb60e738f48c5fe5f33805fd730050cbd87158ab8fec3ddd58f374dbfc7c61a30afbfd206751e691eb95fc2640edca517f92ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a250860c0687ed9dda488805c025a2d2

SHA1
0c181ed3b46463d35631ca169f0928c33a1da389

SHA256
3947c34dfc780b424a3207c6ebe12f667bcb839733107f7a94fe495ec705cb37

SHA512
0286fcd24203ef574c9fc37200e4b0e65d58296162aa89b5424ab48b814bd237e609ab7eaf42a69bdad2ab6414bfbbfaec4757e28b29c69752e0e65a653f665a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
41cb059dcbabf4eea539b86327b87ce6

SHA1
db95bfbabc68551c82723898a9f757077fe0a04a

SHA256
adb300d917f874ff90168c061d97be534934c795169393cccb0b832925b9fcbe

SHA512
a144f960448fd49c74be466039adcfbffe745e3205626f116003d960474017e97a73aba27710005dd5079e851189f6538aa7befe1c227b008dc10dc71494e951

Download Submit
memory/1376-15-0x0000000000D00000-0x0000000000D28000-memory.dmp

Filesize
160KB

Download
memory/1376-21-0x0000000000D00000-0x0000000000D28000-memory.dmp

Filesize
160KB

Download
memory/1376-23-0x0000000000D00000-0x0000000000D28000-memory.dmp

Filesize
160KB

Download
memory/1376-30-0x0000000000D00000-0x0000000000D28000-memory.dmp

Filesize
160KB

Download
memory/4928-0-0x00000000003D0000-0x00000000003F8000-memory.dmp

Filesize
160KB

Download
memory/4928-18-0x00000000003D0000-0x00000000003F8000-memory.dmp

Filesize
160KB

Download