urelas | 9fb2d1aa8a690de100629d4029dcb40bb9c1a8a19bf783ff4d29c8e211546167

Analysis

max time kernel
89s
max time network
86s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a0d35356cb29cc100814c509666060N.exe
Size

61KB
MD5

33a0d35356cb29cc100814c509666060
SHA1

004f841827eb1977ee1c9a8027b497ef4645f978
SHA256

9fb2d1aa8a690de100629d4029dcb40bb9c1a8a19bf783ff4d29c8e211546167
SHA512

74701d39f4e0c004ffd1785ca9b912dac1490b2e366122b60c7726c1c2ac4a4a9f47879889794cae9e5451c2d3581d2f20d19d6535299db41ee25f024bbe20e8
SSDEEP

1536:saTkcl2v/z0thjkh6+uYLo31d0JuPrROVz:Jo0cAthu6+FQ0JuPkz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2128	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2080	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2220	33a0d35356cb29cc100814c509666060N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33a0d35356cb29cc100814c509666060N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2080	2220	33a0d35356cb29cc100814c509666060N.exe	31
PID 2220 wrote to memory of 2080	2220	33a0d35356cb29cc100814c509666060N.exe	31
PID 2220 wrote to memory of 2080	2220	33a0d35356cb29cc100814c509666060N.exe	31
PID 2220 wrote to memory of 2080	2220	33a0d35356cb29cc100814c509666060N.exe	31
PID 2220 wrote to memory of 2128	2220	33a0d35356cb29cc100814c509666060N.exe	32
PID 2220 wrote to memory of 2128	2220	33a0d35356cb29cc100814c509666060N.exe	32
PID 2220 wrote to memory of 2128	2220	33a0d35356cb29cc100814c509666060N.exe	32
PID 2220 wrote to memory of 2128	2220	33a0d35356cb29cc100814c509666060N.exe	32

C:\Users\Admin\AppData\Local\Temp\33a0d35356cb29cc100814c509666060N.exe
"C:\Users\Admin\AppData\Local\Temp\33a0d35356cb29cc100814c509666060N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
657ce9e5dd337971e44dfb9cb3fbf7dd

SHA1
026734083afaa4b7d298781b26a72ac9b67ac831

SHA256
3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472

SHA512
79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
40b712c61ed3bfc861e5f3c1811b6281

SHA1
626b4b934ec6890740776d273d76080418526ce9

SHA256
023cd5235b4f06e6108752833b439df76e755ef596bfb12fd669e8bff28868de

SHA512
06ef7a0ff65b2219fbc0b99a5aa9cfd6bf6bc9b1e19d2b30322435b5b0205369b46b3d1dcbe8ec9bd5b99dc31a99a219f5e24fae2ad4e5bd62c698b4c0f57a96

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
61KB

MD5
57616525df70bf86a4d4e3583d654205

SHA1
5ee971ae494ecf9773ac207eb8e23129e4135555

SHA256
7a3dcca25341a16f40773fc47b5bf78b0d554ea95b793560fd4cb5f533e60742

SHA512
a39f68d788ba1ee93dbc63b475913509a9216711c51175eabd76bcceaca830997b70e41232f9f785fecd1c3e87e4d01f8b11ac69ddb27c47821579cc28416546

Download Submit
memory/2080-10-0x00000000000B0000-0x00000000000D5000-memory.dmp

Filesize
148KB

Download
memory/2080-22-0x00000000000B0000-0x00000000000D5000-memory.dmp

Filesize
148KB

Download
memory/2080-24-0x00000000000B0000-0x00000000000D5000-memory.dmp

Filesize
148KB

Download
memory/2080-31-0x00000000000B0000-0x00000000000D5000-memory.dmp

Filesize
148KB

Download
memory/2220-0-0x0000000000B70000-0x0000000000B95000-memory.dmp

Filesize
148KB

Download
memory/2220-6-0x00000000009F0000-0x0000000000A15000-memory.dmp

Filesize
148KB

Download
memory/2220-19-0x0000000000B70000-0x0000000000B95000-memory.dmp

Filesize
148KB

Download