urelas | 9fb2d1aa8a690de100629d4029dcb40bb9c1a8a19bf783ff4d29c8e211546167

Analysis

max time kernel
100s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a0d35356cb29cc100814c509666060N.exe
Size

61KB
MD5

33a0d35356cb29cc100814c509666060
SHA1

004f841827eb1977ee1c9a8027b497ef4645f978
SHA256

9fb2d1aa8a690de100629d4029dcb40bb9c1a8a19bf783ff4d29c8e211546167
SHA512

74701d39f4e0c004ffd1785ca9b912dac1490b2e366122b60c7726c1c2ac4a4a9f47879889794cae9e5451c2d3581d2f20d19d6535299db41ee25f024bbe20e8
SSDEEP

1536:saTkcl2v/z0thjkh6+uYLo31d0JuPrROVz:Jo0cAthu6+FQ0JuPkz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	33a0d35356cb29cc100814c509666060N.exe

Executes dropped EXE 1 IoCs

pid	Process
4772	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33a0d35356cb29cc100814c509666060N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4772	2416	33a0d35356cb29cc100814c509666060N.exe	88
PID 2416 wrote to memory of 4772	2416	33a0d35356cb29cc100814c509666060N.exe	88
PID 2416 wrote to memory of 4772	2416	33a0d35356cb29cc100814c509666060N.exe	88
PID 2416 wrote to memory of 720	2416	33a0d35356cb29cc100814c509666060N.exe	89
PID 2416 wrote to memory of 720	2416	33a0d35356cb29cc100814c509666060N.exe	89
PID 2416 wrote to memory of 720	2416	33a0d35356cb29cc100814c509666060N.exe	89

C:\Users\Admin\AppData\Local\Temp\33a0d35356cb29cc100814c509666060N.exe
"C:\Users\Admin\AppData\Local\Temp\33a0d35356cb29cc100814c509666060N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
61KB

MD5
b6a93393a126b159c5d8eb9651635363

SHA1
7724cd0320ef44b2d0a993043f48e137bb5dea12

SHA256
156269dc6a875f8d63c261e556a81875ef00f45b6531e2ae9ca8855bd23b8868

SHA512
85c176cfc5f0ae3a4038bc07163c4dab15786bf491f7f0fc66d3c0a0b30d40b2aad0f0955f70abc4099ea2f32fa8b743cd70fb3378d51c0d6ea94abcbe9d270a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
657ce9e5dd337971e44dfb9cb3fbf7dd

SHA1
026734083afaa4b7d298781b26a72ac9b67ac831

SHA256
3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472

SHA512
79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
40b712c61ed3bfc861e5f3c1811b6281

SHA1
626b4b934ec6890740776d273d76080418526ce9

SHA256
023cd5235b4f06e6108752833b439df76e755ef596bfb12fd669e8bff28868de

SHA512
06ef7a0ff65b2219fbc0b99a5aa9cfd6bf6bc9b1e19d2b30322435b5b0205369b46b3d1dcbe8ec9bd5b99dc31a99a219f5e24fae2ad4e5bd62c698b4c0f57a96

Download Submit
memory/2416-0-0x00000000002D0000-0x00000000002F5000-memory.dmp

Filesize
148KB

Download
memory/2416-18-0x00000000002D0000-0x00000000002F5000-memory.dmp

Filesize
148KB

Download
memory/4772-13-0x0000000000900000-0x0000000000925000-memory.dmp

Filesize
148KB

Download
memory/4772-21-0x0000000000900000-0x0000000000925000-memory.dmp

Filesize
148KB

Download
memory/4772-23-0x0000000000900000-0x0000000000925000-memory.dmp

Filesize
148KB

Download
memory/4772-29-0x0000000000900000-0x0000000000925000-memory.dmp

Filesize
148KB

Download