urelas | 30a3b7f39988987441d94f82b1de19261b11f1cc1b89da3ddf7860d1268e57be

Analysis

max time kernel
90s
max time network
93s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c37611c386e95775b676364e11735260N.exe
Size

56KB
MD5

c37611c386e95775b676364e11735260
SHA1

883a0f832db1b4e85aa58e2d0a077df2b0764a7a
SHA256

30a3b7f39988987441d94f82b1de19261b11f1cc1b89da3ddf7860d1268e57be
SHA512

59c30a3cc29f468a31b3eeaa95c383ae807b3fba23367e40e0c71b80041283d120bd215895390c3cb1043840e0f5ac550a0041ce9f17ffc5c973cf2618cf9458
SSDEEP

1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS8M:MOemdTd1o74qlmbbJ+x+Ike

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
468	c37611c386e95775b676364e11735260N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c37611c386e95775b676364e11735260N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 3052	468	c37611c386e95775b676364e11735260N.exe	30
PID 468 wrote to memory of 3052	468	c37611c386e95775b676364e11735260N.exe	30
PID 468 wrote to memory of 3052	468	c37611c386e95775b676364e11735260N.exe	30
PID 468 wrote to memory of 3052	468	c37611c386e95775b676364e11735260N.exe	30
PID 468 wrote to memory of 2664	468	c37611c386e95775b676364e11735260N.exe	31
PID 468 wrote to memory of 2664	468	c37611c386e95775b676364e11735260N.exe	31
PID 468 wrote to memory of 2664	468	c37611c386e95775b676364e11735260N.exe	31
PID 468 wrote to memory of 2664	468	c37611c386e95775b676364e11735260N.exe	31

C:\Users\Admin\AppData\Local\Temp\c37611c386e95775b676364e11735260N.exe
"C:\Users\Admin\AppData\Local\Temp\c37611c386e95775b676364e11735260N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7cdc8777d33db85bc19aefb64879a7f7

SHA1
f2d494d4dfe93a05eb58513935196e8578648adf

SHA256
9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336

SHA512
34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
3f45966531702738675b09d0b8ddb343

SHA1
c031c79a7c8a49f2d339f68ce7a95d99d60e97ee

SHA256
2129554bb7567e82483498ba2b040d0763d531af8b990ca10a735a47869e1da1

SHA512
8f65ee3ec5b5b774bf484e643d09389135d55b19c15de4ec4bea39d95134d871fbf2c5b1ed31571a43cb642c03a4421bf7618f59f563402dee8454ec86ba63c8

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
57KB

MD5
58edda105c313e1c468a4d2aa089af2b

SHA1
3929234d998594ee5bc1e30a38b23ec4797d547d

SHA256
8d9bbd24be6b95ccfe1c776e72918cd876e510311f5f12215624e45bf397996e

SHA512
daa57dd8ac6517a60c742139b0ebe6d1832a1e4b0410a85b003a167f60ee84c80cc50bf6d473078e826e4abbb0ea4c3a97b95f3bf2f1b9fbb55c44e261f148c2

Download Submit
memory/468-0-0x0000000000E70000-0x0000000000E96000-memory.dmp

Filesize
152KB

Download
memory/468-7-0x0000000000790000-0x00000000007B6000-memory.dmp

Filesize
152KB

Download
memory/468-19-0x0000000000E70000-0x0000000000E96000-memory.dmp

Filesize
152KB

Download
memory/3052-10-0x00000000001D0000-0x00000000001F6000-memory.dmp

Filesize
152KB

Download
memory/3052-22-0x00000000001D0000-0x00000000001F6000-memory.dmp

Filesize
152KB

Download
memory/3052-24-0x00000000001D0000-0x00000000001F6000-memory.dmp

Filesize
152KB

Download
memory/3052-31-0x00000000001D0000-0x00000000001F6000-memory.dmp

Filesize
152KB

Download