urelas | ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5c

Analysis

max time kernel
89s
max time network
87s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe
Size

154KB
MD5

bd099b79279d97ef33e3e2701d1c6c60
SHA1

6e1ae7cb3be30f3cbdb2293e17d3305479af3755
SHA256

ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5c
SHA512

0fe5ea10685553c2fa566b45cca652a9312154e583f30d7734746333d8e2527f8f73dacb75f5b0eb3ceb15cebfe3ee3ba318cbbd43379b4bdb4c9ff80b68d41b
SSDEEP

3072:Ntbqvi9nMKxQbZ5x66EfACsxfcYvQd2OeS:Nt2vsx+AV4LfLOR

Score

10^/10

urelas discovery trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2716	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2444	ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2888	2444	ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe	30
PID 2444 wrote to memory of 2888	2444	ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe	30
PID 2444 wrote to memory of 2888	2444	ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe	30
PID 2444 wrote to memory of 2888	2444	ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe	30
PID 2444 wrote to memory of 2716	2444	ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe	31
PID 2444 wrote to memory of 2716	2444	ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe	31
PID 2444 wrote to memory of 2716	2444	ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe	31
PID 2444 wrote to memory of 2716	2444	ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe	31

C:\Users\Admin\AppData\Local\Temp\ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe
"C:\Users\Admin\AppData\Local\Temp\ecf24d1e9ea91661f99a8dcecc826b1d0c79f2a02cd1aee98d45669638658c5cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2930c042c9ee5e07f321f2134a0c7edc

SHA1
ee39f41eaf6ce3c8d917a89e65959414ae0088e6

SHA256
a328475bbb730da292b83ed6cabbdbfc0616f042296f0c6fa356c5368ffc1309

SHA512
2da91d5effc116d8c8661c2a99f1d9c2aaffda0f776551dc7ad1911fdb2765591e5b441b9a1fe0090bcda8ed24d180b563ed2c127676cf1de40001e4b15b5506

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
faf327843e5f9fa9929675de5bf7174c

SHA1
08b3dd34478b8b28f375e8295b8a37a00417647d

SHA256
66f309b291522027f8c7307a35db25c042a2ab5adad2c7d1685a21ee92ffa1f6

SHA512
498b3ec88f48e02de8cfc93164c77c60d7b588a50a4f6f4e9d8e92aa0462cb12a2968747107d5eb5644fa8c58d92fcd6c7b41171dfa8010b4551ceadcb930776

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
154KB

MD5
70f29d52397bbfae8fae596db656fd6c

SHA1
485a4f9aefb50b5b58a2e5a2a1116234e5dd4b44

SHA256
faf435cbc546787c929533043b7c4a5d9439e562731a4382abf7d0b51b24bbd9

SHA512
c73a57fbf78acaabbb21db293022cf357941e16b1a446fb7550de3864ac62d533fc421166a1e5e2b451400e640098a8001641cfdd3876155e1fae19d8f8a0d97

Download Submit