urelas | 6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550

General

Target

6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe
Size

51KB
MD5

c8d0eae4bb28c74ce785fceceb2a8760
SHA1

3c6c1716d86b09b4a3a6e514ab2b2762fcbd28d6
SHA256

6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550
SHA512

2b213d137c38faeb12f8444ae5e91ea8f4c0c35dc84530b856b4d5f4fbfd5c72b333faf5668a33eaa9bc11dc25dfeda07bf27f99fa894a4b0ba69f311cfa1644
SSDEEP

768:pcRQ5/pEPH0gw0qN0GPvvpw+8P4twcmaV1Pc5q5bPga/AJFZr:pR/pEPHi0qN0WC+80p1LSGAPp

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1908	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid	Process
1272	biudfw.exe

Loads dropped DLL 1 IoCs

Processes:

6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe

pid	Process
2360	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exebiudfw.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe

description	pid	Process	procid_target
PID 2360 wrote to memory of 1272	2360	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	31
PID 2360 wrote to memory of 1272	2360	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	31
PID 2360 wrote to memory of 1272	2360	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	31
PID 2360 wrote to memory of 1272	2360	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	31
PID 2360 wrote to memory of 1908	2360	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	32
PID 2360 wrote to memory of 1908	2360	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	32
PID 2360 wrote to memory of 1908	2360	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	32
PID 2360 wrote to memory of 1908	2360	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	32

C:\Users\Admin\AppData\Local\Temp\6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe
"C:\Users\Admin\AppData\Local\Temp\6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0ecda9ecaa423d5a8481985b7d3d5a77

SHA1
ecc237c20c234cf9c0e20b39a39ab27244dc7971

SHA256
caed69520592602de846673610507a47e22e0fb108e8e88ba1a85b314607f0a9

SHA512
82ce4bfc411781d187b6151383064f18e22b37f5f03d783476fed1c8ba74ee38dc74b16badf96961e22d6b63ae31425ae785c17fa3bd5d767ae3b0bd9652fe3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
c11cf96e5101f7fbc3aa138f18ca67ed

SHA1
d372dceff4655d141e749db615997a3b08a98fd2

SHA256
08e1f4b803b2256db8ef1aa68533e8b51c9db99b677d58beb551e1c2c4c4e740

SHA512
3dc7c7b49f1773a4a39dba3013b9627a51c1c88e1d700945248d39628120237344b848ad61fcc2073befab92d9dcf801d817dac0bf8252e522cea49138feda28

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
51KB

MD5
6d35dd7a5c8f268d8da75834c46ac7fb

SHA1
2cafce286ccd2074895ba55e931bd4d39f9e0f17

SHA256
d4fcde005debbde92ef5da553d2af543ca2cd664dd291c458145ce15b51d02f0

SHA512
7bb519d6ea2026dadcf2c239bb8157f412096e5040e992beee1ccce7ddf2254a377693a20db760c308eedcb76012aebb456da00b7f1c02cd54fb814a3c23a492

Download Submit
memory/1272-12-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1272-11-0x0000000000090000-0x00000000000B7000-memory.dmp

Filesize
156KB

Download
memory/1272-24-0x0000000000090000-0x00000000000B7000-memory.dmp

Filesize
156KB

Download
memory/1272-26-0x0000000000090000-0x00000000000B7000-memory.dmp

Filesize
156KB

Download
memory/1272-33-0x0000000000090000-0x00000000000B7000-memory.dmp

Filesize
156KB

Download
memory/2360-0-0x0000000001170000-0x0000000001197000-memory.dmp

Filesize
156KB

Download
memory/2360-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2360-7-0x00000000008A0000-0x00000000008C7000-memory.dmp

Filesize
156KB

Download
memory/2360-21-0x0000000001170000-0x0000000001197000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads