urelas | 6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550

General

Target

6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe
Size

51KB
MD5

c8d0eae4bb28c74ce785fceceb2a8760
SHA1

3c6c1716d86b09b4a3a6e514ab2b2762fcbd28d6
SHA256

6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550
SHA512

2b213d137c38faeb12f8444ae5e91ea8f4c0c35dc84530b856b4d5f4fbfd5c72b333faf5668a33eaa9bc11dc25dfeda07bf27f99fa894a4b0ba69f311cfa1644
SSDEEP

768:pcRQ5/pEPH0gw0qN0GPvvpw+8P4twcmaV1Pc5q5bPga/AJFZr:pR/pEPHi0qN0WC+80p1LSGAPp

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid	Process
1180	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exebiudfw.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe

description	pid	Process	procid_target
PID 4068 wrote to memory of 1180	4068	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	90
PID 4068 wrote to memory of 1180	4068	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	90
PID 4068 wrote to memory of 1180	4068	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	90
PID 4068 wrote to memory of 2552	4068	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	91
PID 4068 wrote to memory of 2552	4068	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	91
PID 4068 wrote to memory of 2552	4068	6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe	91

C:\Users\Admin\AppData\Local\Temp\6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe
"C:\Users\Admin\AppData\Local\Temp\6564923c60842cd137ee1f5eb606f61e573c9cd25fbb4f473213b7a3f26ad550N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
51KB

MD5
46dfd4059010924936909ebbfc520d68

SHA1
3b2462625444881d60054bb7264a07a51350ff97

SHA256
05629f1a0fd30da7bb35fd5a034352e92f1fd92043ffcd9bbea616d557ee7019

SHA512
a57ce590e88ec0564ed5d96b596665de64b6f8134d3c63145d17c3b891970c9ccd6d1ce0ef0db7b5759757b942a0d5304e032e77f6507c6ac75671af4271e1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0ecda9ecaa423d5a8481985b7d3d5a77

SHA1
ecc237c20c234cf9c0e20b39a39ab27244dc7971

SHA256
caed69520592602de846673610507a47e22e0fb108e8e88ba1a85b314607f0a9

SHA512
82ce4bfc411781d187b6151383064f18e22b37f5f03d783476fed1c8ba74ee38dc74b16badf96961e22d6b63ae31425ae785c17fa3bd5d767ae3b0bd9652fe3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
c11cf96e5101f7fbc3aa138f18ca67ed

SHA1
d372dceff4655d141e749db615997a3b08a98fd2

SHA256
08e1f4b803b2256db8ef1aa68533e8b51c9db99b677d58beb551e1c2c4c4e740

SHA512
3dc7c7b49f1773a4a39dba3013b9627a51c1c88e1d700945248d39628120237344b848ad61fcc2073befab92d9dcf801d817dac0bf8252e522cea49138feda28

Download Submit
memory/1180-14-0x0000000000650000-0x0000000000677000-memory.dmp

Filesize
156KB

Download
memory/1180-16-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/1180-23-0x0000000000650000-0x0000000000677000-memory.dmp

Filesize
156KB

Download
memory/1180-24-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/1180-26-0x0000000000650000-0x0000000000677000-memory.dmp

Filesize
156KB

Download
memory/1180-32-0x0000000000650000-0x0000000000677000-memory.dmp

Filesize
156KB

Download
memory/4068-0-0x0000000000460000-0x0000000000487000-memory.dmp

Filesize
156KB

Download
memory/4068-1-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/4068-20-0x0000000000460000-0x0000000000487000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads