urelas | 2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bc

General

Target

2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe
Size

124KB
MD5

df24c49c66626e354e439fffd1cf4260
SHA1

ebc440e19c1437af7067ede2fcd45033ec0f9ddc
SHA256

2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bc
SHA512

9a76996e084fa2a3654673d2f2dc113eed2bfb64ea292e119c0e59af7c5abcbb2c9646399f55e05f0bf8d409f80d796856737d4ce9dbe539fe01b3ecb6910aa1
SSDEEP

1536:Ko6JdvxttIBcXISDPV2Mhg3GkFceersWjcd06UsfqW2vxq8un1zYL:iHC6D92O8n7eU06UsfUpq/W

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.209

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2168 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2400 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe

pid process

2104 2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2168	cmd.exe

pid	process
2400	biudfw.exe

pid	process
2104	2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exebiudfw.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe

description	pid	process	target process
PID 2104 wrote to memory of 2400	2104	2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe	biudfw.exe
PID 2104 wrote to memory of 2400	2104	2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe	biudfw.exe
PID 2104 wrote to memory of 2400	2104	2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe	biudfw.exe
PID 2104 wrote to memory of 2400	2104	2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe	biudfw.exe
PID 2104 wrote to memory of 2168	2104	2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe	cmd.exe
PID 2104 wrote to memory of 2168	2104	2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe	cmd.exe
PID 2104 wrote to memory of 2168	2104	2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe	cmd.exe
PID 2104 wrote to memory of 2168	2104	2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe
"C:\Users\Admin\AppData\Local\Temp\2dc9dbcf659cff6762f59cf865553c7f6fbaaf3f10269f7a26e34ff46ff2f8bcN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8b6fb23d659bed3f6b1cf40a104e95a

SHA1
07c9c74af6b0fe9b78bb1b3aed5bdc1e0b5de952

SHA256
f28d96334bf66f634f899c800b4d5c6195bcf407cb073761f8a4f30a4061f136

SHA512
e841cd9283c63a92395b4221492e2ae6b06d9c4108fcbbfe7d8a7928cfca405c14c0634a6388a4f18da3db611696ea797f9b825ed314d1640a17aa767593e412

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
9989ac27164ab8197226c14e781986c7

SHA1
70020e7a91f6126683ab43f79619427e86d022af

SHA256
d8d7fc6b22bf2439c51077003212fa6a101813efb2cae035ecb68fef8ebb21d6

SHA512
c6088267ef25aebf28101ff5330a1e63fe61717703902a347ec8d25d98a00abe39714a93fedc2b1ae18e07ced5554e0c76e7b7174e30cfd8b73758fbd820ef68

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
125KB

MD5
16f8716e420fa5c651dda49d29a4d16e

SHA1
69a06322dbed36d1354e77084495d2c5f0a20bcd

SHA256
23c88fc74ff3268d26cff44f205fef631c9d90bd00a1d69004249cb5370af263

SHA512
3aedf72ec6b98a8794e3c21bcf87b06e8f8ce407ffe1e1869cc93e7237a90264145c5d723d5d2707a339cf2f575224081e2dcff029c147e84898956b7af7c120

Download Submit
memory/2104-0-0x0000000001380000-0x00000000013A8000-memory.dmp

Filesize
160KB

Download
memory/2104-6-0x0000000000A90000-0x0000000000AB8000-memory.dmp

Filesize
160KB

Download
memory/2104-18-0x0000000001380000-0x00000000013A8000-memory.dmp

Filesize
160KB

Download
memory/2400-10-0x0000000001390000-0x00000000013B8000-memory.dmp

Filesize
160KB

Download
memory/2400-21-0x0000000001390000-0x00000000013B8000-memory.dmp

Filesize
160KB

Download
memory/2400-22-0x0000000001390000-0x00000000013B8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing