urelas | c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe
Size

154KB
MD5

bbe8e829aee18186412c5aa0a0a53382
SHA1

e44472544add419c8ad1fca677cd4cceca18d02c
SHA256

c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab
SHA512

ae27a93fd3d6f9410621707db4891793f6f6d718589688f0eb5bcc8c758c4bac3b37e07fe4b4cf01ec4c74bf851a3b71b7ed2b7ad89535d2fd38f0090fcc9fdc
SSDEEP

3072:Ntbqvi9nMKxQbZ5x66EfACsxfcYvQd2Oep:Nt2vsx+AV4LfLOO

Score

10^/10

urelas discovery trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2076	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2548	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
1924	c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2548	1924	c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe	30
PID 1924 wrote to memory of 2548	1924	c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe	30
PID 1924 wrote to memory of 2548	1924	c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe	30
PID 1924 wrote to memory of 2548	1924	c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe	30
PID 1924 wrote to memory of 2076	1924	c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe	31
PID 1924 wrote to memory of 2076	1924	c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe	31
PID 1924 wrote to memory of 2076	1924	c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe	31
PID 1924 wrote to memory of 2076	1924	c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe	31

C:\Users\Admin\AppData\Local\Temp\c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe
"C:\Users\Admin\AppData\Local\Temp\c562276ebb24c6752847dfc97fa16c3d79f0106621c9b0eeda7e8713e222f8ab.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2930c042c9ee5e07f321f2134a0c7edc

SHA1
ee39f41eaf6ce3c8d917a89e65959414ae0088e6

SHA256
a328475bbb730da292b83ed6cabbdbfc0616f042296f0c6fa356c5368ffc1309

SHA512
2da91d5effc116d8c8661c2a99f1d9c2aaffda0f776551dc7ad1911fdb2765591e5b441b9a1fe0090bcda8ed24d180b563ed2c127676cf1de40001e4b15b5506

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
218f1183cea08a87d59f988bb1532733

SHA1
4689ac14fe87c120737c99d8fd9ca54cd0f867f7

SHA256
48ebb3ba1daba58d6a0d2b53bbd5edab42ce9e4041d1cb41bbf48ba267147059

SHA512
f81ca8f6913504c15d0368f1eab10f578256d8940de58841216e7062eaf8d03ae13c27d6741c694d2ed9fb815906800eeb7547209500b926922bf6e422a37359

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
154KB

MD5
14cbfab204af7c4fdf12fb96624d5537

SHA1
7bb97428767b71ab1ec56b1bda601fd9926e658b

SHA256
8cd14f08f08a181cc580a6dc83231c585b0879273bb48cc841311778891a740b

SHA512
d91673c4b3e0f14b114439eb7787c18b8c6fdcfa91a4f4b77b02c47877aad7d132e776d88b7ba13d37a1837e6d900d5c2c1bdf54e720f161f379b0a5750d83eb

Download Submit