urelas | 981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe
Size

65KB
MD5

d4efc4695bd947d17434f865ecd6aa20
SHA1

3b9a2e78df4e4aaa8a7432885d1275536f6de4dc
SHA256

981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08
SHA512

5c92d570b6c13c294aa21102276df61548af04c4a174a24051e256647a25bb578037fad31256194d953789488a6a44932023fc13b5765f7a7b99d56b37aa6779
SSDEEP

1536:6bQx5oPsr2vFxDPhAvzgAQzFZ77MzeTm/:6bQRSHpAvzyf7MzeTY

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 2708	3900	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	88
PID 3900 wrote to memory of 2708	3900	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	88
PID 3900 wrote to memory of 2708	3900	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	88
PID 3900 wrote to memory of 4312	3900	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	89
PID 3900 wrote to memory of 4312	3900	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	89
PID 3900 wrote to memory of 4312	3900	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	89

C:\Users\Admin\AppData\Local\Temp\981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe
"C:\Users\Admin\AppData\Local\Temp\981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
65KB

MD5
83a2f06b11bff59fb430e18386e56c4c

SHA1
f2fefa447da64bc2d4f45ddb37373526c8b7c522

SHA256
d854de7b254e916c65975ced30cd0beebb928f3528d58cd6effc10c1d90ddc48

SHA512
010554e72f15ab6387b18025c7f74e9ff8b6a1a00c9678517ff23a65e6487445b13bc7545b29966da58ff45a14fa82c31b4bb2b34b32b9f2bb02403646b1c92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
efd90b3ac908d5482af367de3a82184a

SHA1
de9f01d2ed0247b7b347e55c5a09721a60147fb9

SHA256
44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d

SHA512
6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
63bb09c8c15f8ea5ca3baab35d1b0848

SHA1
8da9455e2074aafb7dcdfd536a0a0fa3cff8f0dc

SHA256
e51b3a880968dde7ad6171b0395c1ad02e1033d14719e19d79159cf5f789163e

SHA512
78cf8c706833ec5c903675b01e5b2bc4d945d24195b248c5c01f9f0d08045f71214c33a73aa7b770291ff33580400c5c9e3fff11585b823faa43282a46c84148

Download Submit
memory/2708-12-0x00000000004C0000-0x00000000004E5000-memory.dmp

Filesize
148KB

Download
memory/2708-21-0x00000000004C0000-0x00000000004E5000-memory.dmp

Filesize
148KB

Download
memory/2708-23-0x00000000004C0000-0x00000000004E5000-memory.dmp

Filesize
148KB

Download
memory/2708-30-0x00000000004C0000-0x00000000004E5000-memory.dmp

Filesize
148KB

Download
memory/3900-0-0x00000000007D0000-0x00000000007F5000-memory.dmp

Filesize
148KB

Download
memory/3900-18-0x00000000007D0000-0x00000000007F5000-memory.dmp

Filesize
148KB

Download