urelas | 7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a.exe
Size

57KB
MD5

5c4205c4269a2d1815595faf5e679d2c
SHA1

9661541dc524a86dae464f6a2cf88df2c0793795
SHA256

7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a
SHA512

f485370d75129eb8ced199c86826960570d62a75db0b6f731ba3cd6f05fff1b2e654fe4e56aec2c59e5a4754b7b271f2779e9623283db59e42ed87ed8b905a6c
SSDEEP

1536:amZ+4hcuX5uZ79jmvFQTXnz9yQ/PFBhl1L:amZ+luXwy2f9LDhDL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a.exe

Executes dropped EXE 1 IoCs

pid	Process
3740	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 3740	1572	7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a.exe	87
PID 1572 wrote to memory of 3740	1572	7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a.exe	87
PID 1572 wrote to memory of 3740	1572	7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a.exe	87
PID 1572 wrote to memory of 3772	1572	7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a.exe	90
PID 1572 wrote to memory of 3772	1572	7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a.exe	90
PID 1572 wrote to memory of 3772	1572	7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a.exe	90

C:\Users\Admin\AppData\Local\Temp\7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a.exe
"C:\Users\Admin\AppData\Local\Temp\7f26a966eb0432999e0de8f118dc2ba7ecd752dcb8da3eaa6b99d44158d6b17a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
57KB

MD5
ec4c4aa95c27884aeca5af0210cb3e53

SHA1
d199ba36264547c8d5d394734eb507039c52eedb

SHA256
4d38c31956a06ca87a0ab9bd3b97e15fe542967859e89fb879e151c9b705513e

SHA512
b177ff1dfe34c9e0e32cc3541fa52627021fb4c8a25e633fcda4aa753c0465a2e9c5a45ec9fe56bb14b119186b1a5cbdb4154bab1962869c9df0dad0f99de36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
26625b4ca7658f7ba4dc7d982782323c

SHA1
574aa314998c39e683675ccf457b0305341a4aaf

SHA256
c494e0ffeee72023dac244366c08072f677ba328ba805f9e480abc2824e99283

SHA512
5a9af4c6be10240dec0d33b37bc6f6836f1db5d0a2a9dd158d63848a8a97dad68e2d9217aca2b2d1cf122d9534aba0d23b247f6686c4ff934bd7035a927d9b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
3936560fcf80c4c7e00f1476931f14c3

SHA1
9f134c37a2b6a96f6c273dc2779e6f47a200c62c

SHA256
2902953a0e40ff32ab6380853fc4d8e139672715c9e0b5ce2a072564ffd902f5

SHA512
c6a03258c3ca5977cce3a932b6aacfb30c25da4416c331ca017694350da4c18493abf09eb137ea67aeebb709c14e1d68a5b64d33e6b504b14fd9581ad9622b71

Download Submit
memory/1572-0-0x0000000000D50000-0x0000000000D82000-memory.dmp

Filesize
200KB

Download
memory/1572-18-0x0000000000D50000-0x0000000000D82000-memory.dmp

Filesize
200KB

Download
memory/3740-13-0x0000000000840000-0x0000000000872000-memory.dmp

Filesize
200KB

Download
memory/3740-21-0x0000000000840000-0x0000000000872000-memory.dmp

Filesize
200KB

Download
memory/3740-23-0x0000000000840000-0x0000000000872000-memory.dmp

Filesize
200KB

Download
memory/3740-30-0x0000000000840000-0x0000000000872000-memory.dmp

Filesize
200KB

Download