urelas | b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e

Analysis

max time kernel
95s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e.exe
Size

67KB
MD5

50c120558fb0abc6c421072bdd0f0032
SHA1

8ff8418beb040c5c9f66202abea3b7a339ae4f7a
SHA256

b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e
SHA512

6f03f6c3dba2c4c6e23e97dd345d0b764cd31b41eb34e35db786718a233528b5903b3e817641de80dc9b5c61fac454d8a525904ce95da5499e68c6d3750c1809
SSDEEP

1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCarU:yLAYUzmdD0sMQl7d7IuhCag

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e.exe

Executes dropped EXE 1 IoCs

pid	Process
4972	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 4972	1644	b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e.exe	87
PID 1644 wrote to memory of 4972	1644	b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e.exe	87
PID 1644 wrote to memory of 4972	1644	b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e.exe	87
PID 1644 wrote to memory of 3132	1644	b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e.exe	88
PID 1644 wrote to memory of 3132	1644	b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e.exe	88
PID 1644 wrote to memory of 3132	1644	b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e.exe	88

C:\Users\Admin\AppData\Local\Temp\b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e.exe
"C:\Users\Admin\AppData\Local\Temp\b17de79fe99a08b69e342af556f9169eb04933003fb9fce745bf63ae01c9157e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
67KB

MD5
7efffe2daeed172a8cfb977fba28d4cc

SHA1
8b7b63506b5996b94d36f90f0e8021b79d28b03e

SHA256
856b133c24428191b4dd990bc129a41ae33bd2b268abc985d27feec156b690d4

SHA512
bd4af66aa5a1a8cf3cf06115932311f61d81b3d7a2632198425ac99ed3255d85b03ae472f0bff1875ae367ae4fa58eed5ea5a8bf5d1a7158251815eccf9d65c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1c9b2720af0ca9528b47898d9c7f4799

SHA1
80495f16e333f54ecc700252323c2a7cb7d751e1

SHA256
d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

SHA512
5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
9ad71aedcbac6e3589e904b7845ba34d

SHA1
cd56885a4679e6eef2f5a78dfe9b9ed39f5dd625

SHA256
6cdf3504e1cdadee4813c85ec1a09785e5f0f97de0f61f3a2f6ea2aafca38674

SHA512
b7e7ca586af49d814e196683e917478cb03ba2b1a86f90f9ca641cf42e1996914242fff07ac15cffdb13842e482b5c9111f0780aa91b74d8b232e134ae8fa7ab

Download Submit
memory/1644-0-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1644-18-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/4972-15-0x0000000000FB0000-0x0000000000FD7000-memory.dmp

Filesize
156KB

Download
memory/4972-21-0x0000000000FB0000-0x0000000000FD7000-memory.dmp

Filesize
156KB

Download
memory/4972-23-0x0000000000FB0000-0x0000000000FD7000-memory.dmp

Filesize
156KB

Download
memory/4972-29-0x0000000000FB0000-0x0000000000FD7000-memory.dmp

Filesize
156KB

Download