urelas | 59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe
Size

60KB
MD5

4da3a323043dd78c587899c1facff863
SHA1

1adc2362a27a6d6ebd4f607d8afa557f7428d8ec
SHA256

59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d
SHA512

fa314aff1bd710cccb47f125b5f3bceb6ec4f137e3b5fea5fd3866366413632de736049c52c1fad03ac995b0463f0a9e14214dae29c247d0ff39777c6c072918
SSDEEP

768:n5mhew0GpSyMe6hwUkdwJzh+qciaQRENEzxZbARtR06g2wqp4YPeznellmqGwxPr:nK0GjMeQG3iaQREuVZ6ro29p4YxbKdM

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe

Executes dropped EXE 1 IoCs

pid	Process
1372	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 1372	3932	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	83
PID 3932 wrote to memory of 1372	3932	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	83
PID 3932 wrote to memory of 1372	3932	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	83
PID 3932 wrote to memory of 3800	3932	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	84
PID 3932 wrote to memory of 3800	3932	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	84
PID 3932 wrote to memory of 3800	3932	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	84

C:\Users\Admin\AppData\Local\Temp\59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe
"C:\Users\Admin\AppData\Local\Temp\59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
60KB

MD5
3a7498d3612d424544c5c59c1da7dfce

SHA1
a06e592445343149305841fca023bd70060b8b86

SHA256
8c293f9157fdf2a1a939fef976d9775b969377b8e0331d043ca8a7fc4be1f725

SHA512
939581cb7032a6d68d8acb933c5aa8d29bc40b32144e4b57809ec2d4f914f6ab76e58c38d30aeed523419af039a2a27ecd2d16516c80b292d1d4e1b55b67cb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55e10a9af74d3f3fa5ae3cb7ff5ad9d4

SHA1
449221fd8d7196a54de2bd583625d8d1b64db56a

SHA256
a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1

SHA512
4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
9077f9869275ddb205e1e83d58d8ccab

SHA1
d1679fd87486e865c6e0219d60045cba2ceb38d0

SHA256
d40f02bb7bf5c7215a59a75bbfe3c30cffdd1e884b6cdacd85e543ece79e4eea

SHA512
87a74e72809bf805c399de5925aa6b9c6922898450ff5d04e3d24bb2799e909e783cb1aa2f0afa611d54eef5366478cf3ee6f98edb1d56a08a2ea1dd8f3f47e4

Download Submit
memory/1372-10-0x0000000000D10000-0x0000000000D45000-memory.dmp

Filesize
212KB

Download
memory/1372-18-0x0000000000D10000-0x0000000000D45000-memory.dmp

Filesize
212KB

Download
memory/1372-20-0x0000000000D10000-0x0000000000D45000-memory.dmp

Filesize
212KB

Download
memory/1372-26-0x0000000000D10000-0x0000000000D45000-memory.dmp

Filesize
212KB

Download
memory/3932-0-0x0000000000F90000-0x0000000000FC5000-memory.dmp

Filesize
212KB

Download
memory/3932-15-0x0000000000F90000-0x0000000000FC5000-memory.dmp

Filesize
212KB

Download