urelas | d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9.exe
Size

59KB
MD5

616ec0600eaa9455d84388d92418521d
SHA1

f59028b431bf73e26def5f9f0c0bf1e76a1a67a5
SHA256

d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9
SHA512

2da9ebf4082dc5dfe61e36500fa77e130019d239e8ef70a3c6dd9284ba37992ff3c16435b10ca2896c862342c15eefba0335d9fa6e0774aea4289207fcb6d735
SSDEEP

768:n5mhew0GpSyMe6hwUkdwJzh+qciaQRENEzxZbARtR06g2wqp4YPeznellmqGwxPS:nK0GjMeQG3iaQREuVZ6ro29p4YxbKdz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9.exe

Executes dropped EXE 1 IoCs

pid	Process
1684	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 1684	4572	d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9.exe	87
PID 4572 wrote to memory of 1684	4572	d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9.exe	87
PID 4572 wrote to memory of 1684	4572	d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9.exe	87
PID 4572 wrote to memory of 4396	4572	d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9.exe	88
PID 4572 wrote to memory of 4396	4572	d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9.exe	88
PID 4572 wrote to memory of 4396	4572	d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9.exe	88

C:\Users\Admin\AppData\Local\Temp\d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9.exe
"C:\Users\Admin\AppData\Local\Temp\d34dcdf6762faf103f21e43caa60eb7e45ba0ba9f83ed25a8fed4f4dbe3862e9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
59KB

MD5
48c86dab0fc250a7744a7d289a889368

SHA1
d85bd8a8a33f9ccc7da9b17d78a37dd98fe84547

SHA256
766b827742cdc57de2df13a1e8ee7af4cb2005fd22783d88460d8d4db0e4d704

SHA512
7aee1b8402eee1980aa466ef9c166f55a006b69fad0ff55c091e11ed802f523047005726341d5c2201a87416a5bbcff4f38ed758f4604475eecbe7234391b85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55e10a9af74d3f3fa5ae3cb7ff5ad9d4

SHA1
449221fd8d7196a54de2bd583625d8d1b64db56a

SHA256
a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1

SHA512
4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
4941e111aae67d4b118cde8791469535

SHA1
58f389ab82a48b533a3ec81c06cabc64e2501a03

SHA256
80b3e3f0aecdbf8f2dcb52ecd4b543c9d3a3b0544df4c423e9630a88a92c0208

SHA512
f2bf91e7fbb58fa2af06a9575dd940ecf02801486730254c995ffbe2fbdd16d4fee018681fd33f862f4410ee554dad0196aee3c7073f8431abf476856698057e

Download Submit
memory/1684-10-0x0000000000460000-0x0000000000495000-memory.dmp

Filesize
212KB

Download
memory/1684-18-0x0000000000460000-0x0000000000495000-memory.dmp

Filesize
212KB

Download
memory/1684-20-0x0000000000460000-0x0000000000495000-memory.dmp

Filesize
212KB

Download
memory/1684-26-0x0000000000460000-0x0000000000495000-memory.dmp

Filesize
212KB

Download
memory/4572-0-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/4572-15-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download