urelas | e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b

Analysis

max time kernel
92s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/11/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe
Size

57KB
MD5

925597f9fefce73dd4bbd37750f223f0
SHA1

29d996364960f85edc3924fe6a370e04af6b2ea0
SHA256

e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b
SHA512

7e3e1807ea2aca5f662d78c36a7dfa969be3708bc14c2a4532d0bc6f61de3f1014112c29f62939c58a57dbb046bc252ecc4d8c1ce0e3f55bb13f57b2ae88535f
SSDEEP

1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS8N/U:MOemdTd1o74qlmbbJ+x+Ik3U

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe

Executes dropped EXE 1 IoCs

pid	Process
1132	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 1132	4316	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	84
PID 4316 wrote to memory of 1132	4316	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	84
PID 4316 wrote to memory of 1132	4316	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	84
PID 4316 wrote to memory of 116	4316	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	85
PID 4316 wrote to memory of 116	4316	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	85
PID 4316 wrote to memory of 116	4316	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	85

C:\Users\Admin\AppData\Local\Temp\e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe
"C:\Users\Admin\AppData\Local\Temp\e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
57KB

MD5
17717fee092903096e4b52316127d17e

SHA1
fe60de97f92472bd6d376eed98979cb39f6f0dee

SHA256
5a5bdaf985cd171c42221fcaaecf48b1bf6266e4e7141b4f4150a32e01d0cebb

SHA512
cf193efda69411bab9c01a32f6e91efb399e094eb78659b4885ce7a375564f13981da9e522e1b6765c38015ade976eaedb5da4039ec879f3231d1e6a59150dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7cdc8777d33db85bc19aefb64879a7f7

SHA1
f2d494d4dfe93a05eb58513935196e8578648adf

SHA256
9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336

SHA512
34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
9fa71dfe7f6ca6af48f2103ae73a6a2f

SHA1
ca298bfe5ae31932fb7a2c7fac91f3e1cf70bbda

SHA256
2d50874845add853f504652a17739285762ace1ddcf6b11bb6cac6478148e3e0

SHA512
dcaf82db44233d8559bc07b3501eb3495a8a391695a689a9ea41e955e02954321db3ef9825a98f1f280d7073a43bc0b892a0556ca7de4ee5c8f9f2d18615a8f6

Download Submit
memory/1132-10-0x00000000003F0000-0x0000000000416000-memory.dmp

Filesize
152KB

Download
memory/1132-18-0x00000000003F0000-0x0000000000416000-memory.dmp

Filesize
152KB

Download
memory/1132-20-0x00000000003F0000-0x0000000000416000-memory.dmp

Filesize
152KB

Download
memory/1132-26-0x00000000003F0000-0x0000000000416000-memory.dmp

Filesize
152KB

Download
memory/4316-0-0x0000000000DB0000-0x0000000000DD6000-memory.dmp

Filesize
152KB

Download
memory/4316-15-0x0000000000DB0000-0x0000000000DD6000-memory.dmp

Filesize
152KB

Download