urelas | ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855N.exe
Size

68KB
MD5

facad75e1380f7fc64a615c1ebdd81b0
SHA1

0f352ecd5f26961f4328671fcfbef6e657351ca1
SHA256

ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855
SHA512

90456a3d891a22c844d6775a541890e4179a28008d9522f88b4443f5d3f282709fee557b465b0182f3d93e5e129f428816fa64d5c06c34d1bc613aa0e0c575db
SSDEEP

1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCare9:yLAYUzmdD0sMQl7d7IuhCai9

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855N.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 2420	4988	ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855N.exe	84
PID 4988 wrote to memory of 2420	4988	ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855N.exe	84
PID 4988 wrote to memory of 2420	4988	ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855N.exe	84
PID 4988 wrote to memory of 4608	4988	ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855N.exe	85
PID 4988 wrote to memory of 4608	4988	ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855N.exe	85
PID 4988 wrote to memory of 4608	4988	ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855N.exe	85

C:\Users\Admin\AppData\Local\Temp\ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855N.exe
"C:\Users\Admin\AppData\Local\Temp\ad8b452c8ba4ae695e8ffd18f460ab8204bffb082cbed03479c39b0affabc855N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
68KB

MD5
5fc31b02baf23a170dab4faee00e5d9d

SHA1
39d31fa7547b0127fa50e6d777fcf60d17b121f9

SHA256
f62600103fc21ebeb4a2bfb67271c648b0a3ba4a4ebcd5e82a9330dee2543866

SHA512
d8fdca6786653df7536d5ae0f956f823bc1fb1490776c1642ce5c734de0a5cd6846dc4d9661fd576f1ce1b18e50d426a2316390646b141ec32b88a9620de3dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1c9b2720af0ca9528b47898d9c7f4799

SHA1
80495f16e333f54ecc700252323c2a7cb7d751e1

SHA256
d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

SHA512
5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
46c4e0fc747577949345ae92efb6eb4c

SHA1
26a9ba9009d4389eb6688e365a80864ea1055f0b

SHA256
ccbb1e0c857caa2ebfd4e9f374541cbebb0f8f290546e234a83097252fd77a1d

SHA512
08c3f2c62ea277c7e8b9a21af8e20519994e872453062058e84d3d331f116b183a71719e3f5938b4152ef66b8607883ac209e13d7a5bc648d79b8fdca71e0991

Download Submit
memory/2420-14-0x0000000000620000-0x0000000000647000-memory.dmp

Filesize
156KB

Download
memory/2420-20-0x0000000000620000-0x0000000000647000-memory.dmp

Filesize
156KB

Download
memory/2420-22-0x0000000000620000-0x0000000000647000-memory.dmp

Filesize
156KB

Download
memory/2420-28-0x0000000000620000-0x0000000000647000-memory.dmp

Filesize
156KB

Download
memory/4988-0-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/4988-17-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download