urelas | 744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452ab

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 23:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452abN.exe
Size

57KB
MD5

0101aa591c2e0158864b6dfde334cb50
SHA1

45167c228ad1264d5aab3f4f4a58f05503f503fd
SHA256

744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452ab
SHA512

30a91cfca1228995ab89b2ba51e8faf8978e6b63fe39f067149fe2c752081eb502f97630b3211a96d972cea0fa5e1c01b9f5408da99dc9a8467702d0e4b1dae8
SSDEEP

1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS8o:MOemdTd1o74qlmbbJ+x+Ik+

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452abN.exe

Executes dropped EXE 1 IoCs

pid	Process
3716	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 3716	1456	744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452abN.exe	83
PID 1456 wrote to memory of 3716	1456	744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452abN.exe	83
PID 1456 wrote to memory of 3716	1456	744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452abN.exe	83
PID 1456 wrote to memory of 4576	1456	744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452abN.exe	84
PID 1456 wrote to memory of 4576	1456	744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452abN.exe	84
PID 1456 wrote to memory of 4576	1456	744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452abN.exe	84

C:\Users\Admin\AppData\Local\Temp\744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452abN.exe
"C:\Users\Admin\AppData\Local\Temp\744c7dca2af0f3454c52b669750f9411ec1dc3cf6692afe45276f4d720c452abN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
57KB

MD5
5e7fcf37c630fc606c63ce18b87f61a9

SHA1
4a7cb0e5398a478c6ed0e97a7e02553c906ccfe8

SHA256
342f014ad74f0fde1214071dc0f57e2272778fe909035da2691895d0565a2ab6

SHA512
7e1e476a0d05c35ba002c0439fa61f1493d7b7240510869f196a86c21ced75d819b6da24870e0b49cd9590bdb9e63ec2c2cd2279e54e94f9b19674986b2d3860

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7cdc8777d33db85bc19aefb64879a7f7

SHA1
f2d494d4dfe93a05eb58513935196e8578648adf

SHA256
9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336

SHA512
34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
fb0485db7dc4aaa615a6b42b086b64cf

SHA1
5b852e121c6c606b16793db3d7588deeb8885a76

SHA256
4255f3e9756e39c63c69f79756839811c144579452bb3246fe5b61df535730d6

SHA512
35aa3aaa2f9e7a5d762653f35455b0df074bb9ea83e0507a9998e058d3dc1927d39e48790fea69bafea8a27d85f7755280998c5f22cbf46668e35b91f675c28b

Download Submit
memory/1456-0-0x0000000000B20000-0x0000000000B46000-memory.dmp

Filesize
152KB

Download
memory/1456-15-0x0000000000B20000-0x0000000000B46000-memory.dmp

Filesize
152KB

Download
memory/3716-10-0x0000000000470000-0x0000000000496000-memory.dmp

Filesize
152KB

Download
memory/3716-18-0x0000000000470000-0x0000000000496000-memory.dmp

Filesize
152KB

Download
memory/3716-20-0x0000000000470000-0x0000000000496000-memory.dmp

Filesize
152KB

Download
memory/3716-27-0x0000000000470000-0x0000000000496000-memory.dmp

Filesize
152KB

Download