urelas | 419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 00:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de.exe
Size

141KB
MD5

c305d4ae239732b32d3abb574dbdc908
SHA1

d7b01f5963df1f64d9ab497ab26da9ceced170dd
SHA256

419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de
SHA512

4e529416c2a417725dfaa99410027685ddf22f02d319dc6b1da960eb130e3fa79c118a3e85b18d5ac319c1116b5dadc8de79d244683a6067b1d6171a862d2a35
SSDEEP

1536:P/oEkqfCZ10zcT9Yh8AIXcjyz9cOXfiXGImcatMrsWjcdf6odgR5APfIQ:P/5kqCxiXEcO3XfGf2tMUf6odgR5A4Q

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de.exe

Executes dropped EXE 1 IoCs

pid	Process
3280	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 3280	4876	419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de.exe	82
PID 4876 wrote to memory of 3280	4876	419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de.exe	82
PID 4876 wrote to memory of 3280	4876	419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de.exe	82
PID 4876 wrote to memory of 2956	4876	419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de.exe	83
PID 4876 wrote to memory of 2956	4876	419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de.exe	83
PID 4876 wrote to memory of 2956	4876	419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de.exe	83

C:\Users\Admin\AppData\Local\Temp\419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de.exe
"C:\Users\Admin\AppData\Local\Temp\419ee4c3985eb7c218985ea45f130bd6c8a7193ec0885f107cd2ccfe060365de.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
141KB

MD5
1b0c12ca4be6214bd8ddfd357feda853

SHA1
a24784bd98a5388ef5b5d38825daa90bf8271fc7

SHA256
1b2702253f0513df3ae2c1b283904c6026a2301cdc22030823ed84fd122c4cdf

SHA512
c838a013a5305398b63b8d59cf2ded8c65f846babf47dcff74ef71c5d8e37d6a709aa489be1601304e9c1675dc93b53872d871bcb8e15d53322ade6f282bb519

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0ecda9ecaa423d5a8481985b7d3d5a77

SHA1
ecc237c20c234cf9c0e20b39a39ab27244dc7971

SHA256
caed69520592602de846673610507a47e22e0fb108e8e88ba1a85b314607f0a9

SHA512
82ce4bfc411781d187b6151383064f18e22b37f5f03d783476fed1c8ba74ee38dc74b16badf96961e22d6b63ae31425ae785c17fa3bd5d767ae3b0bd9652fe3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
c1185ccde71c0f0be17d4db5b75e0cc3

SHA1
9067d6f5060a68bb43cc1f3a360f599045be8e9c

SHA256
5aa0b817051a0de5df4c382c62738be0fbf2ba9c44785a82d7bfbb505fba276b

SHA512
d67ce6b0d77dd95c7115ea65e3280de74753217fe34b98d686185e8bc3cbb3e55ce49aac64cf70f8ec9d339fe08cfe9423ed1a1d17c85cd8df1750fd3157a3f9

Download Submit
memory/3280-15-0x00000000009F0000-0x0000000000A17000-memory.dmp

Filesize
156KB

Download
memory/3280-20-0x00000000009F0000-0x0000000000A17000-memory.dmp

Filesize
156KB

Download
memory/3280-21-0x00000000009F0000-0x0000000000A17000-memory.dmp

Filesize
156KB

Download
memory/4876-0-0x00000000001E0000-0x0000000000207000-memory.dmp

Filesize
156KB

Download
memory/4876-17-0x00000000001E0000-0x0000000000207000-memory.dmp

Filesize
156KB

Download