urelas | 70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181f

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181fN.exe
Size

141KB
MD5

ab8d41e8e3e63a68daa652ac6eba70e0
SHA1

931a9f6e214e62b774707afaf29c05429a1f6fce
SHA256

70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181f
SHA512

750bef7183b003d8e61e0e147bb9fea8db7b984e8105dde0b09e3e94eb5b864d39c733728da0b0dba5da0feeeb161126148edc19d9b2ca28c9665e075284fccb
SSDEEP

1536:P/oEkqfCZ10zcT9Yh8AIXcjyz9cOXfiXGImcatMrsWjcdf6odgR5APfIQ:P/5kqCxiXEcO3XfGf2tMUf6odgR5A4Q

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181fN.exe

Executes dropped EXE 1 IoCs

pid	Process
3660	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 3660	2948	70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181fN.exe	84
PID 2948 wrote to memory of 3660	2948	70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181fN.exe	84
PID 2948 wrote to memory of 3660	2948	70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181fN.exe	84
PID 2948 wrote to memory of 3432	2948	70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181fN.exe	85
PID 2948 wrote to memory of 3432	2948	70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181fN.exe	85
PID 2948 wrote to memory of 3432	2948	70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181fN.exe	85

C:\Users\Admin\AppData\Local\Temp\70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181fN.exe
"C:\Users\Admin\AppData\Local\Temp\70bb5d2d8911581197f8b5f790797cc820b3734d6a1cfaa1a4050bb0ecf5181fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
141KB

MD5
71a0c4698b30b9f059081d70ab0d510a

SHA1
01fae9396236bafa336ef519d078584f19263854

SHA256
f9bb2dd05018dd03040d2c8a504d0bacbe1232eaa6996b59885611b82ca98ab2

SHA512
0ba0964823d288afbc68baed8682f73020a60a6e46d68b321493667dcbafed19a87f39f418654ae49cb602aaffd735b2e198ab97e8e40dfbc403209a47fa2996

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0ecda9ecaa423d5a8481985b7d3d5a77

SHA1
ecc237c20c234cf9c0e20b39a39ab27244dc7971

SHA256
caed69520592602de846673610507a47e22e0fb108e8e88ba1a85b314607f0a9

SHA512
82ce4bfc411781d187b6151383064f18e22b37f5f03d783476fed1c8ba74ee38dc74b16badf96961e22d6b63ae31425ae785c17fa3bd5d767ae3b0bd9652fe3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
4c59cc0023e519772a1b50d14818b97e

SHA1
332a27f50551f9042d3c5022148a82b3acd91274

SHA256
89fff26ba7e63838156518bf0065b0fb763bdfd4c55c497ea79582cb01c60600

SHA512
c1c495b1d13693f38d81472bec073a44324609595d9f3949f8ba91ac23ca8d923aa3514bc71527ee0e4a983b3da08c0c5026966a0fe167d84e81d810089ea875

Download Submit
memory/2948-0-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/2948-17-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/3660-13-0x00000000006A0000-0x00000000006C7000-memory.dmp

Filesize
156KB

Download
memory/3660-20-0x00000000006A0000-0x00000000006C7000-memory.dmp

Filesize
156KB

Download
memory/3660-21-0x00000000006A0000-0x00000000006C7000-memory.dmp

Filesize
156KB

Download