urelas | 200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42N.exe
Size

59KB
MD5

70cd4a5c55eba9390954b36f80804930
SHA1

aed798f1974309adccb7a022d5614a835977ee86
SHA256

200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42
SHA512

ed22cdb09c3e1a6bbd118345fd8d34e0dbe27435b26d74ca16fce6018c8081cd4e73155de0801747caccf17fced8f065ff96cb52cc0819676aeb042911ce8620
SSDEEP

768:jb4zb59Yix/RoyH+5flZirYqc97vFvrpaZG3DHvTdA9GgnOuS5Z3WXcKIZx5uDt:jbQx5oPsr2vFxDPhAvzgdWLIZ7yt

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42N.exe

Executes dropped EXE 1 IoCs

pid	Process
316	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 316	2112	200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42N.exe	85
PID 2112 wrote to memory of 316	2112	200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42N.exe	85
PID 2112 wrote to memory of 316	2112	200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42N.exe	85
PID 2112 wrote to memory of 4504	2112	200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42N.exe	86
PID 2112 wrote to memory of 4504	2112	200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42N.exe	86
PID 2112 wrote to memory of 4504	2112	200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42N.exe	86

C:\Users\Admin\AppData\Local\Temp\200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42N.exe
"C:\Users\Admin\AppData\Local\Temp\200e33e4c1a9b371c66ddbb036b92279e3ed2f65e81752c9b4e29a471c16bb42N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
59KB

MD5
da5aba779f047382689dc891c4d52a85

SHA1
1fb01152c2ee6e9e77388be0f62b813ea6e92d91

SHA256
951fcf9f5a400df5647debe4336dc96eaceb00a05ea957d37b2c12f733d27195

SHA512
1bf0201274df3d3054fa029150df1e4535d07c70bfc33e7529c9c7b7b1fc6d8182e92ae750447addb2c2d4be270909c8a9911ba9e828b512896b3aadaf5e48a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f02bf69ff6351970bce3b50742a769ed

SHA1
577db2279b6489628583d770f441f3316ff2a560

SHA256
df6e69fc42308fb3e8b6ec778c1ba6afa4ec11d0414c86299df8b573a51f13c0

SHA512
42a7fc0af80713ece991b51ce908444414162de5cb704d1e538794db7fca217fe3d9bfde19d7661f62ccd1d8ec3de362675094f364daf48624ace9e9e2239979

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
42d416e7544b1cdd5fcd0ca88f92a145

SHA1
5e4998fa5e373840fdd6b60cd6311261f576a06f

SHA256
1453a9eb20c048bab5c27c3c86623052825243ff7ea90cd35a87ee637a9f23f8

SHA512
1c4c884ecf2c40b69c54f0fc78b7b68b4c098e7f7e8f973101a2bd0e631f3f81fcc846cf47ea96e9541baa2ceae87b6df5471afb498e524bfcf7e1a15b03bcdd

Download Submit
memory/316-10-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/316-18-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/316-20-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/316-26-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/2112-0-0x0000000000B60000-0x0000000000B85000-memory.dmp

Filesize
148KB

Download
memory/2112-15-0x0000000000B60000-0x0000000000B85000-memory.dmp

Filesize
148KB

Download