urelas | c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f.exe
Size

68KB
MD5

6dfe25a15012dbd95fbc45ec80f7b975
SHA1

92f370c5832610a2de6028af204c1b65ca14efee
SHA256

c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f
SHA512

a5acdf162d7a3d0dba545cb44d701e551bc4f9f8530b924b85b55882cff58136e9cbe48899236a04bb177dc0bfbaa8f7bb87b7e40af458f7ea00a25288202ed4
SSDEEP

1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCarH:yLAYUzmdD0sMQl7d7IuhCaD

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f.exe

Executes dropped EXE 1 IoCs

pid	Process
3376	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 3376	4048	c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f.exe	84
PID 4048 wrote to memory of 3376	4048	c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f.exe	84
PID 4048 wrote to memory of 3376	4048	c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f.exe	84
PID 4048 wrote to memory of 2388	4048	c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f.exe	85
PID 4048 wrote to memory of 2388	4048	c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f.exe	85
PID 4048 wrote to memory of 2388	4048	c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f.exe	85

C:\Users\Admin\AppData\Local\Temp\c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f.exe
"C:\Users\Admin\AppData\Local\Temp\c54bde19a8f05f8f5a4914f30df8c1f6bf9e3d6ca01804ad3a52ac02ca69160f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
68KB

MD5
5cdba400f242c849aa4ef70cc5ca3280

SHA1
6418c7caf2db031ad1abfe189f831d46dbc0398d

SHA256
c781fe9588fa6f1981431e630249509fef2c272fe5c90e00612845fa9e5ffe43

SHA512
dce9f81fa11928c00172259550d1f3e70168001ad98016fbbf086262d2ee85812a955f4e1329a40b55e6657457b50cb04a2a62eba4dd1c6f499c0929b171efd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1c9b2720af0ca9528b47898d9c7f4799

SHA1
80495f16e333f54ecc700252323c2a7cb7d751e1

SHA256
d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

SHA512
5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
128fa6d186dfe4aee9754c9e5c98ae3e

SHA1
4d73daced277eb4ccfb7d7791ac877acec111af2

SHA256
994abfcee0493355ce8bc9508ea00df8d41c56453cbc41dca6025f88e995a34c

SHA512
03f9b22e9f95e5ad9483019276b8c0e94e0cb03d98ca4afa0e1a2065c767aae340dede88078378b752eb521b48b6ad8dc1305b969e7d45324b3af88dd98b0f4c

Download Submit
memory/3376-12-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/3376-21-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/3376-23-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/3376-29-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/4048-0-0x0000000000BD0000-0x0000000000BF7000-memory.dmp

Filesize
156KB

Download
memory/4048-18-0x0000000000BD0000-0x0000000000BF7000-memory.dmp

Filesize
156KB

Download