Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/03/2024, 02:21

General

  • Target

    ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe

  • Size

    417KB

  • MD5

    5323d5a77f6ce194a9023df2dccd6d19

  • SHA1

    0a611ca0a52faedeca469c32d4e6d07365dcf373

  • SHA256

    ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb

  • SHA512

    523bfafe538e7bd8499cfed1a97963878e726e582b75180124cb18fb8678504fa1417ab746621ca83971c3f8860212ba294021a08bc2bb40de6ee4832dc23544

  • SSDEEP

    6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYqD:eU7M5ijWh0XOW4sEfeObD

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe
    "C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\qigiu.exe
      "C:\Users\Admin\AppData\Local\Temp\qigiu.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Users\Admin\AppData\Local\Temp\unkul.exe
        "C:\Users\Admin\AppData\Local\Temp\unkul.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:832
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2644
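
The process tree above shows the two behaviours the report flags as "Executes dropped EXE" and "Deletes itself": a Temp-resident executable launching further Temp-resident executables, and the original process handing a Temp .bat to cmd /c so the dropper is removed once the payload is running. The script below is an added example, not part of the sandbox report or of the Urelas family description, that turns those two observations into detection logic and runs it over constructed process-creation events. The events are built from the report's own process tree; the explorer.exe parent of the root process and the PIDs of the benign control events are assumptions, since the report does not show them.

```python
import re
from dataclasses import dataclass

# Paths under %LOCALAPPDATA%\Temp, where this sample and both dropped EXEs live.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Matches the form the report shows, cmd /c ""C:\...\_uinsey.bat" ": optional .exe and
# closing quote after cmd, /c, any run of quotes, then the .bat path up to the next quote.
CMD_BAT_RE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"*([^"]+\.bat)"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / Security 4688 style fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


def in_temp(path):
    return bool(TEMP_DIR_RE.search(path))


def classify(ev):
    """Return the behaviour tags a single event satisfies."""
    tags = []
    # Rule 1: an executable in Temp launching another executable in Temp
    # (the report's "Executes dropped EXE").
    if in_temp(ev.parent_image) and in_temp(ev.image) and ev.image.lower().endswith(".exe"):
        tags.append("executes_dropped_exe")
    # Rule 2: a Temp-resident process running cmd /c on a Temp .bat, the usual
    # self-removal step of a dropper (the report's "Deletes itself").
    if ev.image.lower().endswith("\\cmd.exe") and in_temp(ev.parent_image):
        m = CMD_BAT_RE.search(ev.cmdline)
        if m and in_temp(m.group(1)):
            tags.append("self_delete_via_temp_bat")
    return tags


def hunt(events):
    """Map pid -> tags for every event that triggered at least one rule."""
    hits = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            hits[ev.pid] = tags
    return hits


def ancestry(events, pid):
    """Walk parent links back to the root; returns image basenames, child first."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain


# Constructed sample events, built from the report's process tree. The explorer.exe
# parent (pid 1200) and the two benign control events are assumptions.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe"
QIGIU = TEMP + r"\qigiu.exe"
UNKUL = TEMP + r"\unkul.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    ProcEvent(2036, 1200, SAMPLE, f'"{SAMPLE}"', EXPLORER),
    ProcEvent(2992, 2036, QIGIU, f'"{QIGIU}"', SAMPLE),
    ProcEvent(832, 2992, UNKUL, f'"{UNKUL}"', QIGIU),
    ProcEvent(2644, 2036, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c ""' + TEMP + r'\_uinsey.bat" "', SAMPLE),
    ProcEvent(4100, 1200, r"C:\Windows\System32\notepad.exe", "notepad.exe", EXPLORER),
    ProcEvent(4120, 1200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\Admin\Documents\build.bat"', EXPLORER),
]

if __name__ == "__main__":
    for pid, tags in hunt(EVENTS).items():
        print(pid, tags, " <- ".join(ancestry(EVENTS, pid)))
```

Rule 2 deliberately requires both the parent and the .bat to sit in Temp; a user running a batch file from Documents out of Explorer (the last control event) does not trigger it. The path check is a substring match on the directory, so it also fires for nested Temp subdirectories.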

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

          Filesize

          340B

          MD5

          f0d4c528db1a5a3deab717cc3f4844a9

          SHA1

          3b46c4d928e3dce0afff3ea5ed8425af472b4995

          SHA256

          7a51e5f482fbe5350a629f76b31bdf3114f38fdce4f049920467feec74a12389

          SHA512

          68e238d9b7166e321cb722416b82121d9c0d3e3dbc8619b01f6a5b8edba52a058d33fe4cf649be4e22766259f7543806fd17049dc4753b7c08b2a2e07ef89b05

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          83b14cd481bad09a555912cfc128a031

          SHA1

          acd195b2fde79865810790f8979860c4c478ee1c

          SHA256

          42251923a6cffdde6d26dc66a4f3dc3f0d3de401fe74322927579dc67c42f28a

          SHA512

          af2053842f2c8dcf3f9f6f4da2c80a1346b0d4dbc00fdcca68067fb6dc6e7e62beaffb9c34a1789ecb5007ff152007cc019d32c4a919dda7b61003d06b05f9fb

        • \Users\Admin\AppData\Local\Temp\qigiu.exe

          Filesize

          417KB

          MD5

          e47a42f1dcab0a85d467e53f0307ba82

          SHA1

          f78548710301caeadc70da3c994e8028b3e5fb50

          SHA256

          b5ac6b7336547481d2e7067c403b8768550128c956adcb5a85ea0a2fdacd8698

          SHA512

          589bfb529c5ff9e3f61abe80d855d11a9b5e89453c8cef5f3d08340d1cee66770138464c4382ef371f8551d7dcc4f15cdba95472eef332d9570f984bd8a70ccd

        • \Users\Admin\AppData\Local\Temp\unkul.exe

          Filesize

          212KB

          MD5

          d75ad696fd114a013a2caa8f75596329

          SHA1

          eda724c207f338f062b1ee7866974462c3168744

          SHA256

          bbaa393592596c1ecba268a7c0589797710495829e63b7c5f5c0d6a62a2e3337

          SHA512

          9a6363a2d78989482ecdae0f63c3084b21c63d878ae6545af4226156c5953c74812af889d491865d68bb6a332f8921d2c8608abeb61f4e2ed46dc669fed0a32b

        • memory/832-35-0x0000000000240000-0x00000000002D4000-memory.dmp

          Filesize

          592KB

        • memory/832-38-0x0000000000240000-0x00000000002D4000-memory.dmp

          Filesize

          592KB

        • memory/832-41-0x0000000000240000-0x00000000002D4000-memory.dmp

          Filesize

          592KB

        • memory/832-40-0x0000000000240000-0x00000000002D4000-memory.dmp

          Filesize

          592KB

        • memory/832-39-0x0000000000240000-0x00000000002D4000-memory.dmp

          Filesize

          592KB

        • memory/832-31-0x0000000000240000-0x00000000002D4000-memory.dmp

          Filesize

          592KB

        • memory/832-37-0x0000000000240000-0x00000000002D4000-memory.dmp

          Filesize

          592KB

        • memory/832-34-0x0000000000240000-0x00000000002D4000-memory.dmp

          Filesize

          592KB

        • memory/2036-0-0x0000000000400000-0x0000000000465000-memory.dmp

          Filesize

          404KB

        • memory/2036-19-0x0000000000400000-0x0000000000465000-memory.dmp

          Filesize

          404KB

        • memory/2036-11-0x0000000002BC0000-0x0000000002C25000-memory.dmp

          Filesize

          404KB

        • memory/2992-32-0x00000000037C0000-0x0000000003854000-memory.dmp

          Filesize

          592KB

        • memory/2992-30-0x0000000000400000-0x0000000000465000-memory.dmp

          Filesize

          404KB

        • memory/2992-21-0x0000000000400000-0x0000000000465000-memory.dmp

          Filesize

          404KB
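
The memory dump names in the list above encode the process, a capture index and the region bounds, and the reported Filesize is simply end minus start. The parser below is an added example, not part of the report, that decodes those names, collapses the repeated captures of the same region (PID 832's eight dumps are one 592KB region captured repeatedly) and lists regions of equal size that appear in different processes: the 592KB region at 0x37C0000 in qigiu.exe (PID 2992) is the same size as unkul.exe's image region in PID 832, and both 2036 and 2992 hold a 404KB image at 0x400000. The meaning of the middle number as a capture sequence index is an assumption; the report does not define it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp ; <n> is assumed to be the
# capture sequence index (the report does not say what it is).
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start

    @property
    def size_kib(self):
        # The report rounds to whole KB; 0x94000 bytes is exactly 592 KiB.
        return self.size // 1024


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    pid, seq, start, end = m.groups()
    region = Region(int(pid), int(seq), int(start, 16), int(end, 16))
    if region.end <= region.start:
        raise ValueError(f"end <= start in {name!r}")
    return region


def distinct_regions(names):
    """pid -> sorted list of distinct (start, end) pairs, collapsing repeated captures."""
    out = defaultdict(set)
    for n in names:
        r = parse_dump_name(n)
        out[r.pid].add((r.start, r.end))
    return {pid: sorted(v) for pid, v in out.items()}


def size_matches(names):
    """Region sizes that occur in more than one process, mapped to those pids."""
    by_size = defaultdict(set)
    for n in names:
        r = parse_dump_name(n)
        by_size[r.size].add(r.pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def check_filesize(name, reported_kib):
    """True if the report's Filesize agrees with the bounds in the dump name."""
    return parse_dump_name(name).size_kib == reported_kib


# The dump names as listed in the report.
DUMPS = [
    "memory/832-35-0x0000000000240000-0x00000000002D4000-memory.dmp",
    "memory/832-38-0x0000000000240000-0x00000000002D4000-memory.dmp",
    "memory/832-41-0x0000000000240000-0x00000000002D4000-memory.dmp",
    "memory/832-40-0x0000000000240000-0x00000000002D4000-memory.dmp",
    "memory/832-39-0x0000000000240000-0x00000000002D4000-memory.dmp",
    "memory/832-31-0x0000000000240000-0x00000000002D4000-memory.dmp",
    "memory/832-37-0x0000000000240000-0x00000000002D4000-memory.dmp",
    "memory/832-34-0x0000000000240000-0x00000000002D4000-memory.dmp",
    "memory/2036-0-0x0000000000400000-0x0000000000465000-memory.dmp",
    "memory/2036-19-0x0000000000400000-0x0000000000465000-memory.dmp",
    "memory/2036-11-0x0000000002BC0000-0x0000000002C25000-memory.dmp",
    "memory/2992-32-0x00000000037C0000-0x0000000003854000-memory.dmp",
    "memory/2992-30-0x0000000000400000-0x0000000000465000-memory.dmp",
    "memory/2992-21-0x0000000000400000-0x0000000000465000-memory.dmp",
]

if __name__ == "__main__":
    for pid, regions in sorted(distinct_regions(DUMPS).items()):
        print(pid, [(hex(s), hex(e), (e - s) // 1024) for s, e in regions])
    for size, pids in size_matches(DUMPS).items():
        print(f"{size // 1024} KB region in pids {pids}")
```

Running it reduces fourteen dump entries to five distinct regions. The 404KB regions at 0x400000 are the mapped images of the two 417KB executables; the 404KB region at 0x2BC0000 in PID 2036 and the 592KB region at 0x37C0000 in PID 2992 are non-image allocations of exactly the size of the executable each process subsequently launched, which is where to look first when carving the dropped payloads from the dumps.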