Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/03/2024, 21:33

General

  • Target

    5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe

  • Size

    466KB

  • MD5

    78fc62e55e06943e83f4f22eede88966

  • SHA1

    0004be510b718d9f8e1d59cccde7b92696380775

  • SHA256

    5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd

  • SHA512

    e910115a511162739a8dfef794371aef551486c63dced8310a293c5d653bfaf2a84156a4a2fe46c1b2785975b7990dcb7852ad7aa488e946bd66a6b16d270ca0

  • SSDEEP

    6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhVOpdFRdmi:LMpASIcWYx2U6hAJVs

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe
    "C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\izcej.exe
      "C:\Users\Admin\AppData\Local\Temp\izcej.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Users\Admin\AppData\Local\Temp\vukunu.exe
        "C:\Users\Admin\AppData\Local\Temp\vukunu.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4616
        • C:\Users\Admin\AppData\Local\Temp\fipys.exe
          "C:\Users\Admin\AppData\Local\Temp\fipys.exe"
          4⤵
          • Executes dropped EXE
          PID:4732
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 216
            5⤵
            • Program crash
            PID:396
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          PID:1628
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      PID:1620
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4732 -ip 4732
    1⤵
    PID:4844
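
The Processes list above is a flat list with depth markers (1⤵ to 5⤵), so the parent of each row has to be recovered from the ordering. The Python below is an added editor's example, not code from the sandbox or from the sample: it rebuilds the parent/child tree from those markers, extracts the drop-and-execute chain (submitted sample to izcej.exe to vukunu.exe to fipys.exe), maps each WerFault.exe invocation back to the process it was reporting on via its -p argument, and pulls the one-token arguments the dropped executables were launched with. The process rows are constructed inline from the list above; the tag shorthand (geo, wpm, dropped, crash), the regex and the function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    depth: int
    pid: int
    image: str
    cmdline: str
    tags: frozenset
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)


TMP = r"C:\Users\Admin\AppData\Local\Temp"
TARGET = TMP + r"\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe"
IZCEJ, VUKUNU, FIPYS, BAT = (TMP + s for s in (r"\izcej.exe", r"\vukunu.exe", r"\fipys.exe", r"\_vslite.bat"))
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
CMD_BAT = r'C:\Windows\system32\cmd.exe /c ""' + BAT + r'" "'

# Constructed from the Processes list in the report: (depth marker, PID, image,
# command line, signature tags). The tag names are this example's shorthand.
REPORT_PROCESSES = [
    (1, 3012, TARGET,   '"%s"' % TARGET,    {"geo", "wpm"}),
    (2, 3988, IZCEJ,    '"%s" hi' % IZCEJ,  {"geo", "dropped", "wpm"}),
    (3, 4616, VUKUNU,   '"%s" OK' % VUKUNU, {"geo", "dropped", "wpm"}),
    (4, 4732, FIPYS,    '"%s"' % FIPYS,     {"dropped"}),
    (5, 396,  WERFAULT, WERFAULT + " -u -p 4732 -s 216", {"crash"}),
    (4, 1628, CMD,      CMD_BAT,            set()),
    (2, 1620, CMD,      CMD_BAT,            set()),
    (1, 4844, WERFAULT, WERFAULT + " -pss -s 436 -p 4732 -ip 4732", set()),
]


def build_tree(rows):
    """Attach each row to the nearest preceding row one level shallower
    (the sandbox prints children directly after their parent, depth-first)."""
    procs, by_pid, last_at_depth = [], {}, {}
    for depth, pid, image, cmdline, tags in rows:
        p = Proc(depth, pid, image, cmdline, frozenset(tags))
        parent = last_at_depth.get(depth - 1)
        if parent is not None:
            p.parent = parent
            parent.children.append(p)
        # a row at depth d closes every deeper subtree printed before it
        for d in [d for d in last_at_depth if d > depth]:
            del last_at_depth[d]
        last_at_depth[depth] = p
        procs.append(p)
        by_pid[pid] = p
    return procs, by_pid


def basename(path):
    return path.rsplit("\\", 1)[-1]


def lineage(p):
    """PIDs from the tree root down to p."""
    out = []
    while p is not None:
        out.append(p.pid)
        p = p.parent
    return out[::-1]


def drop_and_execute_chain(procs):
    """Longest root-to-node path in which every hop below the root is a
    dropped EXE: the chain a detection rule should key on (image basenames)."""
    best = []
    for p in procs:
        path, q = [], p
        while q is not None and (q.parent is None or "dropped" in q.tags):
            path.append(q)
            q = q.parent
        if q is None and len(path) > len(best):   # walked cleanly up to the root
            best = path[::-1]
    return [basename(x.image) for x in best]


WER_VICTIM = re.compile(r"(?:^|\s)-p\s+(\d+)")   # WerFault's -p <pid>, not -pss/-ip


def crashed_processes(procs, by_pid):
    """Map each WerFault.exe invocation back to the PID it was reporting on."""
    victims = {}
    for p in procs:
        if basename(p.image).lower() != "werfault.exe":
            continue
        m = WER_VICTIM.search(p.cmdline)
        if m and int(m.group(1)) in by_pid:
            victims.setdefault(int(m.group(1)), []).append(p.pid)
    return victims


def dropped_exe_arguments(procs):
    """Argument string each dropped EXE was launched with ('' when none)."""
    out = {}
    for p in procs:
        if "dropped" in p.tags:
            quoted = '"%s"' % p.image
            args = p.cmdline[len(quoted):].strip() if p.cmdline.startswith(quoted) else p.cmdline
            out[basename(p.image)] = args
    return out


def triage(rows):
    procs, by_pid = build_tree(rows)
    return {
        "drop_chain": drop_and_execute_chain(procs),
        "crashes": crashed_processes(procs, by_pid),
        "dropped_args": dropped_exe_arguments(procs),
        "lineage": {p.pid: lineage(p) for p in procs},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(REPORT_PROCESSES))
```

Two things fall out of this that the flat list hides. First, both WerFault instances (PID 396 and PID 4844) point at PID 4732, i.e. fipys.exe, the last stage of the drop chain: it crashed in the sandbox, so whatever fipys.exe does after that point was not observed and the report likely understates the sample's behaviour. Second, each dropped stage is started from the user's Temp directory by another Temp-resident dropped EXE with a single short argument ("hi", "OK"), which is a tight pattern for an endpoint rule without depending on the per-run file names.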

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

                Filesize

                340B

                MD5

                859e8ddea4d18da5ec5e50cc770b8ddd

                SHA1

                4ca1a12961c54ab94119940e141f0b48ad4e65b8

                SHA256

                138493c37190810d388269dcde50ff3ef51c9e33739a0b82e2491e11c6ca03b7

                SHA512

                e061b81062c49280f11af67813047de655027d19fe22c14e8522e5cd22b83b41b5fd77aa77baecef6d66cd207b1fc4ec1b25ad1649b78fcbbfd3c0c22a967e01

              • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

                Filesize

                224B

                MD5

                ad7d70ef6ffccc27bbf845dadb98fba8

                SHA1

                b8397a8c53c61bb23092138bd31ff1129631668e

                SHA256

                73f895d1ab1cc11930937334696151a43efe8b751bfff3a8ee83241b7ed4cf92

                SHA512

                2b1b1539e80ab5d16159607927eca7cd5d55502033ba0c98c9d063d2db3c12b4a5d25d3fbaf2351880d181abfcd468cf02e868c66b603bbe168a8fcaeb45a1de

              • C:\Users\Admin\AppData\Local\Temp\fipys.exe

                Filesize

                223KB

                MD5

                84454cb6049881ec1b3642c92ef0b687

                SHA1

                056c6d2535f8fa2281fd3a20a3650316aad65795

                SHA256

                a1a2d68e477c7d014a92ab064efe3dcbb7539c7d39e1dc099a1690b79a54c8c8

                SHA512

                869afe3e24b8c12c4fc3789526d4d7dc7d415946c9dfefc2fdaebaa3144b350a7fdb6fc4fee92bd7e756c1c125c15268c49b0a91e5c47ef57acaa0c18cd74579

              • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

                Filesize

                512B

                MD5

                be51935ebf85123e37a43984b64e4900

                SHA1

                b9e7d121c5e750afc9bf4cced626e28f2a2026f3

                SHA256

                4b03cf80ef3e3f1a36b987597ce315464eade4115e4f400d48c7033ac1657dac

                SHA512

                df8bfe853087b1f6006f1ccda61f21f28193d00ed013684d62c8617e823573ab0eb767bebda3fe00dd7f752f7c6ab45dec3f28da001dc5d2ceba68205fc5dafd

              • C:\Users\Admin\AppData\Local\Temp\izcej.exe

                Filesize

                466KB

                MD5

                f4aa09c9b2b8b01b5680ccf3a98b0be5

                SHA1

                5a5e1f6681a07b5695e70e789c29d89417342438

                SHA256

                d3cd8a8794b191a00fb1cc3016ad1d610135fc09d88b02299127d46f5525013d

                SHA512

                dcd7f51651cadc5a1a63ff461d745a135207197d548da4a75a8ba38581b65cd52e9894dc55106a2fecec63cb69c972704526fe2594f4411b1ca66434229c0d8b

              • C:\Users\Admin\AppData\Local\Temp\vukunu.exe

                Filesize

                466KB

                MD5

                2bd90ee40c6a3aa648ecb03d22776698

                SHA1

                2791522e25619b7417ac750b1239fb7847615879

                SHA256

                9892a440e7a9f3f3520663682d9f40e541cea149271d070b21dd8b65f3c3c3d3

                SHA512

                6f05dfa3569257cee1675a876d7f04746db73c42711f0cda200e7675a0e9b9905b1d168b8750804d6f31f1180584be0db3926a6da6e828865371b9020457181e

              • memory/3012-0-0x0000000000400000-0x000000000046E000-memory.dmp

                Filesize

                440KB

              • memory/3012-15-0x0000000000400000-0x000000000046E000-memory.dmp

                Filesize

                440KB

              • memory/3988-23-0x0000000000400000-0x000000000046E000-memory.dmp

                Filesize

                440KB

              • memory/4616-37-0x0000000000400000-0x000000000046E000-memory.dmp

                Filesize

                440KB

              • memory/4732-35-0x0000000000400000-0x00000000004A0000-memory.dmp

                Filesize

                640KB