Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/03/2024, 21:56

General

  • Target

    6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe

  • Size

    487KB

  • MD5

    5992f18b0da0a0c2622f890a14a278be

  • SHA1

    cfcb2c1ad64418c209aa71f3be827d79582f3cd7

  • SHA256

    6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee

  • SHA512

    b7f711a0fb80e20b0b5a696c399afae5ab790e3c4cbcaf272e45d35965d269641189310b7856df557b8896ce8954423eb4246ed55c9ba85f849063f3f34f29e6

  • SSDEEP

    12288:Vpbvglu0agWSFnxAEwKyLH8l+O9H6s2si2XfxKTbeP:VpbXi5xzFUBaazsiofx8K

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe
    "C:\Users\Admin\AppData\Local\Temp\6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Users\Admin\AppData\Local\Temp\dyrea.exe
      "C:\Users\Admin\AppData\Local\Temp\dyrea.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Users\Admin\AppData\Local\Temp\noguh.exe
        "C:\Users\Admin\AppData\Local\Temp\noguh.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2736

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

          Filesize

          340B

          MD5

          fbb9e6fa9d9aba36212379a340f155a0

          SHA1

          17c9a13635ed2e164f34eb277b2956e25e1b3104

          SHA256

          d0f4d264decea9079ac02fa1e07785d1045be65ee8fb063666b020853bf85eff

          SHA512

          f375ca7e85339e85139e3a940b38c0af14c1ae19e694481dade54055f2361b01b2bfe4badc9b5d0ffa834b29dc882d3dc690e28bd9031ba1d48bfd03a24d6bac

        • C:\Users\Admin\AppData\Local\Temp\dyrea.exe

          Filesize

          487KB

          MD5

          0b4ffa8532abc8e9b14b205eff6bcbc0

          SHA1

          b4a2add593a2da09a9575356b5591c9933618783

          SHA256

          a812d315086e74ba49063bcb6b621fbe8a68164dc4ea3b047ab7636be26d502c

          SHA512

          e4bfb04bcb2306cfda8c29a72d0e345a1525805d4a4afe22408fb83bd62b062369869334fae9952657f76df5be4b36c0fcf4188719bfe6c6bdbb223d81c810a1

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          ac4451cdaed6b118005cb283e5450f4d

          SHA1

          95d7f96d06b9b4123a5a68cc8773aa9e0213743b

          SHA256

          6697531f92a344acd8bac120bb5322e8f21d0ea65480a5ecd99313d268598a27

          SHA512

          a38236b908d47be11e062b35d555bf4a738d358d7ae73cf5030f6f3118ca543bb03d62c2e41d11f219367f15f3596695b91082839c09b127fdda7397a6e11ad4

        • C:\Users\Admin\AppData\Local\Temp\noguh.exe

          Filesize

          217KB

          MD5

          35ca41b3c4c54d5261258259a81439a2

          SHA1

          16027a2792d9b0a5faca514b389327539782c496

          SHA256

          50f48939c8697cc5662255d233ddeacfb6a4703acc9b8a0fd71ecae55536e43c

          SHA512

          3cc3870be2a1eb2ef006efc91fdf9ec1e3ac86848b0b944effb5d85abf4cbf26140691fb5b1716d595a6e2c3b2acf389a9d697e173b5dc001f91d355de49c47d

        • \Users\Admin\AppData\Local\Temp\dyrea.exe

          Filesize

          487KB

          MD5

          70031312a8db672b51804bfe2af57cf0

          SHA1

          6f630a7e16fab19bbd7c419a57e3ba5244200c42

          SHA256

          b9e39ce25d28d62d43dda2847f32cd2eaac737564c2f2d8aec91660bdb87d68c

          SHA512

          a36ccd055f51871afdee64aeb29005ab2d7e4043e99e8271ffbb7f5a87fefbfb185f765bc0d30bb9594876a02735b829701679982a7f63c9af54078be18d473c

        • memory/948-0-0x0000000000940000-0x00000000009C5000-memory.dmp

          Filesize

          532KB

        • memory/948-17-0x0000000000940000-0x00000000009C5000-memory.dmp

          Filesize

          532KB

        • memory/1708-32-0x0000000000250000-0x0000000000304000-memory.dmp

          Filesize

          720KB

        • memory/1708-28-0x0000000000180000-0x0000000000182000-memory.dmp

          Filesize

          8KB

        • memory/1708-27-0x0000000000250000-0x0000000000304000-memory.dmp

          Filesize

          720KB

        • memory/1708-31-0x0000000000250000-0x0000000000304000-memory.dmp

          Filesize

          720KB

        • memory/1708-33-0x0000000000250000-0x0000000000304000-memory.dmp

          Filesize

          720KB

        • memory/1708-34-0x0000000000250000-0x0000000000304000-memory.dmp

          Filesize

          720KB

        • memory/1708-35-0x0000000000250000-0x0000000000304000-memory.dmp

          Filesize

          720KB

        • memory/2340-25-0x0000000000FE0000-0x0000000001065000-memory.dmp

          Filesize

          532KB

        • memory/2340-9-0x0000000000FE0000-0x0000000001065000-memory.dmp

          Filesize

          532KB