Analysis

  • max time kernel
    128s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/03/2024, 00:07

General

  • Target

    b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe

  • Size

    470KB

  • MD5

    4a5298ea39ded905fee91d92f993e5a8

  • SHA1

    ea62984293b5717220f54f19269cfd856d481cbf

  • SHA256

    b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263

  • SHA512

    b57e3b8a759bd62a0462bde84659441b64db7c3a12e08a9b5f6363ea3f855c2a9dec2a5dea221a27230523d54e4b216894bc4b77c756f8a6326b1e1a4870e978

  • SSDEEP

    6144:PEK25f5ySIcWLsxIIW4DYM6SB6mwrxcvkzmSOphmYHa:PMpASIcWYx2U6kQnaHa

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE (3 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (2 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe
    "C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\reuzu.exe
      "C:\Users\Admin\AppData\Local\Temp\reuzu.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Users\Admin\AppData\Local\Temp\qozeso.exe
        "C:\Users\Admin\AppData\Local\Temp\qozeso.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3548
        • C:\Users\Admin\AppData\Local\Temp\abjas.exe
          "C:\Users\Admin\AppData\Local\Temp\abjas.exe"
          4⤵
          • Executes dropped EXE
          PID:4388
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 216
            5⤵
            • Program crash
            PID:2796
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 220
            5⤵
            • Program crash
            PID:1004
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          PID:5100
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      PID:4204
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
    1⤵
    PID:4340
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4388 -ip 4388
    1⤵
    PID:4996

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize
    224B
    MD5
    da843167b8bdfc6f7477976a7a7d4a42
    SHA1
    f8c20bf59448b35227b26099b63724091a0b68fb
    SHA256
    4697cba571b98d6b6c099546181734044ac5e7738785e267c07866075cff3d67
    SHA512
    4a02893e64b6ef9d24e76cca9717db6947c2e26ff3e829cbba3980be53ce8eaa599d4a29cee123cf8274bd63550526de94763278bd2da7702c16930aaefd6d89

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize
    340B
    MD5
    392fe03859a4f294d2c15cb4fd401002
    SHA1
    2dacf37e880afcbe94f8beb123cf64ca3571336e
    SHA256
    c8c8530256248be7c054c1657b998440bc6b3371985033bcfdedd490dd14a99e
    SHA512
    c7752051a881f0038ec9effe69d896f24264bba22dd189e8a59f328ed56bc2d285e3b96bafb7eb02ed4463923d451377960582fee4bb7c43ce8e950f4c8b2f03

  • C:\Users\Admin\AppData\Local\Temp\abjas.exe
    Filesize
    223KB
    MD5
    4091050586686180c782b16c79c7d2b8
    SHA1
    b9b168e16f1e1cc731ba09983233b3810f6e887a
    SHA256
    6da6aaae31932108601ee627b099c7d365e874e37a32eec10cef788fba90a06b
    SHA512
    6bb8ec522a407e13eaff8eea9d938ab66f15d60d2048209a645c4d01ff609123918c25d81fde39f14127e462761f39b6dde064e81f67515a6a1bcef5169c56b7

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize
    512B
    MD5
    6bf66ae60e32751c890307931922529d
    SHA1
    2d2a8e37de5a111c13d30c2b1d1194b95a5710e4
    SHA256
    0fd7d3d36f2c71ad9a8d00db273e424a8964b650ac8c8d5c81afc76f26b06205
    SHA512
    7538520615300bc708231e2b2354ce4e60148d016377189fc06c42b44100af00bfaec8e655559fa1931d5a1ad37d4f219a88d73da8ae437374bcecc734213a39

  • C:\Users\Admin\AppData\Local\Temp\qozeso.exe
    Filesize
    470KB
    MD5
    59a4ae54b766af8467f135cf98f88b39
    SHA1
    b8a073d4de9ad174f79bae455ea2903f09eaa0d7
    SHA256
    c77159fd85da67e8a82d7e3a59287c67a1aa0a4f09a068365ada71a95f286c87
    SHA512
    2379bc030393fd1624a2e507696adfd543b174b7876f001aaeafecd9025cba2662f7df1955ced0e03fa0abb92dc8dbbf273d32d44c4eae8b0a5a19d4dcc15f33

  • C:\Users\Admin\AppData\Local\Temp\reuzu.exe
    Filesize
    470KB
    MD5
    2873087efcc5ad82e7edaab61fc20ede
    SHA1
    0b26154719ba6c6136487f26e128e36d4f34d6ef
    SHA256
    ad79e65f08cfe2e0d76eb8a53f6c382f79102c02e3271fbfb5fdabd787f37162
    SHA512
    648b387e0947fc1ff65bf1998f03c868d69a9e3d8bc44d9a241e5949bfa5dbce43f63cd8cbd188a0475dd657a6d611e0b9fb95b5f27abdad83c9fec003bcdbca

  • memory/2280-0-0x0000000000400000-0x000000000046E000-memory.dmp
    Filesize
    440KB

  • memory/2280-15-0x0000000000400000-0x000000000046E000-memory.dmp
    Filesize
    440KB

  • memory/2412-24-0x0000000000400000-0x000000000046E000-memory.dmp
    Filesize
    440KB

  • memory/3548-37-0x0000000000400000-0x000000000046E000-memory.dmp
    Filesize
    440KB

  • memory/4388-35-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize
    640KB