Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    11/03/2024, 00:32

General

  • Target

    c61e4c357290a31faca4db045b53cc112cad3ac615f167ed3e54bf837bc13afe.exe

  • Size

    201KB

  • MD5

    3d20deb54ee3306d88850606dedb6737

  • SHA1

    44a0359d73aaee8be34498397595ec796e7f83b3

  • SHA256

    c61e4c357290a31faca4db045b53cc112cad3ac615f167ed3e54bf837bc13afe

  • SHA512

    58f6f6c14c17db51c436c1c2b7b166a5a91fa07cf184358a4a643de46557fd5e4c88d5c00ac775ca76f5d3ba6f3a1c40a6c278e4fedb723de3326cff2d0fda5a

  • SSDEEP

    3072:llfTVlvfdEDRmyc+XA60Kj4omjuVZ6rNp0Vh:lpTV9rZllomjuCNp0f

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c61e4c357290a31faca4db045b53cc112cad3ac615f167ed3e54bf837bc13afe.exe
    "C:\Users\Admin\AppData\Local\Temp\c61e4c357290a31faca4db045b53cc112cad3ac615f167ed3e54bf837bc13afe.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      PID:2168
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • Deletes itself
      PID:2292

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          fc7c2ef888930c9e3d5e328202990a11

          SHA1

          336cbc6a838acad79206b98e9eb2414736e718ed

          SHA256

          79115937973fc5e46c104e0eff35fe65ece75db6224847bcd152057b496ed517

          SHA512

          a426d6b66e7576aa639692147f14d8c6c8b580b16ac2b17d2c8e68e01f423d11205fb806074b26273f1ca267f85bc6edd91f932e7d5deeb95811cd20622690e7

        • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

          Filesize

          338B

          MD5

          f64070642a1a720d7a17e819dc4385e2

          SHA1

          f95d5d6ab332a0eacf2254bf0abcf08a924c34bf

          SHA256

          e28fcc2140ea98d7549421823c158593a8a668bc272bf5ad0ee2a4cbfc4ad1c6

          SHA512

          ca3ba9b70ba45567ad3d86cd176fdd1aaf4ef0c9ccb4df2182b9d3ee7dcdeffd08f6076edc426958b1e243791708fea93cf0284eaed1feeb309ce16a29fc43fa

        • \Users\Admin\AppData\Local\Temp\biudfw.exe

          Filesize

          201KB

          MD5

          a879643cbfd03f6f07941e055a6e0e49

          SHA1

          0b27f7a1730f1a120407d6c739079165b32c0e4a

          SHA256

          4cadce1deddde47fed223c91cff638269315f2f54ea1c2d21699f595f5bd4470

          SHA512

          cbb6e1a27d794fef796381771adf9a2aa8466b9745d2a13a9f6b1fdbe75c791e4231f3fcde2ffe6ea53071bc98bf9aa5b9d0a7bab321c0a69bfb5f703d17daee

        • memory/2168-18-0x0000000000E30000-0x0000000000E68000-memory.dmp

          Filesize

          224KB

        • memory/2168-22-0x0000000000E30000-0x0000000000E68000-memory.dmp

          Filesize

          224KB

        • memory/2168-23-0x0000000000E30000-0x0000000000E68000-memory.dmp

          Filesize

          224KB

        • memory/3020-0-0x00000000002A0000-0x00000000002D8000-memory.dmp

          Filesize

          224KB

        • memory/3020-15-0x0000000000530000-0x0000000000568000-memory.dmp

          Filesize

          224KB

        • memory/3020-17-0x00000000002A0000-0x00000000002D8000-memory.dmp

          Filesize

          224KB

        • memory/3020-21-0x0000000000530000-0x0000000000568000-memory.dmp

          Filesize

          224KB