Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/03/2024, 01:02

General

  • Target

    d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe

  • Size

    339KB

  • MD5

    9458e8269e981283386b04277dc91776

  • SHA1

    512499b1a5884ec2b32074f9fde4683c6eb6f0e7

  • SHA256

    d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968

  • SHA512

    f6f9eb7d66f0ab8d358d5217651ec9fa984b6fc40d5f1e210656c8cb1e71d51a40ba400f2aeaa04b0af24d75be8539dfb9d604bceb4633626d8e35a9148b1047

  • SSDEEP

    6144:i5tYTzqklVw910CIWrC9foCChVN6XCLWk6aMWgziMV1AXj16NYuLDuUcOibi5EBb:iUPTCBC9A/VIXCCkMWguMcj0vbd5E0/Y

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe
    "C:\Users\Admin\AppData\Local\Temp\d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\zujid.exe
      "C:\Users\Admin\AppData\Local\Temp\zujid.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Users\Admin\AppData\Local\Temp\foykn.exe
        "C:\Users\Admin\AppData\Local\Temp\foykn.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2620
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2992

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

          Filesize

          340B

          MD5

          6c989d40332ecbec37ef36c1ebb87052

          SHA1

          ad28ab74a59dcf6480d984813775f1bdb93d2bd6

          SHA256

          807ae5e7038f6247122ddbb681e8fac69cb6f0816dda032631be396024a06769

          SHA512

          f53a4facda108a72db41daedd14a78655810d65445c14dbb2f869980728e6fd358c822eb73ef6bb22da16baf360d5223c78b80f4f5c40d80756a27a980e45f20

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          b72b4dd03476bb02f216c46f061048cd

          SHA1

          8098dcd2c40f7a95cba34ed97411617a9b9c5ff4

          SHA256

          64c49a903fba8d28b68f95717b1b7f834d7060550aae38db07992d2e9ebc8aa7

          SHA512

          14e8e50b441db0260c0f0491838df418b72682c11cda1f68b7dcbbca4a76f7dee5b16f2dbf2bd713ea37a5034ca69f9b75a47b648e39205333a52d89399b9514

        • \Users\Admin\AppData\Local\Temp\foykn.exe

          Filesize

          226KB

          MD5

          36ba7820d561cfc5ad273c7f0dc33488

          SHA1

          285ff766188a294aca60630e7043ae89726b5e28

          SHA256

          9b00b16c3d95336feea37dd3c7f2cd2fb171839a97d6eacd617a58df26de7ee8

          SHA512

          5f0f078c1000f760464a0691d15fc0ef99df3023a52dbd06203011f29ba98e26a30c7719eac110ec2658ff2c96dafe08e3867d11e62eafe83afbf969d80bd8c3

        • \Users\Admin\AppData\Local\Temp\zujid.exe

          Filesize

          339KB

          MD5

          99dbeccf5824dcb7eab1f37a4542dd9c

          SHA1

          eca512937bbefdc6dadf0d8d360edc884134a7fe

          SHA256

          b22e662c1c296d931f19485fd93ded1f4844b5c85a8910f94f565c5a95e936b7

          SHA512

          b42dd0f445d05d206f78977152b6724c0df9ff1152f1929aabd5768c352bb4d3a90aa125cb9dc827bc6a53f9d5cc74b3f84be112b16165a6dc6c749286013da8

        • memory/2320-17-0x0000000002580000-0x0000000002607000-memory.dmp

          Filesize

          540KB

        • memory/2320-0-0x00000000000B0000-0x0000000000137000-memory.dmp

          Filesize

          540KB

        • memory/2320-16-0x00000000000B0000-0x0000000000137000-memory.dmp

          Filesize

          540KB

        • memory/2620-40-0x0000000000890000-0x0000000000940000-memory.dmp

          Filesize

          704KB

        • memory/2620-37-0x0000000000890000-0x0000000000940000-memory.dmp

          Filesize

          704KB

        • memory/2620-38-0x0000000000020000-0x0000000000021000-memory.dmp

          Filesize

          4KB

        • memory/2620-41-0x0000000000890000-0x0000000000940000-memory.dmp

          Filesize

          704KB

        • memory/2620-42-0x0000000000890000-0x0000000000940000-memory.dmp

          Filesize

          704KB

        • memory/2620-43-0x0000000000890000-0x0000000000940000-memory.dmp

          Filesize

          704KB

        • memory/2620-44-0x0000000000890000-0x0000000000940000-memory.dmp

          Filesize

          704KB

        • memory/2956-21-0x0000000001010000-0x0000000001097000-memory.dmp

          Filesize

          540KB

        • memory/2956-36-0x0000000001010000-0x0000000001097000-memory.dmp

          Filesize

          540KB

        • memory/2956-18-0x0000000001010000-0x0000000001097000-memory.dmp

          Filesize

          540KB