Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/03/2024, 03:16

General

  • Target

    bfb2d0ba26e58380d9726ff90275fd8d.exe

  • Size

    236KB

  • MD5

    bfb2d0ba26e58380d9726ff90275fd8d

  • SHA1

    51b2ae4a3eb1d814eb6c6e288ba51a14d7667b0f

  • SHA256

    0f09f3e21430744c3c858ea52acccae0a78e5f4877db67888907d0b524694c2b

  • SHA512

    d71772f65ff878657b2febbe785ac5c8e4351b2804220c8fa3ba748f674d11ef3eebdc15f80d20cac9336b4ae03370c4bbae96b2e944e4f86b1ab20fae415769

  • SSDEEP

    3072:K8ASpvo0LKrXEX65ezpxJ2kbJ7mv73E2o/9sY2R:ZASpvo0LKkRzpxJ2kRqroiR

Score
10/10

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe
    "C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      2⤵
      • Executes dropped EXE
      PID:2632
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • Deletes itself
      PID:2536

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          7295fb9368a0ef278de4b9755bf9fa1b

          SHA1

          db5fa220d77ed7824ae0a4f822e0ce46010a5d77

          SHA256

          dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98

          SHA512

          dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a

        • C:\Users\Admin\AppData\Local\Temp\huter.exe

          Filesize

          236KB

          MD5

          ab256c064d4f0976a2f3b2d793c537a8

          SHA1

          fe1884631a196957a7fc210267e2bab34d7a4ad1

          SHA256

          0f8b69ab136d0985dc56a6d6184d620410dec86eb37d3ed3e3f3686326e9ebad

          SHA512

          8130cc242e0ca5d84c7d8b4034e05231587c4cd925818f4abddd0dd52f2c0e74013d963ca4591c3d0f28487c5c48d93f4a8a6a90cfb5697d9422b4a7a6d86f05

        • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

          Filesize

          274B

          MD5

          9b2b6a72b0390126bd9f0c14bcbae8db

          SHA1

          d37185b590933823b126ccf44a019173d5d2ae30

          SHA256

          ab9629033942bae26ad02445573bcf94471b439859cf7074c24d11372a29a507

          SHA512

          aebef38a95a92b56897cd23fb4a0b72de9baeb203a86b62a923422459e7a5f4a9cb0b607e43d83273ebc795636fae2723a07f78e5476e31e6d6ca48172c58358

        • memory/1908-0-0x0000000000830000-0x000000000086D000-memory.dmp

          Filesize

          244KB

        • memory/1908-8-0x0000000000410000-0x000000000044D000-memory.dmp

          Filesize

          244KB

        • memory/1908-17-0x0000000000830000-0x000000000086D000-memory.dmp

          Filesize

          244KB

        • memory/2632-18-0x00000000003D0000-0x000000000040D000-memory.dmp

          Filesize

          244KB

        • memory/2632-21-0x00000000003D0000-0x000000000040D000-memory.dmp

          Filesize

          244KB

        • memory/2632-22-0x00000000003D0000-0x000000000040D000-memory.dmp

          Filesize

          244KB