Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/03/2024, 03:16

General

  • Target

    bfb2d0ba26e58380d9726ff90275fd8d.exe

  • Size

    236KB

  • MD5

    bfb2d0ba26e58380d9726ff90275fd8d

  • SHA1

    51b2ae4a3eb1d814eb6c6e288ba51a14d7667b0f

  • SHA256

    0f09f3e21430744c3c858ea52acccae0a78e5f4877db67888907d0b524694c2b

  • SHA512

    d71772f65ff878657b2febbe785ac5c8e4351b2804220c8fa3ba748f674d11ef3eebdc15f80d20cac9336b4ae03370c4bbae96b2e944e4f86b1ab20fae415769

  • SSDEEP

    3072:K8ASpvo0LKrXEX65ezpxJ2kbJ7mv73E2o/9sY2R:ZASpvo0LKkRzpxJ2kRqroiR

Score
10/10

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe
    "C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      2⤵
      • Executes dropped EXE
      PID:796
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      PID:5016

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

            Filesize

            512B

            MD5

            7295fb9368a0ef278de4b9755bf9fa1b

            SHA1

            db5fa220d77ed7824ae0a4f822e0ce46010a5d77

            SHA256

            dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98

            SHA512

            dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a

          • C:\Users\Admin\AppData\Local\Temp\huter.exe

            Filesize

            236KB

            MD5

            7c69c71697cabe4e758ed1275bae6192

            SHA1

            2fa83281d17947e863bd48fcff5bcce24f2f4b1e

            SHA256

            f3e90a7f922fda72f1007cd5ecc88e9633128af01712e724c4b9e76c765a3bf7

            SHA512

            27259912a900d1d2ccc3e615396a8b818c98090959b57f71a7945ac829a9bb433bd1e1cb13944667b13c9ebfc2ed4ffc4df357e0b3f186b0f2c1caa29f68281f

          • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

            Filesize

            274B

            MD5

            9b2b6a72b0390126bd9f0c14bcbae8db

            SHA1

            d37185b590933823b126ccf44a019173d5d2ae30

            SHA256

            ab9629033942bae26ad02445573bcf94471b439859cf7074c24d11372a29a507

            SHA512

            aebef38a95a92b56897cd23fb4a0b72de9baeb203a86b62a923422459e7a5f4a9cb0b607e43d83273ebc795636fae2723a07f78e5476e31e6d6ca48172c58358

          • memory/796-10-0x0000000000A50000-0x0000000000A8D000-memory.dmp

            Filesize

            244KB

          • memory/796-17-0x0000000000A50000-0x0000000000A8D000-memory.dmp

            Filesize

            244KB

          • memory/796-18-0x0000000000A50000-0x0000000000A8D000-memory.dmp

            Filesize

            244KB

          • memory/1932-0-0x00000000002D0000-0x000000000030D000-memory.dmp

            Filesize

            244KB

          • memory/1932-14-0x00000000002D0000-0x000000000030D000-memory.dmp

            Filesize

            244KB