Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/03/2024, 05:44

General

  • Target

    bffd92387ce2f42ec3bef3676dc450c5.exe

  • Size

    403KB

  • MD5

    bffd92387ce2f42ec3bef3676dc450c5

  • SHA1

    c084cba4905f8930d67938a4cc939b3e78a18b3a

  • SHA256

    14f8f5e1845ef3a5e480b4d8eb1d6927cdebb85bb149c7c5f4bab48e913e9004

  • SHA512

    e8a1ae160ccc1bf89aa1987af2f65da25b78737d71b1b5dec6a89ec5598433fb7a51506da44e8d76811a32822f3ca1bd6d5644c8d911749513ecae073a23ad22

  • SSDEEP

    6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohI:8IfBoDWoyFblU6hAJQnO6

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe
    "C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Users\Admin\AppData\Local\Temp\jifyi.exe
      "C:\Users\Admin\AppData\Local\Temp\jifyi.exe" hi
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Users\Admin\AppData\Local\Temp\juboce.exe
        "C:\Users\Admin\AppData\Local\Temp\juboce.exe" OK
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Users\Admin\AppData\Local\Temp\huiqt.exe
          "C:\Users\Admin\AppData\Local\Temp\huiqt.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2496
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
            PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        2⤵
        • Deletes itself
        PID:2088

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

    Filesize

    224B

    MD5

    6eff6bacee80448346f6332df43a9b76

    SHA1

    f7b7c8b9b9b8943ac907cfae58299941819d30ed

    SHA256

    5d75fa2e2104684e6300dccc103f0e7af138556d95b5f9d0d260ec89153b4fef

    SHA512

    72f6d1c1fab34124172db8a44740e725418b0bbddb91d37d12523f5c7c1cc9041d05745089f8d6d6ae8e76f22fba27ad6dd182637834cd3aa95565814e4b5f01

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

    Filesize

    276B

    MD5

    f847b5d9d2475fb8fa19d0287199e436

    SHA1

    bd25e1e5bbddc343e6233ce1051d979dac880002

    SHA256

    2e4736cae2231b7b9583c1e768aec1712bc99247eff4662152c7eac6a3ad8b68

    SHA512

    c6a19eb2e99857c697a3c71b04ecc9ec1751d4785d753e59c69cb3891821ecc09451814ed23aa5571e39bbcd69b4e0b7fe47a7c69e9c8b2f312412dc3638fb14

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    6bc18f939cb5b9b400e5b7fdc296bc0b

    SHA1

    7cf463319130f8c24bf224a45639313182e829b6

    SHA256

    a40dde9a81a24cb3d72c661a1b8077b76a3a6371149213833efc179a67404620

    SHA512

    043274de024d9284b07bf6ab4c63967e090e19792090d6a9c372b4b044c6e1d02f3c8411162c3141ed8af9513657e92a0e813ad4c0a04ef79654052548d77320

  • \Users\Admin\AppData\Local\Temp\huiqt.exe

    Filesize

    223KB

    MD5

    685da7bd1286817247ce5b1d32e90428

    SHA1

    1d4cf39b8144e58a9024cc7d809140368ae4ddc2

    SHA256

    17e4f1128f7a48b679328629d521e8595ad37935683406574ce387294303a5da

    SHA512

    24c6e2ec6580fe85119528d4bf8b1eb86da0f089a61f14a50ceacf31781734fe96d0edc4368e2e41681afc0136dd75ee4c21aaaf49106f057baf17b030189386

  • \Users\Admin\AppData\Local\Temp\jifyi.exe

    Filesize

    403KB

    MD5

    8e799cd1ede1ce2da654b9ebe4e96872

    SHA1

    0d5e2d90e0550e0d255076667ec604be33c66ed5

    SHA256

    d098c1fb0714634603d50bbdaec0bd9f70ab9baecf5869b6521bbf83f6cfbe8e

    SHA512

    581e6c1cbe936a9c1e0e7f9ff3567f2eef04617e4aa6162a7f34b10475def5bd1202e9a5e786d3e95b40fb8dd3c30ae8c387d31a7b8c9e0ab0cdb9135fcd24e1

  • \Users\Admin\AppData\Local\Temp\juboce.exe

    Filesize

    403KB

    MD5

    53791e86a69b6433ea0b7eb63e7ba3d1

    SHA1

    74bfbfa87010bf79db162146a295f720bca0c263

    SHA256

    045a11efe0bf7ec498ee4efdf7d27c0ee9d9d01aab07f4946df595aabd7a9f22

    SHA512

    543d9daaf957c304c9ff8d8be05a08669a3e9ad8eb54c584be934460fde9c7ddef1892fd6dc78ffbfc4a330a2b48f2bcf420d96d58a5604b3acd81df93b13223

  • memory/2496-62-0x00000000002E0000-0x0000000000380000-memory.dmp

    Filesize

    640KB

  • memory/2496-60-0x00000000002E0000-0x0000000000380000-memory.dmp

    Filesize

    640KB

  • memory/2496-61-0x00000000002E0000-0x0000000000380000-memory.dmp

    Filesize

    640KB

  • memory/2496-53-0x00000000002E0000-0x0000000000380000-memory.dmp

    Filesize

    640KB

  • memory/2496-54-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2496-58-0x00000000002E0000-0x0000000000380000-memory.dmp

    Filesize

    640KB

  • memory/2496-59-0x00000000002E0000-0x0000000000380000-memory.dmp

    Filesize

    640KB

  • memory/2684-36-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

  • memory/2684-52-0x0000000003B50000-0x0000000003BF0000-memory.dmp

    Filesize

    640KB

  • memory/2684-51-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

  • memory/2920-0-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

  • memory/2920-10-0x0000000001F30000-0x0000000001F98000-memory.dmp

    Filesize

    416KB

  • memory/2920-19-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

  • memory/2948-22-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

  • memory/2948-33-0x0000000003680000-0x00000000036E8000-memory.dmp

    Filesize

    416KB

  • memory/2948-34-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB