Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/03/2024, 12:00

General

  • Target

    c08c38b909af8bcd4ff86db7ce941b18.exe

  • Size

    95KB

  • MD5

    c08c38b909af8bcd4ff86db7ce941b18

  • SHA1

    a288da54333f293907e103be53af9508c165adc4

  • SHA256

    3ed6a6178dc642ad7d4fb33f0f13561b15012d5c031424f5ee6f20ee92aef83e

  • SHA512

    e786bec2a5f7fc3ea8c6b5d53e2c97ef773588c12e28cfe08ddc82d3cbe0f87e41728fb59d5a7fd9a634b74ab617a2f22810243dcb2a081ae45782601e04e046

  • SSDEEP

    1536:nwhq8V9IpPf2lgiIJ4pivJnuNVueC39GdBR3M9c3:nqV9MziU4piRun7C3CP3Ma

Score
10/10

Malware Config

Extracted

Family

urelas

C2

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe
    "C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      • Executes dropped EXE
      PID:1520
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      • Deletes itself
      PID:2520

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          02167b944a214fee3d34f9a7e356dc6a

          SHA1

          ca5b3f38a7151268726401593eb35f9b67bdde97

          SHA256

          77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d

          SHA512

          c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

        • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

          Filesize

          274B

          MD5

          0f11887a5b30f2407e8ef79ec28901b8

          SHA1

          29e8234eb652ba220aafc35c0f5c3b0444d9fd43

          SHA256

          1fc3b2039b132ae771964254d6e3fe2a4c172374f8d865159d3ab23acfa713a3

          SHA512

          5f15b26b16e551ecf20d388a4a3d1554e09a7cbfdc2824877fb58457264a06c23811ec30517cdb6d6d4d60b2dc9f471f95bac81078af8474593329a1ce25631c

        • \Users\Admin\AppData\Local\Temp\huter.exe

          Filesize

          95KB

          MD5

          add8f874c84f0d94e44c50d21bf24490

          SHA1

          6a966a0bc637828e2a8c68d20e2305f3e36be0dc

          SHA256

          24fcc8f0b8c21b2e1d20f6454ea1862142012b50d91c42cf71bcfae421e762b3

          SHA512

          253a029290c6b859964684dec2bc16d3315fdee88a7add42198a6dd46937477ce14f16d6531be9df4095f163125474ba3ba100abd27a2388d8e6e9a2a797b341

        • memory/1520-20-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/1520-22-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/1520-28-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/3048-0-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/3048-6-0x0000000001D80000-0x0000000001DB6000-memory.dmp

          Filesize

          216KB

        • memory/3048-17-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB