Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2024, 15:14

General

  • Target

    c0ea1f02d98705fa23f0f37da08b0b14.exe

  • Size

    207KB

  • MD5

    c0ea1f02d98705fa23f0f37da08b0b14

  • SHA1

    5a688d0be7e642aa3d7541252b9b59cf0ba217f2

  • SHA256

    69e8d0b8e0fc8511858eabb85e1d4b5d23eaa9b3dd8adbf96b681aa1476b9cec

  • SHA512

    3d445a1a2234affe526ce3c6f119291fb731c846706e1b0c7d6608c9bc0ce8864f167e552761cba109015576c95b9cdf152d35a3d3734649cf3c785ce496ea3e

  • SSDEEP

    1536:1BucKHs7K2HEG7BpoWiZBYHs977q+7INVdU2Aneb61TVcz+3MJb6rcR6:PuchogM57bIL+eb61TVa+3MJb61

Score
10/10

Malware Config

Extracted

Family

urelas

C2

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe
    "C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      2⤵
      • Executes dropped EXE
      PID:1128
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
        PID:4728

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

            Filesize

            512B

            MD5

            02167b944a214fee3d34f9a7e356dc6a

            SHA1

            ca5b3f38a7151268726401593eb35f9b67bdde97

            SHA256

            77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d

            SHA512

            c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

          • C:\Users\Admin\AppData\Local\Temp\huter.exe

            Filesize

            207KB

            MD5

            2d8d926236c18f2f6bdabc62eb8f63b6

            SHA1

            754492fda4e35ea4896ffebfb82db2fda8a9d55f

            SHA256

            9d283031712325b95d21b4238738ad0d3f517948f404523dcdc107ae77d666c6

            SHA512

            b0e2de6f5f1c810d28e35f0044f721134c08752b79b09d10d6142a8b065479e0a264cf33a7c25d7daf1813d7da5303f7db6ad868f59bae67c8ef08d2bba0d34c

          • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

            Filesize

            274B

            MD5

            e0fd68b180ca3b880f1253ea525cd8a7

            SHA1

            2455eb699ff3fdd82160f752d48fe86ddc7462f6

            SHA256

            3be0e7364b79421b9f0ce4189d9131cf63d9563968912eb438b3e6af528d7631

            SHA512

            789099ae0edf8d5b33be0b52c6272a9f893145594ddef40e918a63bdd39e03832c8040be0cbfeeb41b7ad847acf8133af08bb6ac92a381cd0ef85144726c5021

          • memory/624-0-0x0000000000400000-0x0000000000437000-memory.dmp

            Filesize

            220KB

          • memory/624-16-0x0000000000400000-0x0000000000437000-memory.dmp

            Filesize

            220KB

          • memory/1128-19-0x0000000000400000-0x0000000000437000-memory.dmp

            Filesize

            220KB

          • memory/1128-20-0x0000000000400000-0x0000000000437000-memory.dmp

            Filesize

            220KB