Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/03/2024, 22:09

General

  • Target

    8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe

  • Size

    367KB

  • MD5

    55e2b28e5b61d0269ad3e4c5c0e05180

  • SHA1

    9bdeca964f12f062832e82d3d2bf9847a274040a

  • SHA256

    8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36

  • SHA512

    3218ab53f7391bfc625d074babc05c56c2948f78920793bb25febdfb55c2334edb422e7db52907cdd45891a49130ab6a6ae94d9ea742a3c317d47b41409d9410

  • SSDEEP

    6144:OuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pL:OzGL2C2aZ2/F1WHHUaveOHjT3

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe
    "C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\zybon.exe
      "C:\Users\Admin\AppData\Local\Temp\zybon.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Local\Temp\mylow.exe
        "C:\Users\Admin\AppData\Local\Temp\mylow.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:632
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2620

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

          Filesize

          340B

          MD5

          b652ce937e0c122bd97f3d0ce6dca2cc

          SHA1

          9d2d5ae6790eb024997332be1601baebae93d698

          SHA256

          079f20efb72e006948103e222c1ab454336f81a4a155a23d02d4b0eab67e4500

          SHA512

          628c2a75afcec7499bc103fc3cec36c9eb9d9e98f8b4c0fff4ca40ee63172fea098ebe7acc72adb3cabfdf941424abb4e98ae4e7db65127e8cc3b6af706438a9

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          9616e57dd48c5c3fe324766d21a64cf6

          SHA1

          22a7bbdb894d8d555b8a12bb3183f8d5e079f27b

          SHA256

          3e96daf233e34a7ae604a68164724ed4ea5571df9f95d847cccf60412008de0d

          SHA512

          10e3f663bb908e4bd9c88a83891cd0d1249cbcfd062839105f0dd8d5803107602e178aae9c5e9abbc93297a9762b92f5ad4a9e1f05e0398496b7ab51ae557ebf

        • C:\Users\Admin\AppData\Local\Temp\zybon.exe

          Filesize

          44KB

          MD5

          7bab6a396207ce7ca9a7284e8a4d2ef0

          SHA1

          de0380e89df31e2ad348bff69773885cfe6e20d6

          SHA256

          08e0780631515ce83bc71661e4dfa67d1e82ee83428faf847e6bdb8f8eb56107

          SHA512

          89cef161ce1e36ec53607a1cfcd09b30a2d38e07bc69accbace74d2c5516739740ad20363acb68efa0d164f3ae36becbb91b56548188dd5c35a599290c5c8188

        • C:\Users\Admin\AppData\Local\Temp\zybon.exe

          Filesize

          367KB

          MD5

          b90cabdce11eafd910a7bf9ec8a3ba4b

          SHA1

          cabfe274186858d82ec957f62ad9729d6cc4d3cc

          SHA256

          d4bd89ac0bacafc4cd1f72809b5e9ee7a677bd3ac9c576f66f09653ea92b99df

          SHA512

          fbda802152c4cf1a1b2b29568bf267f0e35b8fe85b57186d41d7b9a552d3755b28ee6bf69eabbd7cb3ce352738ab70e8efe83ed68a573f185956664a582269ad

        • \Users\Admin\AppData\Local\Temp\mylow.exe

          Filesize

          303KB

          MD5

          e229b37bbdb6f72168884cab28b02be4

          SHA1

          28c6beb1c82e6928023dc3f131b37434de711439

          SHA256

          dacb1a8ae43e9cde31e3aa20327321cefe772f6ebde2fe412a9049db650321ea

          SHA512

          aa7cdcccdd2695bd0138e4feed7ce6df37dd3b947f65cb40320ddde8551a41ebe5aca078210fba2603de1e29702af6b953da1eff3b4ee0501731f0d37d6a7fa7

        • \Users\Admin\AppData\Local\Temp\zybon.exe

          Filesize

          367KB

          MD5

          4336d443b29538c747bae73fb2f3d3a1

          SHA1

          f00690a10f9ee4b5eeda7682f5e253c47d0ff4c3

          SHA256

          f782775be0e407d240d03f74f57eea5fcb367dfdcea868f68b83f4b1f851703b

          SHA512

          89857223f5b52f6c7551c4ea03deeeac43222a166c35387a2eca82fbb5b36c97c27ef4b9304b004276ff8752ed0a3c6be2372f2ea029a85fb42190746a14dc08

        • memory/2364-0-0x0000000000E80000-0x0000000000EE2000-memory.dmp

          Filesize

          392KB

        • memory/2364-18-0x0000000000E80000-0x0000000000EE2000-memory.dmp

          Filesize

          392KB

        • memory/2364-6-0x0000000000550000-0x00000000005B2000-memory.dmp

          Filesize

          392KB

        • memory/2836-17-0x0000000000CE0000-0x0000000000D42000-memory.dmp

          Filesize

          392KB

        • memory/2836-29-0x0000000000CE0000-0x0000000000D42000-memory.dmp

          Filesize

          392KB