Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16/03/2024, 22:17

General

  • Target

    92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe

  • Size

    453KB

  • MD5

    7cf19309574d5bf7a7e8fd72cda93f93

  • SHA1

    4c5194df07a8625883204ccaf9b9f1a5e550d1f2

  • SHA256

    92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25

  • SHA512

    6428fa21509b031e36c4336c80e541fbeb07818a17f4435de203b88e239cc4fc1ec1020b97f3c663e7fbab4c9addf57f8f28f6cfe7717a7549b43acfcd476590

  • SSDEEP

    6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoz:PMpASIcWYx2U6hAJQn3

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe
    "C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\tymib.exe
      "C:\Users\Admin\AppData\Local\Temp\tymib.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Users\Admin\AppData\Local\Temp\ipfaju.exe
        "C:\Users\Admin\AppData\Local\Temp\ipfaju.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Users\Admin\AppData\Local\Temp\wadag.exe
          "C:\Users\Admin\AppData\Local\Temp\wadag.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:5060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
            PID:1380
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        2⤵
          PID:2912

      Network

            MITRE ATT&CK Enterprise v15


            Downloads

            • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

              Filesize

              224B

              MD5

              65cc4d9ba6ead3f011512c2fe89cd539

              SHA1

              0216586f28e2aeddb906e71d450b8b373d177862

              SHA256

              bf8a259d91234833c0761e819fd2586a7c955ed4ff802c981a12109d89a4b22d

              SHA512

              a9d63e92455245c34da2e749c60a0638887795f33e5e369417f6344903e6fc32388900b7546b49339f8cd08285275d422b1f7dced65dc35d6dab5d5b9b568ab6

            • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

              Filesize

              340B

              MD5

              a76e13bcc28ddab8b9f29db5cd0076a3

              SHA1

              1e86f77dbb2e8d033d56706203025ee77c844b61

              SHA256

              e1111640a0361091a433c072374681be71bd0b725e9a8082ff2a5d531b49c22f

              SHA512

              e131daf47e86ea2a08e4d8bafcaba04d2c5ef2c7853d9589f50b5c912e1a4c825739c170d32475d8e29e44d777e74042027d05d87431851923f7e02a07d41075

            • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

              Filesize

              512B

              MD5

              057da1d21a28c463978a7879cffa3b41

              SHA1

              19c14e44c74facaaa7ff7761159d29e1e6e36fef

              SHA256

              3f471c16aaa1991d07b92c03b25f6122860eaff5511b4cc0a4ca18618fd4ea9f

              SHA512

              b692d01d76265e5c8762b5ee34e30108837baf703556de6856be29207fdf113cfeb731438769d68ddd2d7236a530856bc5e07dc3bf289cee958cbbcae73285f7

            • C:\Users\Admin\AppData\Local\Temp\ipfaju.exe

              Filesize

              453KB

              MD5

              423a4931703c323e28ee1c05d7e3a621

              SHA1

              9317280dcff0b898446da264539a1d2a8ef01950

              SHA256

              98da8b4fdeb1519f240efd17142d44e47bafd3ac8d6a67ca4e899e89a9fba8eb

              SHA512

              a885bcd474e2243e91eee34b4c314043b7f73756c9b6daa908fb3343c95b2057a1f69d521645574ba61a55018f2018c7eae90da9b13fcc7ddf42c61646caac49

            • C:\Users\Admin\AppData\Local\Temp\tymib.exe

              Filesize

              453KB

              MD5

              9b8aed63feb8b65ea8764deb3128aac5

              SHA1

              fca27336de0b5c06523d82788b46395fc1d42381

              SHA256

              1e4c90eeb1f9b5044460d9d64076c39541992c332a7bd39773850b1ff8abd0d4

              SHA512

              a5ea00825976ced039bd81afdb3db588571917d49851ebc00f7f5a173964092714e5ce4c297c6783201864355031abe557217c817fab3b79bd0c15dd43910ecd

            • C:\Users\Admin\AppData\Local\Temp\wadag.exe

              Filesize

              223KB

              MD5

              61a15fc8654559aa3182464ea09b9454

              SHA1

              40883e4bcf63a1a55d5fb5f3aba2f426961394df

              SHA256

              9f05d5f35f91d1680e8a0fdd7960b18965f6aabaeca960f67bdb5c8cda939bdb

              SHA512

              13a12d15d9516c112d17342d560ed7590649f329a54912388bf2c13ca894c45f094136e3bda5245d9812b237e0dd5d2612c63b126de0e3468f209511193a8b02

            • memory/864-25-0x0000000000400000-0x000000000046E000-memory.dmp

              Filesize

              440KB

            • memory/864-40-0x0000000000400000-0x000000000046E000-memory.dmp

              Filesize

              440KB

            • memory/1032-15-0x0000000000400000-0x000000000046E000-memory.dmp

              Filesize

              440KB

            • memory/1032-0-0x0000000000400000-0x000000000046E000-memory.dmp

              Filesize

              440KB

            • memory/3044-24-0x0000000000400000-0x000000000046E000-memory.dmp

              Filesize

              440KB

            • memory/5060-38-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

              Filesize

              4KB

            • memory/5060-36-0x0000000000390000-0x0000000000430000-memory.dmp

              Filesize

              640KB

            • memory/5060-42-0x0000000000390000-0x0000000000430000-memory.dmp

              Filesize

              640KB

            • memory/5060-43-0x0000000000390000-0x0000000000430000-memory.dmp

              Filesize

              640KB

            • memory/5060-44-0x0000000000390000-0x0000000000430000-memory.dmp

              Filesize

              640KB

            • memory/5060-45-0x0000000000390000-0x0000000000430000-memory.dmp

              Filesize

              640KB

            • memory/5060-46-0x0000000000390000-0x0000000000430000-memory.dmp

              Filesize

              640KB
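The process tree and the Downloads list above give everything needed for a host-side IOC match: the SHA256 of the submitted sample and of the three dropped executables, the `%TEMP%` drop names (`tymib.exe` run with `hi`, `ipfaju.exe` run with `OK`), the `cmd.exe /c ""..._vslite.bat" "` launch, the `golfinfo.ini` / `_vslite.bat` artifacts, and the two C2 addresses. The matcher below is an added example, not part of the sandbox report or of any vendor tooling. It assumes Sysmon-style event fields (Image, CommandLine, ParentImage, Hashes, DestinationIp, TargetFilename); the event records it scans are constructed for the example, while the hashes, paths and IPs are the ones the report lists. The `hi`/`OK` stage arguments are taken from this single run and may differ between samples.

```python
"""IOC matcher built from the Urelas sandbox report above.

Flags Sysmon-style process-creation, network-connection and file-creation
events that match the drop chain: known-bad SHA256 values, a %TEMP% child
launched by a %TEMP% parent with the stage argument, cmd.exe running a .bat
from %TEMP%, the dropped file names, and the two C2 addresses.
The SAMPLE_EVENTS records are constructed for this example (assumption);
the hashes, paths and IPs come from the report.
"""
import re
from dataclasses import dataclass

# SHA256 of the submitted sample and the dropped executables (from the report).
BAD_SHA256 = {
    "92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25",  # submitted sample
    "1e4c90eeb1f9b5044460d9d64076c39541992c332a7bd39773850b1ff8abd0d4",  # tymib.exe
    "98da8b4fdeb1519f240efd17142d44e47bafd3ac8d6a67ca4e899e89a9fba8eb",  # ipfaju.exe
    "9f05d5f35f91d1680e8a0fdd7960b18965f6aabaeca960f67bdb5c8cda939bdb",  # wadag.exe
}
C2_IPS = {"218.54.31.165", "218.54.31.226"}          # extracted C2 config
DROP_NAMES = {"_vslite.bat", "golfinfo.ini"}          # non-PE artifacts in %TEMP%

# A per-user Temp path such as C:\Users\Admin\AppData\Local\Temp\.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Stage arguments seen in the tree: tymib.exe "hi", ipfaju.exe "OK".
STAGE_ARG_RE = re.compile(r'^"[^"]+\.exe" (hi|OK)$')
# cmd.exe /c ""C:\...\Temp\_vslite.bat" "  (note the doubled quotes).
BAT_RE = re.compile(r'cmd\.exe /c ""?([a-z]:\\[^"]+\\temp\\[^"\\]+\.bat)"', re.I)


@dataclass
class Event:
    kind: str                 # "process", "network" or "file"
    image: str = ""           # Sysmon Image
    cmdline: str = ""         # Sysmon CommandLine
    parent_image: str = ""    # Sysmon ParentImage
    sha256: str = ""          # SHA256 taken from the Hashes field
    dest_ip: str = ""         # Sysmon DestinationIp
    target: str = ""          # Sysmon TargetFilename


def sha256_from_hashes(hashes_field: str) -> str:
    """Pull the SHA256 out of a Sysmon Hashes field ('MD5=..,SHA256=..,IMPHASH=..')."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def match(ev: Event) -> list[str]:
    """Return the names of every rule the event trips (empty list if clean)."""
    hits: list[str] = []
    if ev.kind == "process":
        if ev.sha256.lower() in BAD_SHA256:
            hits.append("known-bad-hash")
        # Second/third stage: a %TEMP% executable started by a %TEMP% parent with the stage arg.
        if TEMP_RE.match(ev.image) and STAGE_ARG_RE.match(ev.cmdline) and TEMP_RE.match(ev.parent_image):
            hits.append("temp-drop-chain")
        # Each stage hands a batch file in %TEMP% to cmd.exe.
        if BAT_RE.search(ev.cmdline) and ev.image.lower().endswith("\\cmd.exe") and TEMP_RE.match(ev.parent_image):
            hits.append("cmd-temp-bat")
    elif ev.kind == "network" and ev.dest_ip in C2_IPS:
        hits.append("urelas-c2")
    elif ev.kind == "file":
        name = ev.target.rsplit("\\", 1)[-1].lower()
        if name in DROP_NAMES and TEMP_RE.match(ev.target):
            hits.append("urelas-drop-file")
    return hits


def scan(events: list[Event]) -> list[tuple[int, list[str]]]:
    """(index, hits) for every event that matched at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := match(ev))]


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed events mirroring the report's process tree (not real telemetry).
SAMPLE_EVENTS = [
    Event("process", image=TEMP + r"\tymib.exe", cmdline='"' + TEMP + r'\tymib.exe" hi',
          parent_image=TEMP + r"\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe",
          sha256=sha256_from_hashes("MD5=9b8aed63feb8b65ea8764deb3128aac5,"
                                    "SHA256=1E4C90EEB1F9B5044460D9D64076C39541992C332A7BD39773850B1FF8ABD0D4")),
    Event("process", image=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\_vslite.bat" "',
          parent_image=TEMP + r"\ipfaju.exe"),
    Event("network", image=TEMP + r"\wadag.exe", dest_ip="218.54.31.226"),
    Event("file", image=TEMP + r"\ipfaju.exe", target=TEMP + r"\golfinfo.ini"),
    # Benign control: notepad started by explorer, hash not in the set.
    Event("process", image=r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe",
          parent_image=r"C:\Windows\explorer.exe", sha256="0" * 64),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].kind, hits)
```

The hash rule is exact and brittle (a rebuilt dropper changes every hash), so the behavioural rules carry the hunting value: a `%TEMP%` executable spawning another `%TEMP%` executable with a one-word argument, and `cmd.exe` launched by a `%TEMP%` process to run a `.bat` from the same directory, are rare in normal user activity and survive re-packing. The `temp-drop-chain` rule deliberately keys on the child's parent also living in `%TEMP%`, because in the wild the first stage runs from wherever the user saved it, not from `%TEMP%` as the sandbox placed it.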