Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/03/2024, 22:22

General

  • Target

    cf389a6edfd132de5bfeb2deb343d5e2.exe

  • Size

    401KB

  • MD5

    cf389a6edfd132de5bfeb2deb343d5e2

  • SHA1

    42a47204b264bf4c1bc00f38fb8a9b345dc40028

  • SHA256

    614c3bbd21decd89fa9045ef7960de748ddd0ab3574645441ca014f81e1002d9

  • SHA512

    92044df4ae0004069efe3ac598ad3dcc4414d5c4736143398200499d44c6402e0728dfcb8a9593a6f8e14ce96a9ac9f774451ae509a5d2eda724bbc523c9cfbd

  • SSDEEP

    6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohCR:8IfBoDWoyFblU6hAJQnOC

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe
    "C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Users\Admin\AppData\Local\Temp\axrot.exe
      "C:\Users\Admin\AppData\Local\Temp\axrot.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Local\Temp\ukfooh.exe
        "C:\Users\Admin\AppData\Local\Temp\ukfooh.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Users\Admin\AppData\Local\Temp\moeqo.exe
          "C:\Users\Admin\AppData\Local\Temp\moeqo.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1388
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          PID:1732
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        2⤵
        PID:1372

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

              Filesize

              276B

              MD5

              f0a542051f587925e773aed510551c0a

              SHA1

              bd0f7fe15646e1bb9b381ce964be431b56c83189

              SHA256

              ab4e945db38780543ff3997c5e9e5e2c58e974caf1f8c8e540897208d1991f90

              SHA512

              c9109665f93150eb7eebc895c0ad5357500f3c8707cd5d50a9548a732e15bb9efa948570e4f72c80ccf8a0ddb152f8972a7e202ada6faf05c1f877ce8c6dcc26

            • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

              Filesize

              224B

              MD5

              5a29d1f10053285c2d1f60faae33dfe2

              SHA1

              6baab06febca88249ee6e9a8a5e644961dd5b834

              SHA256

              59971e8d793ae473e572e6cf6cbd1d39594bbb28c18ac6ea4e452bdf243e3f4f

              SHA512

              5d7cbbcb9da7d02a84a4afd67bf0a93410e94aa50d7fde96478aacb4bdad9085ff3ec7435777e090ce4a399d8c9dccbd9e97c4d64eb7c47b6f5075924ec62998

            • C:\Users\Admin\AppData\Local\Temp\axrot.exe

              Filesize

              401KB

              MD5

              f2dd01151aac9dec5c94e0915854d166

              SHA1

              36df3452129b5c3fd834f307a53930867648f97b

              SHA256

              8f89a44e9800457ea0ff0724a17bfe52a0796797f70ea5cbe4188830c9345bb5

              SHA512

              ec102f17a6d90832ff3e3f9c1a91255e58f4a9753afcf683b15a5f79404b16d7cec5b28a308f598dba1f9df8f9ab853928b87e394c3f3dbb97715fce729d98ad

            • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

              Filesize

              512B

              MD5

              153b993f7150d69b54d15d6e043f5ab2

              SHA1

              b46e2c96c8af461bb4bd9613bd5c91aff7c60285

              SHA256

              f12543d9c55ccd4a62246dfb9fa5537b117d5c509cd199d505498ea0950bf7c0

              SHA512

              014f5db1efb4254053e6657d4462f7eaa586ec47e17c68d6c6c5b2f37fa265bd20a4e19924bc96c3f1c6a5bfd5bf104920b45d043fa258a35d7a01591bcd6cbe

            • C:\Users\Admin\AppData\Local\Temp\moeqo.exe

              Filesize

              223KB

              MD5

              0596b7e46278d25cfd1c98793f258fc1

              SHA1

              6d92961907b41ad0354e1fd1ade0f3433d5a5e11

              SHA256

              927ec232b92f27231c62cb865334a2aed934c67cfba606e3e6c66fce229d4c7f

              SHA512

              277af5f06be1743ce23734a95cdf760e50aade670be6778400c1f35231f69deff5dd984582ec737b147c4b72faebb5c39be276b29844ae6cb415753df0701f7d

            • C:\Users\Admin\AppData\Local\Temp\ukfooh.exe

              Filesize

              401KB

              MD5

              e77d27b9eae260ff545524c162422c90

              SHA1

              63d310c0ae42e1972e8037fa29834aa26d49b6da

              SHA256

              b8feb420b237fb0fdde21edc85bf6331fccad5b74c361f635e1a939a85c90106

              SHA512

              471fd5b23c562e271d03a2f6a3f005bd0025a4c402ab7e674c20fdbd478043a3dfc314c5c809e496b78916b2fea3f595c42d7dee955328a4502fd83731491e2b

            • memory/224-16-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB

            • memory/224-0-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB

            • memory/1388-44-0x0000000000F40000-0x0000000000FE0000-memory.dmp

              Filesize

              640KB

            • memory/1388-46-0x0000000000F40000-0x0000000000FE0000-memory.dmp

              Filesize

              640KB

            • memory/1388-45-0x0000000000F40000-0x0000000000FE0000-memory.dmp

              Filesize

              640KB

            • memory/1388-37-0x0000000000F40000-0x0000000000FE0000-memory.dmp

              Filesize

              640KB

            • memory/1388-39-0x0000000000150000-0x0000000000151000-memory.dmp

              Filesize

              4KB

            • memory/1388-47-0x0000000000F40000-0x0000000000FE0000-memory.dmp

              Filesize

              640KB

            • memory/1388-43-0x0000000000F40000-0x0000000000FE0000-memory.dmp

              Filesize

              640KB

            • memory/1532-40-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB

            • memory/1532-26-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB

            • memory/1756-25-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB

            • memory/1756-10-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB