Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    16/03/2024, 22:35

General

  • Target

    9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe

  • Size

    158KB

  • MD5

    49b3eb1ff407bfcb643629dc760aec7d

  • SHA1

    a5fcc5d88070f44bb5e390caa85a21fa575c60db

  • SHA256

    9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08

  • SHA512

    e28c82755131c7d5a496b18ec0a5457f25589a5a570b102d8d12a3d633ebce9853a260f3a811b56412d110ced486cb9abba96a5cdf5701a6b23ebc3d8c416587

  • SSDEEP

    1536:8iVlUPlfHeARjOsOAe2zBN7lE4U1sgzAom8JsuPIclSXsWjcdd6YGJYwYcl:nVlUPZRxfxE9Vs5cfdd6YGGIl

Score
10/10

Malware Config

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe
    "C:\Users\Admin\AppData\Local\Temp\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      PID:2956
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • Deletes itself
      PID:2568
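
The process tree above shows the two behaviours the signatures flag: the sample, running from the user's Temp directory, launches a second executable it dropped into the same directory (biudfw.exe, the same 158KB size as the sample but with different hashes) and a cmd.exe that runs a dropped batch file (sanfdr.bat) which deletes the original. The following is an added hunting example, not part of the sandbox report and not code from the sample: it encodes those two relationships as rules over process-creation events. The PIDs, image paths and command lines are taken from the tree above; the event structure (Sysmon Event ID 1 style pid/ppid/image/cmdline), the parent PID 1000 of the sample and the benign control event are constructed for the example.

```python
"""Hunt for the "run dropped sibling EXE" and "cmd /c <own dir>\\x.bat" pattern
seen in the Urelas process tree. Example code, not from the report or the sample."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / EDR equivalent). Constructed shape."""
    pid: int
    ppid: int
    image: str    # full path of the new process image
    cmdline: str  # command line as recorded by the sensor


# Per-user temp directory; matched case-insensitively on the directory part only.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp(\\|$)", re.IGNORECASE)
# First absolute .bat/.cmd path in a command line; tolerates the doubled quotes
# cmd.exe shows in the report: cmd /c ""C:\...\sanfdr.bat" "
BATCH_PATH_RE = re.compile(r'([A-Za-z]:\\[^"<>|]+?\.(?:bat|cmd))\b', re.IGNORECASE)


def in_user_temp(path: str) -> bool:
    """True if the file lives directly under a user's AppData\\Local\\Temp."""
    return bool(TEMP_DIR_RE.search(ntpath.dirname(path)))


def batch_path(cmdline: str) -> Optional[str]:
    """Extract the batch-file path a cmd.exe command line runs, if any."""
    m = BATCH_PATH_RE.search(cmdline)
    return m.group(1) if m else None


def hunt(events: List[ProcEvent]) -> List[Tuple[str, int, int, str]]:
    """Return (rule, parent_pid, child_pid, artefact) for every suspicious child
    of a process that is itself running from the user's Temp directory."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not in_user_temp(parent.image):
            continue  # only children of a %TEMP%-resident process are of interest
        parent_dir = ntpath.dirname(parent.image).lower()
        child_name = ntpath.basename(e.image).lower()
        if child_name == "cmd.exe":
            # Rule 1: Temp-resident EXE spawns cmd.exe on a batch file in its own
            # directory: the usual self-deletion helper ("Deletes itself").
            bat = batch_path(e.cmdline)
            if bat and ntpath.dirname(bat).lower() == parent_dir:
                findings.append(("temp_exe_runs_batch_in_own_dir", parent.pid, e.pid, bat))
        elif (in_user_temp(e.image)
              and ntpath.dirname(e.image).lower() == parent_dir
              and e.image.lower() != parent.image.lower()):
            # Rule 2: Temp-resident EXE launches a different EXE from the same
            # directory ("Executes dropped EXE").
            findings.append(("temp_exe_executes_sibling_exe", parent.pid, e.pid, e.image))
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe")

# Constructed events mirroring the report's process tree. PPID 1000 stands in for
# whatever launched the sample; the last event is a benign control.
EVENTS = [
    ProcEvent(2992, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2956, 2992, r"C:\Users\Admin\AppData\Local\Temp\biudfw.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"'),
    ProcEvent(2568, 2992, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'),
    ProcEvent(3100, 1000, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Scripts\backup.bat"'),
]

if __name__ == "__main__":
    for rule, ppid, pid, artefact in hunt(EVENTS):
        print(f"{rule}: parent PID {ppid} -> PID {pid} ({artefact})")
```

Run stand-alone it reports exactly the two parent/child pairs under PID 2992 and stays silent on the control cmd.exe, because that one has no Temp-resident parent in the event set. Rule 1 fires when the batch file shares the parent's directory rather than on any cmd.exe child, which keeps installers that run a batch from Program Files out of the results; if you feed it real telemetry, expect to allow-list updaters that legitimately stage and run helpers from Temp.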

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          a250860c0687ed9dda488805c025a2d2

          SHA1

          0c181ed3b46463d35631ca169f0928c33a1da389

          SHA256

          3947c34dfc780b424a3207c6ebe12f667bcb839733107f7a94fe495ec705cb37

          SHA512

          0286fcd24203ef574c9fc37200e4b0e65d58296162aa89b5424ab48b814bd237e609ab7eaf42a69bdad2ab6414bfbbfaec4757e28b29c69752e0e65a653f665a

        • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

          Filesize

          338B

          MD5

          868e95bbc0c9998d8dfe3e1f80431636

          SHA1

          06cf6850d8448eb5b2ef1333a724881813322165

          SHA256

          e46e57c26b2079a85858b9e44b98e4efb6d3bfcea2c54f7e912aa8346ee9de4c

          SHA512

          209468d8fb982a21b02da9dadfadc2406b247aee2998de57f0e3ed7a3520936683f1a880cd38b749404750298b74cc3efb53ba4c3f3ffe881156924c9ad495e3

        • \Users\Admin\AppData\Local\Temp\biudfw.exe

          Filesize

          158KB

          MD5

          6b134de347829004a74ab81d52d64b69

          SHA1

          ed2b4aa0ac81ef6e85dc6ade7b8ec88db2869e5a

          SHA256

          2580e02f2dcb893fcd5389a8cd73c8269de1844254cf914b357f83340703733d

          SHA512

          839e84b4e1d105df724ecb47ec9596f0efc430e823a449df6d9578c8b1964a62b0ee3c62a7254330da7a35eb2ba987353739d5e898564905281bee92bd02ed91