Analysis

  • max time kernel
    148s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
  • submitted
    16/03/2024, 22:50

General

  • Target

    cf45b2e62fb61b7f2757cf2d1beb08a6.exe

  • Size

    1.1MB

  • MD5

    cf45b2e62fb61b7f2757cf2d1beb08a6

  • SHA1

    4d8223aea1671969511f00dca8bf4569753fd8f2

  • SHA256

    af464d9f2c1bb1caf81f3cb1dc3d67c7d577fdca066d0c650b995c54e9d74e70

  • SHA512

    aca24448c04e3917525ca1aa0b50193feaabeb409d164f427be44ea37c1b813ae7b4d1622d152828df92927b65bd2d05aac95c76b99ba155fc0716ea1656050a

  • SSDEEP

    12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Yh:tcykpY5852j6aJGl5cqBQ

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf45b2e62fb61b7f2757cf2d1beb08a6.exe
    "C:\Users\Admin\AppData\Local\Temp\cf45b2e62fb61b7f2757cf2d1beb08a6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Users\Admin\AppData\Local\Temp\joyfv.exe
      "C:\Users\Admin\AppData\Local\Temp\joyfv.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\jirodo.exe
        "C:\Users\Admin\AppData\Local\Temp\jirodo.exe" OK
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Users\Admin\AppData\Local\Temp\juzol.exe
          "C:\Users\Admin\AppData\Local\Temp\juzol.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:292
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
            PID:2504
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        2⤵
        • Deletes itself
        PID:2476

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

            Filesize

            224B

            MD5

            48ff01f7b66b7b85248117aa627359b4

            SHA1

            968ab16d95eb4dc6ac5863a8868a652b78015e61

            SHA256

            303a26b3e5398ced0eaa717cbe5d1aa73d7fba78e24145173463969686548059

            SHA512

            922b7d665cfdac62463e36a732119c649bf3ba1d40495e457362df17978c23914f6d47351cf9286d9260e7b5fd370b0676c238181f5681d191c0dcfd49dcfcf9

          • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

            Filesize

            276B

            MD5

            94af0bedc86fabfb20a3ac847dbc48fe

            SHA1

            aae6b2f051fd7a13dbde66b6d4823ea6d8b8c154

            SHA256

            7bae0ce2061162e445660ee0454ccdd5e8e5aab39ab213ef74287135d46b77df

            SHA512

            2d2c80174c4a281ffb8686e808f24fa1a6ee7283bfe7c32f8506b84bb9c0aa611ba3c404945fb1031a3704e2dff784d48704103d0596085072544d4b28963b95

          • C:\Users\Admin\AppData\Local\Temp\gbp.ini

            Filesize

            104B

            MD5

            dbef593bccc2049f860f718cd6fec321

            SHA1

            e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

            SHA256

            30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

            SHA512

            3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

          • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

            Filesize

            512B

            MD5

            631a185b769cb4bdf45a58d813301eb0

            SHA1

            3cb647176f9e53be55d08f21999adbc924153c4e

            SHA256

            12369188820b2923beca0771dea9f539ac2e27bb4745d9083eb733a3a2eb3799

            SHA512

            37e50e60659df586080e126d49e412f908931eda58a4e95878ea2e9efc851460145d53c889aec9016d2653e4742709624b10b698da60eb3b9db510d840927e12

          • C:\Users\Admin\AppData\Local\Temp\juzol.exe

            Filesize

            459KB

            MD5

            878fad572893a0d39105db1311a6f1ad

            SHA1

            1a3e05fe236cf12f9ea7aecc790f28bc677ec2e7

            SHA256

            f2b2371d2cfeb5604e3b17545ef5e8e9d7525c60a2287fb0225a21f855e2f107

            SHA512

            0749e433191218242f5bd5aa4fa4da62016fe6debe46576157370f1740209c455c91b9ec44cd646b797cf44e10556e09035625ee73d6149fe8708ec2415ee743

          • \Users\Admin\AppData\Local\Temp\joyfv.exe

            Filesize

            64KB

            MD5

            973b29841de25f207b530337264cf6f2

            SHA1

            8b388d50370c2d811d906a116d74f7e1bef508e3

            SHA256

            695caedf41fc24f0bba407d4aaa9799b3d6ff74853d3d4c1d913e4f5c2995721

            SHA512

            c4643bf47c6223fbf1dbf7f3318ef01666b4cdb8d12cf10e14e879bd3c2144ee25cf65f0980148b60e340db4bd501ba039a626eb219afc96952fd0c8e8daa3ea

          • \Users\Admin\AppData\Local\Temp\joyfv.exe

            Filesize

            1.1MB

            MD5

            ea985d70a6187270f676151b533816dc

            SHA1

            72ca94cc4431a8d466db70002cdc408630cfd694

            SHA256

            40e5b437c904b825f7a60a4fef6035cd9b74dbe23857003f87c9f08cbec42498

            SHA512

            7940d27fd2975ed2e1276de27e4f2f0248dac245575753f07e41a07693024eb213087805a8a3e0272ce5c49d143e4ba11690ea68cb864726003d2754d74bd3fe

          • memory/292-62-0x00000000003B0000-0x00000000003B1000-memory.dmp

            Filesize

            4KB

          • memory/292-59-0x0000000000400000-0x0000000000599000-memory.dmp

            Filesize

            1.6MB

          • memory/292-54-0x0000000000400000-0x0000000000599000-memory.dmp

            Filesize

            1.6MB

          • memory/292-55-0x00000000003B0000-0x00000000003B1000-memory.dmp

            Filesize

            4KB

          • memory/1244-34-0x0000000003750000-0x0000000003874000-memory.dmp

            Filesize

            1.1MB

          • memory/1244-33-0x0000000000400000-0x0000000000524000-memory.dmp

            Filesize

            1.1MB

          • memory/1244-22-0x0000000000400000-0x0000000000524000-memory.dmp

            Filesize

            1.1MB

          • memory/2772-36-0x0000000000400000-0x0000000000524000-memory.dmp

            Filesize

            1.1MB

          • memory/2772-52-0x0000000000400000-0x0000000000524000-memory.dmp

            Filesize

            1.1MB

          • memory/2772-53-0x0000000003DE0000-0x0000000003F79000-memory.dmp

            Filesize

            1.6MB

          • memory/2772-61-0x0000000003DE0000-0x0000000003F79000-memory.dmp

            Filesize

            1.6MB

          • memory/2836-2-0x0000000000400000-0x0000000000524000-memory.dmp

            Filesize

            1.1MB

          • memory/2836-12-0x0000000002FE0000-0x0000000003104000-memory.dmp

            Filesize

            1.1MB

          • memory/2836-21-0x0000000000400000-0x0000000000524000-memory.dmp

            Filesize

            1.1MB
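The report gives a usable indicator set: two C2 addresses (Malware Config), SHA256 values for the submitted sample and every dropped file (General and Downloads), and a recognisable process shape (Processes: a Temp executable spawning further Temp executables, then `cmd /c` running a Temp `.bat`, which is where the "Deletes itself" signature fires). The script below turns those into hunting rules and runs them over constructed endpoint events that mirror the process tree. It is an added example, not part of the sandbox output; the event format (`type`, `pid`, `image`, `cmdline`, `parent_image`, `sha256`, `dest_ip`), the severity labels, the parent of the submitted sample, the benign noise events and the choice of which PID beacons are assumptions, since the report does not state them.

```python
"""IOC hunt for the Urelas report above, run over constructed endpoint events.

Added example, not part of the sandbox report. Indicator values are copied
from the report; the event records, their field names (type, pid, image,
cmdline, parent_image, sha256, dest_ip) and the severity labels are
constructed/assumed here for illustration.
"""
import re

# C2 addresses from the report's Malware Config section.
C2_IPS = {"218.54.31.165", "218.54.31.226"}

# SHA256 values from the report's General and Downloads sections.
# joyfv.exe and _vslite.bat each appear twice with different content.
SHA256_IOCS = {
    "af464d9f2c1bb1caf81f3cb1dc3d67c7d577fdca066d0c650b995c54e9d74e70": "cf45b2e62fb61b7f2757cf2d1beb08a6.exe (submitted sample)",
    "695caedf41fc24f0bba407d4aaa9799b3d6ff74853d3d4c1d913e4f5c2995721": "joyfv.exe (64KB)",
    "40e5b437c904b825f7a60a4fef6035cd9b74dbe23857003f87c9f08cbec42498": "joyfv.exe (1.1MB)",
    "f2b2371d2cfeb5604e3b17545ef5e8e9d7525c60a2287fb0225a21f855e2f107": "juzol.exe",
    "303a26b3e5398ced0eaa717cbe5d1aa73d7fba78e24145173463969686548059": "_vslite.bat (224B)",
    "7bae0ce2061162e445660ee0454ccdd5e8e5aab39ab213ef74287135d46b77df": "_vslite.bat (276B)",
    "30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a": "gbp.ini",
    "12369188820b2923beca0771dea9f539ac2e27bb4745d9083eb733a3a2eb3799": "golfinfo.ini",
}

# Dropped-file names from the Processes/Downloads sections. The .exe names
# look generated, so a name match alone is only a low-confidence signal.
DROPPED_NAMES = {"joyfv.exe", "jirodo.exe", "juzol.exe", "_vslite.bat", "gbp.ini", "golfinfo.ini"}

TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# Matches  cmd /c ""<path>.bat" "  as written in the report's process tree.
CMD_BAT_RE = re.compile(r'^cmd(?:\.exe)?\s+/c\s+"*(?P<bat>[^"]+?\.bat)"*', re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_temp(path):
    return bool(TEMP_RE.search(path))


def check_process(ev):
    """Return (severity, reason) pairs for one process-creation event."""
    hits = []
    image, parent = ev["image"], ev.get("parent_image", "")
    sha = ev.get("sha256", "").lower()
    if sha in SHA256_IOCS:
        hits.append(("high", "known hash: " + SHA256_IOCS[sha]))
    if _basename(image) in DROPPED_NAMES and _in_temp(image):
        hits.append(("low", "dropped-file name in Temp: " + _basename(image)))
    # Temp executable launched by another Temp executable: the report's
    # cf45...exe -> joyfv.exe -> jirodo.exe -> juzol.exe chain.
    if image.lower().endswith(".exe") and _in_temp(image) and _in_temp(parent):
        hits.append(("medium", "Temp executable spawned by Temp executable"))
    # Temp executable running a Temp .bat through cmd /c: the shape of the
    # report's "Deletes itself" step (cmd.exe executing _vslite.bat).
    m = CMD_BAT_RE.match(ev.get("cmdline", ""))
    if m and _in_temp(m.group("bat")) and _in_temp(parent):
        hits.append(("medium", "Temp executable ran %s via cmd /c" % _basename(m.group("bat"))))
    return hits


def check_network(ev):
    """Return (severity, reason) pairs for one outbound-connection event."""
    if ev.get("dest_ip") in C2_IPS:
        return [("high", "connection to Urelas C2 " + ev["dest_ip"])]
    return []


def hunt(events):
    """Return [(severity, pid, reason)] for every indicator hit in events."""
    out = []
    for ev in events:
        checker = check_process if ev["type"] == "process" else check_network
        out.extend((sev, ev["pid"], reason) for sev, reason in checker(ev))
    return out


# Constructed telemetry mirroring the report's process tree. The parent of
# the submitted sample, the notepad/203.0.113.5 noise and which PID beacons
# are assumptions; the report does not state them.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\cf45b2e62fb61b7f2757cf2d1beb08a6.exe"
BAT_CMD = 'cmd /c ""' + TEMP + r'\_vslite.bat" "'
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2836, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "af464d9f2c1bb1caf81f3cb1dc3d67c7d577fdca066d0c650b995c54e9d74e70"},
    {"type": "process", "pid": 1244, "image": TEMP + r"\joyfv.exe", "cmdline": '"%s\\joyfv.exe"' % TEMP,
     "parent_image": SAMPLE,
     "sha256": "695caedf41fc24f0bba407d4aaa9799b3d6ff74853d3d4c1d913e4f5c2995721"},
    {"type": "process", "pid": 2772, "image": TEMP + r"\jirodo.exe",
     "cmdline": '"%s\\jirodo.exe" OK' % TEMP, "parent_image": TEMP + r"\joyfv.exe"},
    {"type": "process", "pid": 292, "image": TEMP + r"\juzol.exe", "cmdline": '"%s\\juzol.exe"' % TEMP,
     "parent_image": TEMP + r"\jirodo.exe",
     "sha256": "f2b2371d2cfeb5604e3b17545ef5e8e9d7525c60a2287fb0225a21f855e2f107"},
    {"type": "process", "pid": 2504, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": BAT_CMD,
     "parent_image": TEMP + r"\jirodo.exe"},
    {"type": "process", "pid": 2476, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": BAT_CMD,
     "parent_image": TEMP + r"\joyfv.exe"},
    {"type": "process", "pid": 4000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network", "pid": 292, "dest_ip": "218.54.31.165", "dest_port": 80},
    {"type": "network", "pid": 4000, "dest_ip": "203.0.113.5", "dest_port": 443},
]

if __name__ == "__main__":
    for sev, pid, reason in hunt(SAMPLE_EVENTS):
        print("[%-6s] pid %-5d %s" % (sev, pid, reason))
```

Hash matching is exact, so both joyfv.exe and both _vslite.bat variants need their own entry, and the UPX signature in the report is a reminder that a repacked build changes every file hash; that is why the two process-shape rules (Temp-spawns-Temp, and `cmd /c` on a Temp batch file from a Temp parent) carry most of the weight here, with the C2 addresses as the second durable signal.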