Analysis

  • max time kernel
    157s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/03/2024, 22:50

General

  • Target

    cf45b2e62fb61b7f2757cf2d1beb08a6.exe

  • Size

    1.1MB

  • MD5

    cf45b2e62fb61b7f2757cf2d1beb08a6

  • SHA1

    4d8223aea1671969511f00dca8bf4569753fd8f2

  • SHA256

    af464d9f2c1bb1caf81f3cb1dc3d67c7d577fdca066d0c650b995c54e9d74e70

  • SHA512

    aca24448c04e3917525ca1aa0b50193feaabeb409d164f427be44ea37c1b813ae7b4d1622d152828df92927b65bd2d05aac95c76b99ba155fc0716ea1656050a

  • SSDEEP

    12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Yh:tcykpY5852j6aJGl5cqBQ

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (3 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (24 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf45b2e62fb61b7f2757cf2d1beb08a6.exe
    "C:\Users\Admin\AppData\Local\Temp\cf45b2e62fb61b7f2757cf2d1beb08a6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Local\Temp\bapea.exe
      "C:\Users\Admin\AppData\Local\Temp\bapea.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Users\Admin\AppData\Local\Temp\ryelru.exe
        "C:\Users\Admin\AppData\Local\Temp\ryelru.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3812
        • C:\Users\Admin\AppData\Local\Temp\ejxuk.exe
          "C:\Users\Admin\AppData\Local\Temp\ejxuk.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3964
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
            PID:4728
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        2⤵
          PID:4468

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

              Filesize

              276B

              MD5

              94af0bedc86fabfb20a3ac847dbc48fe

              SHA1

              aae6b2f051fd7a13dbde66b6d4823ea6d8b8c154

              SHA256

              7bae0ce2061162e445660ee0454ccdd5e8e5aab39ab213ef74287135d46b77df

              SHA512

              2d2c80174c4a281ffb8686e808f24fa1a6ee7283bfe7c32f8506b84bb9c0aa611ba3c404945fb1031a3704e2dff784d48704103d0596085072544d4b28963b95

            • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

              Filesize

              224B

              MD5

              d706183367d32130c7f086ac59ffaa26

              SHA1

              8aa08ef5db34905f51d8094fd012d75dfb6b3bc3

              SHA256

              fa1c12dfe14bb2a499446bc1cc88d135f38315de3f0f3b993b62755dc6a91c3d

              SHA512

              ce42d1275f46f016d2593ba48ab1a811d3edf5f913193fe26f4ea9e5381422afcea192823fb76b129cd20c3f50a87817b807616765c483322cf310cb43ceec8c

            • C:\Users\Admin\AppData\Local\Temp\bapea.exe

              Filesize

              1.1MB

              MD5

              433bf3f9b8f05aeb15ca57973814dc65

              SHA1

              9426861f8fd6fd68b23ce037a713ce4f7ad3fe56

              SHA256

              14d40da44766ea30a415967986f308f91d8e3973b3a6e76f9039c0911ac52d36

              SHA512

              722741bec5cf964114112cc27de7045c9de0e5b4c6755cdedafe3d6061c88fc796c5cd6a77b4589c3a0bec02a576726ef2c02b525fd16b7f42de2ec208011003

            • C:\Users\Admin\AppData\Local\Temp\ejxuk.exe

              Filesize

              459KB

              MD5

              ae440e2dc7019b42193400e93e3518fb

              SHA1

              06463df1899e18a7be82ec1175df539061471076

              SHA256

              d651f9dd590548785e15a506dd34758597fabd38087910999ee7aae4b9afeaab

              SHA512

              4eb2eb7e3c68a2a42a165697086480561b7635915830bee6214611f878b60c1f95a3a8f43d8648ce9872224fcee2588b87475a4206c5e06a7d6ea970331f4452

            • C:\Users\Admin\AppData\Local\Temp\gbp.ini

              Filesize

              104B

              MD5

              dbef593bccc2049f860f718cd6fec321

              SHA1

              e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

              SHA256

              30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

              SHA512

              3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

            • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

              Filesize

              512B

              MD5

              f4bebc8008becd98fe31bd373af1d9e3

              SHA1

              95ea7fe44330caa7451a0c58776caa51d58cf8a2

              SHA256

              76ef04bee62deb52b1cb3257063be126d8a0330808ab655bede16bc86e968568

              SHA512

              d14b812fa6a01a48a80ca84115ccd2a9d462bda5197b3c06d8147af24ad9b9af0aa980b8cd89f116e700c051776b37c1c16317499975199ba2c3232b78a7c1d3

            • C:\Users\Admin\AppData\Local\Temp\ryelru.exe

              Filesize

              960KB

              MD5

              8764e3fd48076d45b90f239ed75b4884

              SHA1

              c6d655af1f983c6a4b549c1451f2f8336db5a555

              SHA256

              18b60040282f75f5328099fe9f1f1b5fa17bd1932521ccc50544b49a9342b325

              SHA512

              cd8deca6143a6c15a0d9fba81d153d95ea3e7a00511d242ce50ed015bd6f9c598269bc00a93d058148e27259ebbda31816ccf4665d7a358f4c0982ddbd1816a8

            • memory/3116-0-0x0000000000400000-0x0000000000524000-memory.dmp

              Filesize

              1.1MB

            • memory/3116-15-0x0000000000400000-0x0000000000524000-memory.dmp

              Filesize

              1.1MB

            • memory/3812-25-0x0000000000400000-0x0000000000524000-memory.dmp

              Filesize

              1.1MB

            • memory/3812-39-0x0000000000400000-0x0000000000524000-memory.dmp

              Filesize

              1.1MB

            • memory/3964-40-0x00000000024E0000-0x00000000024E1000-memory.dmp

              Filesize

              4KB

            • memory/3964-37-0x0000000000400000-0x0000000000599000-memory.dmp

              Filesize

              1.6MB

            • memory/3964-43-0x0000000000400000-0x0000000000599000-memory.dmp

              Filesize

              1.6MB

            • memory/3964-45-0x00000000024E0000-0x00000000024E1000-memory.dmp

              Filesize

              4KB

            • memory/4744-24-0x0000000000400000-0x0000000000524000-memory.dmp

              Filesize

              1.1MB