Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/03/2024, 23:47

General

  • Target

    c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe

  • Size

    487KB

  • MD5

    7b4680c1c19a6d291953f25d24e76b45

  • SHA1

    43ce5530346df5fe3bcb773bc00a40b934ad2a1c

  • SHA256

    c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0

  • SHA512

    8394837fd731945faad3c593a7b85e1220bd0fb048fae25fa04551a3f64e5dd33c4d99f07d8c15d9b33f36c7161466e18763b9cb629ec99d11a6c32276ea5834

  • SSDEEP

    12288:Vpbvglu0agWSFnxAEwKyLH8l+O9H6s2si2XfxKTbe+:VpbXi5xzFUBaazsiofx83

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe
    "C:\Users\Admin\AppData\Local\Temp\c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Users\Admin\AppData\Local\Temp\onwyx.exe
      "C:\Users\Admin\AppData\Local\Temp\onwyx.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Users\Admin\AppData\Local\Temp\riduj.exe
        "C:\Users\Admin\AppData\Local\Temp\riduj.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1704
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2084
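The process tree above is the detectable part of this run: an executable in the user's Temp directory spawns a second Temp executable, which spawns a third, and the original also launches cmd.exe on a .bat in Temp (the self-deletion step the "Deletes itself" signature is attributed to). The following is an added example, not part of the sandbox report, showing a detection rule for that shape over constructed process-creation events. The parent PID 1480 for the sample and the two benign setup_tool.exe/msiexec.exe events are assumptions added to give the rule a negative case; everything else mirrors the tree shown in the report.

```python
import re

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP_DIR + r"\c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe"

# Constructed process-creation events (pid, ppid, image, command line), modelled on
# the process tree in the report. PPID 1480 for the sample and the last two
# (benign installer) events are assumptions, not sandbox output.
EVENTS = [
    (2276, 1480, SAMPLE, f'"{SAMPLE}"'),
    (1596, 2276, TEMP_DIR + r"\onwyx.exe", rf'"{TEMP_DIR}\onwyx.exe"'),
    (1704, 1596, TEMP_DIR + r"\riduj.exe", rf'"{TEMP_DIR}\riduj.exe"'),
    (2084, 2276, r"C:\Windows\SysWOW64\cmd.exe", rf'cmd /c ""{TEMP_DIR}\_uinsey.bat" "'),
    (3050, 1480, TEMP_DIR + r"\setup_tool.exe", rf'"{TEMP_DIR}\setup_tool.exe"'),  # assumed benign
    (3100, 3050, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i package.msi"),  # assumed benign
]

# Any user's %LOCALAPPDATA%\Temp, case-insensitive (Windows paths are).
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# First drive-rooted path ending in .bat inside a command line; the doubled quotes
# that cmd /c "" ... " " produces are excluded by the [^"] class.
BAT_RE = re.compile(r'[a-z]:\\[^"]*?\.bat', re.IGNORECASE)


def in_user_temp(path):
    return TEMP_RE.match(path) is not None


def detect(events):
    """Return (rule, parent_pid, child_pid) findings for Temp-rooted process chains."""
    by_pid = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        if ppid not in by_pid:
            continue  # parent not in the event set (e.g. the assumed explorer.exe)
        parent_image = by_pid[ppid][1]
        if not in_user_temp(parent_image):
            continue  # only care about children of Temp-resident executables
        if in_user_temp(image) and image.lower().endswith(".exe"):
            # Temp EXE launching another Temp EXE: the onwyx.exe -> riduj.exe pattern.
            findings.append(("temp_exe_spawns_temp_exe", ppid, pid))
        elif image.lower().endswith("\\cmd.exe"):
            # Temp EXE running a Temp batch file via cmd: the _uinsey.bat cleanup step.
            m = BAT_RE.search(cmdline)
            if m and in_user_temp(m.group(0)):
                findings.append(("temp_exe_runs_temp_batch", ppid, pid))
    return findings


def chain(events, pid):
    """Walk parents up to the first PID absent from the events; root first."""
    by_pid = {p: ppid for p, ppid, _, _ in events}
    out = []
    while pid in by_pid:
        out.append(pid)
        pid = by_pid[pid]
    return out[::-1]


if __name__ == "__main__":
    for rule, parent, child in detect(EVENTS):
        print(f"{rule}: {parent} -> {child}  chain={chain(EVENTS, child)}")
```

The batch-file rule keys on the parent being Temp-resident rather than on cmd.exe alone, because cmd /c on a .bat from explorer.exe is common on user workstations; the Temp-to-Temp EXE rule is the stronger signal and matches both hops of the dropped-EXE chain here.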

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

          Filesize

          340B

          MD5

          58350343aa0b4f8f67a75c5b2c5c133a

          SHA1

          e1fd6002d93954622545031b127c7ec30fc898de

          SHA256

          768c43becf6daa0bfea4b94d194f9b090b67ac32e5ebfba43ebf7f379e1f1039

          SHA512

          baf33270115d230ef01f8579661bc1d6d8db2ac9bac4cb215f0d1d915360e53fee8dde2e66ec2d841fcb70ac8ec2c1d7560aa83a35841e77c744fefeb28bd09f

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          8c7306a2041836d13210aea78af39c53

          SHA1

          b7080f4175e56926175f58590295e7cd42d7678f

          SHA256

          b5571589ab0fc06aff1ed55624c5b88eb52def6e5469004d4290821c5632e630

          SHA512

          58eecfded9a5dbc3546e53d666a8835bbb93b7da564b5616f768d254a397805809ebefc2399ec74c46f1959b73c671e2ae881d7819a7418a190549fe766b84b3

        • C:\Users\Admin\AppData\Local\Temp\riduj.exe

          Filesize

          217KB

          MD5

          195c49a5724b31ef3caee94c83696655

          SHA1

          b8ccf58c8fc75ad4fdc49694c89da107a29b7f9a

          SHA256

          d39631c1f117e47db01a05ea2cca7fed2ef4ec5a23bf7f908a32f1e11a7113f5

          SHA512

          94a5d92a4ab1dc236f03d9d1e15f558a72376f7760ab052a1234f7a63771dd6e131139d721371a9c7d4f8877b934c162d7a12fff6dd93f62e5ea80b66bfef647

        • \Users\Admin\AppData\Local\Temp\onwyx.exe

          Filesize

          487KB

          MD5

          58bb2e6d125fed516ca688e5a0786dad

          SHA1

          1b21da6c00b526ca4f08bbea15991a7b3c3804d6

          SHA256

          689cd59cb0c9abc0fea97674299f078d724b8eecf7994968a59490796fb09bf1

          SHA512

          00f5bf0c319f7b778593d5955dc937d5d6b2f7a6f50ffa875ff9a80b5b6f07732da4ffb373bcc492f1641e66a870ab615211ede169693a47f114d7985da4b60e

        • memory/1596-25-0x0000000001040000-0x00000000010C5000-memory.dmp

          Filesize

          532KB

        • memory/1704-27-0x0000000000880000-0x0000000000934000-memory.dmp

          Filesize

          720KB

        • memory/1704-28-0x0000000000100000-0x0000000000102000-memory.dmp

          Filesize

          8KB

        • memory/1704-30-0x0000000000880000-0x0000000000934000-memory.dmp

          Filesize

          720KB

        • memory/1704-31-0x0000000000880000-0x0000000000934000-memory.dmp

          Filesize

          720KB

        • memory/1704-32-0x0000000000880000-0x0000000000934000-memory.dmp

          Filesize

          720KB

        • memory/1704-33-0x0000000000880000-0x0000000000934000-memory.dmp

          Filesize

          720KB

        • memory/1704-34-0x0000000000880000-0x0000000000934000-memory.dmp

          Filesize

          720KB

        • memory/2276-17-0x0000000000D20000-0x0000000000DA5000-memory.dmp

          Filesize

          532KB

        • memory/2276-0-0x0000000000D20000-0x0000000000DA5000-memory.dmp

          Filesize

          532KB

        • memory/2276-6-0x0000000000B30000-0x0000000000BB5000-memory.dmp

          Filesize

          532KB