Analysis

  • max time kernel
    153s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/03/2024, 21:14

General

  • Target

    750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe

  • Size

    369KB

  • MD5

    0b524fc54b4e624bdfd780d36da697c4

  • SHA1

    8f091a1d18120e94b70338dab5cdec817a5a08de

  • SHA256

    750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b

  • SHA512

    bf8e7719cb627ba5b41a031235cfe720f1fa1e7e909f6072601cfdc2e0185896f0e3020725c0b3eb354a1e9c118f5706495b1b632ef02a11013adbabdfb5a4b7

  • SSDEEP

    6144:QYml0tyeXfs81owi4yoshiGGrcxV8HkaIHkvxDzU+0md/XAKqTr:NmXEfs81VJbryVYkaIHkvx/UX0AV/

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • UPX dump on OEP (original entry point) 7 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe
    "C:\Users\Admin\AppData\Local\Temp\750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\pygoc.exe
      "C:\Users\Admin\AppData\Local\Temp\pygoc.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\AppData\Local\Temp\ohkir.exe
        "C:\Users\Admin\AppData\Local\Temp\ohkir.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1888
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2636

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

          Filesize

          340B

          MD5

          9eb0662062290c9925510552d7049754

          SHA1

          f9c1f3c9b51d68a50f51e4b2d39302d95f5263ff

          SHA256

          49c60b3efcd404aead3541b79d0f9eb19f05d5461726ca5000a13123fde8f1df

          SHA512

          3d879450fda5c8543405fffabc01c091d293217aabe82c1ac85af440d5e18356418dc78caae227e3fb425e792c9aec6ffe094cf424e2b0b9b7fbfafaa042cce3

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          04574147939b1cae56bfbb43774102f6

          SHA1

          e41702d1c5c3543b9e0bb092c579729b17688ded

          SHA256

          637b7c17a2710c2d4fe1177375346420fb792601f74b22f1e861b8fefadecb6d

          SHA512

          7c91c840fa19c6cf5b3534a670f8fc748b9dd377d1db15bc335d9f5b933ca679969a272442cd135aa1c680e21aa50891bed76c71d034ecef91ea0ab9b21eade4

        • \Users\Admin\AppData\Local\Temp\ohkir.exe

          Filesize

          218KB

          MD5

          3e2c3fcbe665bd3e3a1b1a8728db28a0

          SHA1

          11cb41fef079acf33a425a6df62c1546ad7c4fc8

          SHA256

          08706903c691ff14b5fb5a509988ed039a51311d2ce1b463c624dad007881804

          SHA512

          464c9acf7fdf670559e7b6d7178a8a4e3e597c1da0bbe2c77ea5e982fff2e0aec9a94c5a09fa244c5a467aac60d4035a357d869b793f23f8b7c3c250fd63ae1d

        • \Users\Admin\AppData\Local\Temp\pygoc.exe

          Filesize

          369KB

          MD5

          a52f173724a7b0b0a6d71dda0b8c1b09

          SHA1

          1239fcf121521f5efdcd5cacc84385c3aa7517c5

          SHA256

          ff940db8cefeb58fe3ff1da8436fced49bc1a50e4c6fb6d46543ef9baaadcd69

          SHA512

          66accd631a7a569c7b3d0a64b248d75a25f2ce2d6bb9b7c89326cf9bd1960b7c6670746d0b63eb595be5cc3e42cfd0b1d61e2092de35fef18931335a9f2c6878

        • memory/1252-0-0x00000000013D0000-0x0000000001461000-memory.dmp

          Filesize

          580KB

        • memory/1252-9-0x00000000012C0000-0x0000000001351000-memory.dmp

          Filesize

          580KB

        • memory/1252-18-0x00000000013D0000-0x0000000001461000-memory.dmp

          Filesize

          580KB

        • memory/1888-43-0x0000000000100000-0x0000000000102000-memory.dmp

          Filesize

          8KB

        • memory/1888-38-0x00000000013E0000-0x000000000149B000-memory.dmp

          Filesize

          748KB

        • memory/1888-39-0x0000000000100000-0x0000000000102000-memory.dmp

          Filesize

          8KB

        • memory/1888-41-0x00000000013E0000-0x000000000149B000-memory.dmp

          Filesize

          748KB

        • memory/1888-42-0x00000000013E0000-0x000000000149B000-memory.dmp

          Filesize

          748KB

        • memory/1888-44-0x00000000013E0000-0x000000000149B000-memory.dmp

          Filesize

          748KB

        • memory/1888-45-0x00000000013E0000-0x000000000149B000-memory.dmp

          Filesize

          748KB

        • memory/1888-46-0x00000000013E0000-0x000000000149B000-memory.dmp

          Filesize

          748KB

        • memory/3052-21-0x0000000000BF0000-0x0000000000C81000-memory.dmp

          Filesize

          580KB

        • memory/3052-34-0x0000000002DC0000-0x0000000002E7B000-memory.dmp

          Filesize

          748KB

        • memory/3052-36-0x0000000000BF0000-0x0000000000C81000-memory.dmp

          Filesize

          580KB

        • memory/3052-10-0x0000000000BF0000-0x0000000000C81000-memory.dmp

          Filesize

          580KB