Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/03/2024, 01:36

General

  • Target

    cf98e1c96efb311bbd871d0e2b974135.exe

  • Size

    402KB

  • MD5

    cf98e1c96efb311bbd871d0e2b974135

  • SHA1

    03e7db2575c8f88ee65107f33d9a260a15ccdb0f

  • SHA256

    d14e7af0587c40e259d8b3400b9754d2df6359b3df0e522d261c9b9d117d3167

  • SHA512

    d7f2ffffcf4294fa8451ab71a018bd8f269c6895739ffd44868f075bc5ad7e7c7e0f8fd224c2e3cad3a60f3dcbedc5b965d99fd349632ab4997d085686cec934

  • SSDEEP

    6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroh2:8IfBoDWoyFblU6hAJQnOg

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe
    "C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Local\Temp\gyfog.exe
      "C:\Users\Admin\AppData\Local\Temp\gyfog.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Users\Admin\AppData\Local\Temp\miekdu.exe
        "C:\Users\Admin\AppData\Local\Temp\miekdu.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4796
        • C:\Users\Admin\AppData\Local\Temp\ancio.exe
          "C:\Users\Admin\AppData\Local\Temp\ancio.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1788
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
            PID:4872
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        2⤵
          PID:1300
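
The tree above is a four-stage chain of executables living in the same %TEMP% directory (3524 → 4816 → 4796 → 1788), with cmd.exe invoked twice to run a _vslite.bat from that directory. The following Python is an added example, not sandbox output or tooling: it rebuilds the tree as constructed Sysmon-style process-creation events (PIDs, image paths and command lines are taken from the report; the parent PID 1000 of the top-level process is an assumption, since the page does not show it) and applies the two hunting rules a responder would derive from it: an executable under %TEMP% launched by another executable under %TEMP%, and cmd.exe /c running a .bat under %TEMP% on behalf of such a process.

```python
"""Hunt for the execution chain shown in the report's process tree.

EVENTS below are constructed Sysmon Event ID 1 style records mirroring the
tree on the page; they are not telemetry captured from the sandbox.
"""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed events; PPID 1000 for the top-level process is an assumption.
EVENTS = [
    ev(3524, 1000, rf"{TEMP}\cf98e1c96efb311bbd871d0e2b974135.exe",
       rf'"{TEMP}\cf98e1c96efb311bbd871d0e2b974135.exe"'),
    ev(4816, 3524, rf"{TEMP}\gyfog.exe", rf'"{TEMP}\gyfog.exe" hi'),
    ev(1300, 3524, CMD, rf'C:\Windows\system32\cmd.exe /c ""{TEMP}\_vslite.bat" "'),
    ev(4796, 4816, rf"{TEMP}\miekdu.exe", rf'"{TEMP}\miekdu.exe" OK'),
    ev(1788, 4796, rf"{TEMP}\ancio.exe", rf'"{TEMP}\ancio.exe"'),
    ev(4872, 4796, CMD, rf'C:\Windows\system32\cmd.exe /c ""{TEMP}\_vslite.bat" "'),
]

# cmd.exe /c ""<path>.bat" " : tolerate the doubled quotes seen in the tree.
BAT_RE = re.compile(r'/c\s+"*([^"]+?\.bat)\b', re.I)


def under_temp(path: str) -> bool:
    return path.lower().startswith(TEMP.lower() + "\\")


def is_temp_exe(e: dict) -> bool:
    return under_temp(e["image"]) and e["image"].lower().endswith(".exe")


def temp_bat_from_cmd(e: dict):
    """Return the .bat path if this event is cmd.exe /c running a batch file under %TEMP%."""
    if not e["image"].lower().endswith("\\cmd.exe"):
        return None
    m = BAT_RE.search(e["cmdline"])
    if m and under_temp(m.group(1)):
        return m.group(1)
    return None


def analyze(events):
    """Map PID -> list of rule names that fired for that process."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_is_temp_exe = parent is not None and is_temp_exe(parent)
        tags = []
        if is_temp_exe(e) and parent_is_temp_exe:
            tags.append("dropped-exe-launched-from-temp")
        if temp_bat_from_cmd(e) and parent_is_temp_exe:
            tags.append("cmd-runs-temp-bat")
        if tags:
            findings[e["pid"]] = tags
    return findings


def longest_temp_exe_chain(events):
    """Longest parent->child run of %TEMP% executables, as PIDs with the root first."""
    by_pid = {e["pid"]: e for e in events}
    best = []
    for e in events:
        chain, cur = [], e
        while cur is not None and is_temp_exe(cur):
            chain.append(cur["pid"])
            cur = by_pid.get(cur["ppid"])
        if len(chain) > len(best):
            best = chain
    return list(reversed(best))


if __name__ == "__main__":
    for pid, tags in analyze(EVENTS).items():
        print(pid, tags)
    print("chain:", longest_temp_exe_chain(EVENTS))
```

The top-level process (3524) is deliberately not flagged on its own: a single executable in %TEMP% is common for installers, and the signal here is the depth of the chain and the batch-file cleanup step hanging off it.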

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

              Filesize

              224B

              MD5

              9786f1c23f7d338ca04684c58a97edee

              SHA1

              d6af8b67253f2cc37b3060f8c3415d8c1bdec4d0

              SHA256

              9b36c443f6f2a68be8de192543bccd33f55f851c37e0d011cbd952aa1db9b4bd

              SHA512

              52ad90d7c0eb55b6475067bbdc6c0fd2626745d774e29129ad556879e0e1983097b30e9620388e42396b056964a6ad4cededbbc3a3de4aa1e860d9c63c2a3bee

            • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

              Filesize

              276B

              MD5

              36c9bf4a55cb8300c6139f9307c087b4

              SHA1

              f02fac771ac36c38d63174907ce30d8272a9960c

              SHA256

              3c6c5d512387419fec7f9e766ab4d85a515748b908e0e91f999fd45b584443e1

              SHA512

              71af02057fe77265d918bf6c06d7414b4f0208ee971ead4101f1f719c614c67a711666ffab32eab5af1f5302b507e30b2da0a06b5b7870cff54b001408df259c

            • C:\Users\Admin\AppData\Local\Temp\ancio.exe

              Filesize

              223KB

              MD5

              535dc6c4d29838b8bc8a7299596f62d5

              SHA1

              77dbc16b7739b5a96d4ae4e90b7c81781c362a7e

              SHA256

              de3bbbef9d6864db6f21be44037e4904cd563a4a231d218f08fc6235853cef4a

              SHA512

              228c6648b112fde47fd12ba79bb469bd3a7bb8dc6067727f5729b28f5aea3f7071be28a21c894441c428da76acbc9a0503bcdd2914d6938f738aa9776ab30159

            • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

              Filesize

              512B

              MD5

              1deed40f1e6cfdc389c44eb46afbefdc

              SHA1

              ee306aaf80375feac79f509e4bdddcbbe94597f3

              SHA256

              1bebe60310ce420d85f842f89087d1ac8d85859468011352da89cc72e2c06a06

              SHA512

              2f3a96314d54c9a6f9ec90a4730189271bbb33529bd12bc1991fea720a16694b45f71f3f750c237ece4a7331f2c7a78d7c97c6d8027ba1cb25515f65d037e596

            • C:\Users\Admin\AppData\Local\Temp\gyfog.exe

              Filesize

              402KB

              MD5

              da35388d0d0abffc322389f03f61609e

              SHA1

              ffd82d19943e8fcedc681b9d1ca5c07b28765944

              SHA256

              cfbeb85db59d0d984ad81188bc3124e50d17ad51c3b1d45bf80f2213509f68f0

              SHA512

              15722a4c6fdb8d9923cfa712caa195a79ef69f9b4c14da611ce5f4e35589625668189a2ecec8bd757316d484a199b1ff264a9ed7a6bf09a8f80e088d6512ff35

            • C:\Users\Admin\AppData\Local\Temp\miekdu.exe

              Filesize

              402KB

              MD5

              b91b14da85ea731a3d740f14b5267292

              SHA1

              c0cb8dc43b6004c3082dd7e161d10955876615f1

              SHA256

              68a79a90b472d741a9204b7d450267dcaff1ea0c44626b4a8b9ed0eed3533866

              SHA512

              d23089a6175bde2db98b956326905c700b1819455dc6b47e8d7d585176c12dfcb749007cc0318385eba3e14c28e8ef7e553edeefbb8593f286906d5aa42c0c44

            • memory/1788-46-0x00000000006F0000-0x0000000000790000-memory.dmp

              Filesize

              640KB

            • memory/1788-45-0x00000000006F0000-0x0000000000790000-memory.dmp

              Filesize

              640KB

            • memory/1788-44-0x00000000006F0000-0x0000000000790000-memory.dmp

              Filesize

              640KB

            • memory/1788-47-0x00000000006F0000-0x0000000000790000-memory.dmp

              Filesize

              640KB

            • memory/1788-43-0x00000000006F0000-0x0000000000790000-memory.dmp

              Filesize

              640KB

            • memory/1788-39-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

              Filesize

              4KB

            • memory/1788-38-0x00000000006F0000-0x0000000000790000-memory.dmp

              Filesize

              640KB

            • memory/3524-15-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB

            • memory/3524-0-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB

            • memory/4796-40-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB

            • memory/4796-26-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB

            • memory/4816-25-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB

            • memory/4816-14-0x0000000000400000-0x00000000004679C5-memory.dmp

              Filesize

              414KB
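
The file hashes above, together with the two C2 addresses in the extracted config, are the indicators a responder would sweep for. Two things on the page shape how that sweep should be written: _vslite.bat is dropped twice at the same path with different content (224B and 276B, different hashes), and the submitted sample, gyfog.exe and miekdu.exe are all 402KB yet carry different hashes, so exact-hash matching only catches copies of these specific drops, not a re-dropped payload. The Python below is an added example, not tooling from the sandbox: the hash and IP values are copied from this report, while the scan helpers, the log lines and the files written by demo() are constructed for illustration.

```python
"""Sweep a directory tree and a log for the indicators in this report.

IOCS and C2 are copied from the report. SAMPLE_LOG and the files created by
demo() are constructed stand-ins, not data from the sandbox run.
"""
import hashlib
import re
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256")

# (name, md5, sha1, sha256) from the General and Downloads sections of the report
IOCS = [
    ("cf98e1c96efb311bbd871d0e2b974135.exe", "cf98e1c96efb311bbd871d0e2b974135",
     "03e7db2575c8f88ee65107f33d9a260a15ccdb0f",
     "d14e7af0587c40e259d8b3400b9754d2df6359b3df0e522d261c9b9d117d3167"),
    ("_vslite.bat (224B)", "9786f1c23f7d338ca04684c58a97edee",
     "d6af8b67253f2cc37b3060f8c3415d8c1bdec4d0",
     "9b36c443f6f2a68be8de192543bccd33f55f851c37e0d011cbd952aa1db9b4bd"),
    ("_vslite.bat (276B)", "36c9bf4a55cb8300c6139f9307c087b4",
     "f02fac771ac36c38d63174907ce30d8272a9960c",
     "3c6c5d512387419fec7f9e766ab4d85a515748b908e0e91f999fd45b584443e1"),
    ("ancio.exe", "535dc6c4d29838b8bc8a7299596f62d5",
     "77dbc16b7739b5a96d4ae4e90b7c81781c362a7e",
     "de3bbbef9d6864db6f21be44037e4904cd563a4a231d218f08fc6235853cef4a"),
    ("golfinfo.ini", "1deed40f1e6cfdc389c44eb46afbefdc",
     "ee306aaf80375feac79f509e4bdddcbbe94597f3",
     "1bebe60310ce420d85f842f89087d1ac8d85859468011352da89cc72e2c06a06"),
    ("gyfog.exe", "da35388d0d0abffc322389f03f61609e",
     "ffd82d19943e8fcedc681b9d1ca5c07b28765944",
     "cfbeb85db59d0d984ad81188bc3124e50d17ad51c3b1d45bf80f2213509f68f0"),
    ("miekdu.exe", "b91b14da85ea731a3d740f14b5267292",
     "c0cb8dc43b6004c3082dd7e161d10955876615f1",
     "68a79a90b472d741a9204b7d450267dcaff1ea0c44626b4a8b9ed0eed3533866"),
]
C2 = ("218.54.31.165", "218.54.31.226")  # from the extracted Urelas config

# Constructed firewall-style lines; the report's own Network section is empty.
SAMPLE_LOG = [
    "2024-03-17T01:37:02Z fw ALLOW tcp 10.0.0.15:49812 -> 218.54.31.165:80",
    "2024-03-17T01:37:05Z fw ALLOW tcp 10.0.0.15:49813 -> 192.0.2.10:443",
    "2024-03-17T01:37:09Z fw DENY tcp 10.0.0.15:49814 -> 218.54.31.226:80",
]


def hash_bytes(data: bytes) -> dict:
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path, chunk=1 << 20) -> dict:
    """Stream the file once and feed all three digests, so large drives are read a single time."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def build_index(iocs):
    """Map (algo, hexdigest) -> indicator name so a file matches on whichever digest is available."""
    index = {}
    for name, md5, sha1, sha256 in iocs:
        for algo, digest in zip(ALGOS, (md5, sha1, sha256)):
            index[(algo, digest.lower())] = name
    return index


def match_hashes(hashes: dict, index: dict):
    return sorted({index[(a, d.lower())] for a, d in hashes.items() if (a, d.lower()) in index})


def scan_tree(root, index):
    """Return (path, indicator name) for every regular file under root that matches."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            for name in match_hashes(hash_file(path), index):
                hits.append((str(path), name))
    return hits


def c2_hits(log_lines, c2=C2):
    """Return (line number, ip) for lines that reference a C2 address as a whole IP token."""
    pats = [(ip, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")) for ip in c2]
    return [(i, ip) for i, line in enumerate(log_lines, 1) for ip, p in pats if p.search(line)]


def demo():
    """Write two constructed files; the planted one gets a constructed IOC entry so the scan fires."""
    index = build_index(IOCS)
    planted = b"constructed stand-in for a dropped file; not the real sample\n"
    for algo, digest in hash_bytes(planted).items():
        index[(algo, digest)] = "planted.bin (constructed)"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "planted.bin").write_bytes(planted)
        Path(d, "benign.txt").write_bytes(b"nothing to see here\n")
        return [name for _, name in scan_tree(d, index)]


if __name__ == "__main__":
    print(demo())
    print(c2_hits(SAMPLE_LOG))
```

Pair this with the process-chain check rather than relying on it alone: the hash index is a fast, precise first pass over %TEMP% and evidence images, but the page's own data shows that each stage writes a fresh binary with a new hash.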