Analysis

  • max time kernel
    169s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/03/2024, 01:35

General

  • Target

    edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe

  • Size

    386KB

  • MD5

    63f8ca27ddacce225638a34121edadde

  • SHA1

    70f897e4e843388f656269c5257d7d62b9ce94a8

  • SHA256

    edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771

  • SHA512

    19687aff5e1e59da7b52bb76e8da49c9e5cf071ea1166484610b681c88c209cd3589aacf673a75eaeec9e0165aca792548884ffec40a75d15f52b9b86f398b45

  • SSDEEP

    6144:1soTOQcDCbE8qLi6mADXdJ2dcoARXDR6YZbus8Z+2vFJhcemcyOpG8h:WalcDCbE8qlmx8RkeS+MJueQi

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe
    "C:\Users\Admin\AppData\Local\Temp\edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Local\Temp\seejd.exe
      "C:\Users\Admin\AppData\Local\Temp\seejd.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Users\Admin\AppData\Local\Temp\ramad.exe
        "C:\Users\Admin\AppData\Local\Temp\ramad.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1580
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2564

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

          Filesize

          340B

          MD5

          5de5a24b2248d5b4b4758d811bb82e98

          SHA1

          e4e9e2759ca498ebeb4f26226f709e6d6ccfa3d3

          SHA256

          fb65b262f8c267fd370bf55cebb570927668dd814968428262e92a6b6cb76e25

          SHA512

          e1230a655127643c7d24ee1a4c299f2fb87d12e774c25afd6a2455a0617ac7d014d35ba7bd7612aaaed46491e499ce907eb9bedc1ce869b75771a218ad385c6f

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          668b842c1f44a1ef25fcbeede97b1364

          SHA1

          8607b95423c33b90315ae2b37834ca2b7e6494ee

          SHA256

          b31da2465570429a1e24cc679f9c8bdf03fbd9faf99162c797ae2efc4d7d6205

          SHA512

          67c97f0952be0551154639b1862d477722795eb96d0d8f18a3312d2f34c1fc68a40864071d3dee9b751df688e0e7a76801ea641ba03cf9c12de610d7dc69a837

        • \Users\Admin\AppData\Local\Temp\ramad.exe

          Filesize

          212KB

          MD5

          6fef2650c175bd51089427a0ac37559c

          SHA1

          ac5a49485a682c3611c247c9b67e529f4ccb5270

          SHA256

          0651c2721e6819c341cc7f7a1cd9369728eb3ad11f4beca35ea1abf9cc571f44

          SHA512

          407714a93725ea5553fb139375a6899614e402a1c2eb7c8d29ce686422014c575949094b6c7af994ff8ec5eadbe0e347d4c14ab82af1dbac4877542dff4be145

        • \Users\Admin\AppData\Local\Temp\seejd.exe

          Filesize

          386KB

          MD5

          0568705ae35d1dfa13dcec035a5a9280

          SHA1

          a2c3895873d5fc271ac204b1148bee1da803cf9f

          SHA256

          e0ee7a184c27adb7263b53faa35196c7fa68a3617f2070cdb90a8af71e1ac736

          SHA512

          9a8ffd5e3340ec73bd6f2ed4e1a2a6087f540016e4b8115f33d886d42a36f75d4b9c30b6efc47a58f590ea4590b693cafc00253a3deee4c98f6e85d3d5ab3439

        • memory/1580-26-0x0000000000860000-0x0000000000914000-memory.dmp

          Filesize

          720KB

        • memory/1580-27-0x0000000000100000-0x0000000000102000-memory.dmp

          Filesize

          8KB

        • memory/1580-29-0x0000000000860000-0x0000000000914000-memory.dmp

          Filesize

          720KB

        • memory/1580-30-0x0000000000860000-0x0000000000914000-memory.dmp

          Filesize

          720KB

        • memory/1580-31-0x0000000000100000-0x0000000000102000-memory.dmp

          Filesize

          8KB

        • memory/1580-32-0x0000000000860000-0x0000000000914000-memory.dmp

          Filesize

          720KB

        • memory/1580-33-0x0000000000860000-0x0000000000914000-memory.dmp

          Filesize

          720KB

        • memory/1580-34-0x0000000000860000-0x0000000000914000-memory.dmp

          Filesize

          720KB

        • memory/2492-23-0x0000000002D40000-0x0000000002DF4000-memory.dmp

          Filesize

          720KB

        • memory/2808-0-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB