Analysis

  • max time kernel
    157s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/03/2024, 01:51

General

  • Target
    f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe
  • Size
    406KB
  • MD5
    891bf6404527fad1fe321fa5a2ba7281
  • SHA1
    98ec4fb028e8caa6703062c31d83612c51b58d30
  • SHA256
    f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a
  • SHA512
    6e4181cbc999981f13dc4967a4359a42c0edd2f02a41d3cde91c2ac9f6f09bfa92f354b039c9da330b2a8ffc718d6e93535aa4348743dc226989c13d3a811978
  • SSDEEP
    6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohPS:8IfBoDWoyFblU6hAJQnO0

Score
10/10

Malware Config

Extracted

  • Family
    urelas
  • C2
    218.54.31.165
    218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe
    "C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Users\Admin\AppData\Local\Temp\jijui.exe
      "C:\Users\Admin\AppData\Local\Temp\jijui.exe" hi
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Users\Admin\AppData\Local\Temp\isnuso.exe
        "C:\Users\Admin\AppData\Local\Temp\isnuso.exe" OK
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Users\Admin\AppData\Local\Temp\pojin.exe
          "C:\Users\Admin\AppData\Local\Temp\pojin.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2624
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          PID:1368
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        2⤵
        • Deletes itself
        PID:1564

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize: 224B
    MD5: 1c1e982d6941717d841e4129df9c41c3
    SHA1: 59d7f341b12c1c7305dea8cdc267e17c35379d04
    SHA256: 82a2baeca1a8f9dadec11e7799a35d5007e5d8c3fcb4afbf93953496b07eaeb6
    SHA512: 6d0b4ca58cfc3fa866ba20127e47dc9ae9bcc920929c68432506d50e4e551c4f8c9888c67c411c65f2f6760a6d8462833a109e35f1086032bff2884546469f6c
  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize: 340B
    MD5: 047b024223c5fa0c621431007d08b16f
    SHA1: eb2aef08b0c87407281cada747a5cd5a12af26f2
    SHA256: 4c77c8080060a85d99ca2e0fbd2986dc73378cb8dcd65e7cf3c10de27c12d397
    SHA512: 187bcd8a107b81a3c7e9585b93cabb7e4db9a9cfb105f1e1ead4d18f8154da64c27bb23f127f911d03f06f8555035006e7da0154f203ceb3d920a008972bb1e3
  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize: 512B
    MD5: 27fef949ccb96ac3f9c325feabdccb61
    SHA1: 694c9104de36b20826e7b956832c8726d71a5c0b
    SHA256: d11b9ab63b75941afe79e382a7542ed4557a064de6e9bd0f87d489bebfc46475
    SHA512: 096b4772202cf1f48c166f24c6bbbcde4627c3da3b56ade0265f11f8aefe0d0c29047dbfa5ad82a8a6dd1b8e82fe6d208cb08e6a9d4e38d022a917891851a43e
  • C:\Users\Admin\AppData\Local\Temp\jijui.exe
    Filesize: 406KB
    MD5: 76ea83a5d8e05ce7d4180db69e907957
    SHA1: 4ad8252a92a8a2a4f3ba0670f87eea5864e8c23b
    SHA256: 5b0949f3298f767f9e3308086b0a12f32c924037c70974e14535657cf6ee1186
    SHA512: 25c5b4f0b866ebfc8b9824a3311e67fd5846840b87cb03f1833329a709ca8836ffd556a14c05693c638e3c7b0e0e4465bf1a2c8e89dc5f0154963879f3a77522
  • C:\Users\Admin\AppData\Local\Temp\jijui.exe
    Filesize: 192KB
    MD5: cebd9e1b3893da666d3b620f99255e93
    SHA1: c8b428008322c787b8f772f685e61b31edec0c4f
    SHA256: 6f69e4aaee647ee2119131f4051814124a40d08fe1804ae17c75e4c261b38e59
    SHA512: 8eebd667d79483ff914b73812a0c366bf4218d5d98f0fb49f401e16b5be8f425068219e9d69ea2c01f8a82e12e530019acb09461d037ff03fe1c37a8d6bc4f6a
  • C:\Users\Admin\AppData\Local\Temp\pojin.exe
    Filesize: 128KB
    MD5: df4c53b223ed60a53332801214a30953
    SHA1: bbaac36875c4ade502e7231cf66e772e93e13185
    SHA256: 6af392d27bafe7553d54fe382480661db1fa354249f8a3b29d458e2a87dfc44a
    SHA512: 758bf5106dda55aad0274976050390c5c19b8b2c854a8404c5c0ccc37a18640b61b71d9f2f5a1be4a24d643a549a62e0cf8e29d5d6b52a06a2e8fbf2b08f8e9b
  • \Users\Admin\AppData\Local\Temp\isnuso.exe
    Filesize: 406KB
    MD5: ba700a5dca2f84364202fa2fed34ae83
    SHA1: 5d30c5cb483eeaf4e1a8314f1f195a90cc9f1f47
    SHA256: 6e3dd3a5a1084516bb1152acb3ca9430186bc99c058746db1c4726acb11c40a9
    SHA512: 7b3cc5fb268df891730c66ae17d6f68a275d36c11063ac75406684f75d0dcdb1d5f47b5bab51fd79f48b790ce1cecd8d7918bb2ed71b13d42648ccb6d1a64620
  • \Users\Admin\AppData\Local\Temp\jijui.exe
    Filesize: 406KB
    MD5: ab8d2123ca4162d852e887e135fc2a0d
    SHA1: b0d3a914a7fc6c7838737a6f92dd8e640c60e560
    SHA256: 3bc5ea7560ec94e47cbcf30e7f23aad323f1628768a1aa98af4558312f18fcb0
    SHA512: 046de8c9202a899a6bcabd503ea2ee5b9347d3bbb0364c41be252ec3883013ec7552a3fdc378d5527358802cc719ef41465aada08c5427b85e03750e47534476
  • \Users\Admin\AppData\Local\Temp\jijui.exe
    Filesize: 64KB
    MD5: e49881b9caeb2e1881e02efa0275fd45
    SHA1: c47401d50a491326258d34337d07e25fa223a9ab
    SHA256: 5c0f7a466a88e100998645ef61c6876b17704365ed042ee9a23fff4ce5e0fe00
    SHA512: 177dc1c55d8069377fbbd4e1b86272df87ec68789ab7c2c307d8f867778d55f607e7cb7fe6d66bfc30653b963123a26e59bd862ae3656d2db9b4a0aeb4674a8b
  • \Users\Admin\AppData\Local\Temp\pojin.exe
    Filesize: 223KB
    MD5: dfebaf7318dd971fc04764d0da3f56ca
    SHA1: a154748087ebf983b436236d65113545c606941d
    SHA256: 74cc296ea7da2152e2b8fcd8a657d4f34a57a3d506acc4e6596e63366c8ae0be
    SHA512: 7519191ef2bf6a8e06cea513cb656fa4601748ba2582d8ac684343d596c3beb2deeb62d02195e1cb310e5bc0dc9b202324be01a425a049de0a91775b2aebfa3e
  • memory/2624-48-0x0000000000340000-0x00000000003E0000-memory.dmp
    Filesize: 640KB
  • memory/2624-56-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize: 4KB
  • memory/2624-63-0x0000000000340000-0x00000000003E0000-memory.dmp
    Filesize: 640KB
  • memory/2624-62-0x0000000000340000-0x00000000003E0000-memory.dmp
    Filesize: 640KB
  • memory/2624-61-0x0000000000340000-0x00000000003E0000-memory.dmp
    Filesize: 640KB
  • memory/2624-60-0x0000000000340000-0x00000000003E0000-memory.dmp
    Filesize: 640KB
  • memory/2624-59-0x0000000000340000-0x00000000003E0000-memory.dmp
    Filesize: 640KB
  • memory/2716-11-0x0000000002210000-0x0000000002278000-memory.dmp
    Filesize: 416KB
  • memory/2716-0-0x0000000000400000-0x00000000004679C5-memory.dmp
    Filesize: 414KB
  • memory/2716-25-0x0000000000400000-0x00000000004679C5-memory.dmp
    Filesize: 414KB
  • memory/2716-15-0x0000000002210000-0x0000000002278000-memory.dmp
    Filesize: 416KB
  • memory/2768-55-0x0000000000400000-0x00000000004679C5-memory.dmp
    Filesize: 414KB
  • memory/2768-44-0x0000000003450000-0x00000000034F0000-memory.dmp
    Filesize: 640KB
  • memory/2768-36-0x0000000000400000-0x00000000004679C5-memory.dmp
    Filesize: 414KB
  • memory/3004-14-0x0000000000400000-0x00000000004679C5-memory.dmp
    Filesize: 414KB
  • memory/3004-34-0x0000000000400000-0x00000000004679C5-memory.dmp
    Filesize: 414KB
  • memory/3004-33-0x0000000003050000-0x00000000030B8000-memory.dmp
    Filesize: 416KB