Analysis

  • max time kernel
    163s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/03/2024, 01:58

General

  • Target

    f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe

  • Size

    97KB

  • MD5

    034e6ee05fcbc8a0e1eb4b4474715f07

  • SHA1

    8ce1a9e8ad5e0c3e2f09372d4eaeb9519f095a84

  • SHA256

    f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0

  • SHA512

    8767a32cfec4c2a8ac51855a2f6257ff6cc9690d853961c539a6cc217e412d219ddee50678bd79e8f61d33b011534b4eca40bc8e31ab177f19dc7886eb228111

  • SSDEEP

    1536:tquG5UkVx28W+OCASbUHY98wNYp37wweKcSM:MLUom+4sUHENYxwwBcF

Score
10/10

Malware Config

Extracted

Family

urelas

C2

112.175.88.208

112.175.88.207

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe
    "C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      2⤵
      • Executes dropped EXE
      PID:4396
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
        PID:3156
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4580

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

              Filesize

              512B

              MD5

              ad66dcc3e4d62e8844a34f8e570fc21d

              SHA1

              5ae300786796af39a81a5f96daddbb5fd6d7ad0a

              SHA256

              b7b165b08c5e5fff025ada3ba0b814d0e1323567a23ecd89d7b6f264e48c74b1

              SHA512

              24ed5e4361ac13ae419cfcabed2650eb07e646f61b3d9e4d6c67d3a3ca31d7a504c015dde6e9b859d20edf03e90698fa879c4fe1c62b26238736cd8dcf390105

            • C:\Users\Admin\AppData\Local\Temp\huter.exe

              Filesize

              97KB

              MD5

              f1bb7b7298b5e9ab07837d5d42ebd3a1

              SHA1

              4dcb0f694132ba983e4180b7691e3f5ed76add4a

              SHA256

              bb234f548d5328e219355ea9533e93526932c71a7eff2f59145db77914b323b6

              SHA512

              2af1da38ebd9bea09c22aa7966bdc3530126caa0e4b838f52894c32d5a7d591f8b331e8f9ac5d377eeb5b6d6a121eb5a4420fc75ab26e297e9e5e78861f9cf5b

            • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

              Filesize

              338B

              MD5

              b3262c8533a67d54004ef6e527d9bb24

              SHA1

              45b6b9786078b1a8d283f9cadfebd3167180b66d

              SHA256

              6a6f9142af4836797f9217a61eb81d67c461f87a404ef8e3be6bcc5913023b38

              SHA512

              cdb44109ce3a23121c05d14369c9a856f3e52ac3a932b59689d361f0974348ac3388b03cc5f4008a6950d090ef8e1f90658e29486f101f39a4c0a5fa07116a30

            • memory/2052-0-0x0000000000C60000-0x0000000000C90000-memory.dmp

              Filesize

              192KB

            • memory/2052-10-0x0000000000C60000-0x0000000000C90000-memory.dmp

              Filesize

              192KB

            • memory/2052-15-0x0000000000C60000-0x0000000000C90000-memory.dmp

              Filesize

              192KB

            • memory/4396-12-0x00000000002F0000-0x0000000000320000-memory.dmp

              Filesize

              192KB

            • memory/4396-18-0x00000000002F0000-0x0000000000320000-memory.dmp

              Filesize

              192KB

            • memory/4396-20-0x00000000002F0000-0x0000000000320000-memory.dmp

              Filesize

              192KB

            • memory/4396-26-0x00000000002F0000-0x0000000000320000-memory.dmp

              Filesize

              192KB
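The process tree and the Downloads list above give enough to write a first-pass detection: a sample running from %TEMP% drops a second executable (huter.exe) and a batch file (sanfdr.bat) into the same directory, launches the executable directly, and runs the batch file through cmd.exe /c, while the report's Malware Config names two C2 addresses. The block below is an added example, not part of the sandbox report or of the Urelas sample; it turns those observations into matching functions and runs them over constructed Sysmon-style process and network records (the PIDs are taken from the tree above, the explorer.exe and msedge.exe parent PIDs 1000 and 9000 and the benign destination address are assumed). The msedge.exe utility process that the sandbox captured alongside the sample is included so the lineage rule is shown not to fire on it.

```python
"""Added example, not part of the sandbox report or the Urelas sample itself:
turns the report's IOCs and observed process lineage into detection logic and
runs it over a few constructed Sysmon-style events (event records are made up
for illustration, with PIDs borrowed from the report's process tree)."""
import re
from dataclasses import dataclass

# IOCs copied from the report: C2 addresses and SHA-256 of the sample and dropped files.
URELAS_C2 = {"112.175.88.208", "112.175.88.207"}
URELAS_SHA256 = {
    "f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0": "initial sample",
    "bb234f548d5328e219355ea9533e93526932c71a7eff2f59145db77914b323b6": "huter.exe",
    "6a6f9142af4836797f9217a61eb81d67c461f87a404ef8e3be6bcc5913023b38": "sanfdr.bat",
    "b7b165b08c5e5fff025ada3ba0b814d0e1323567a23ecd89d7b6f264e48c74b1": "golfinfo.ini",
}

# A file sitting directly under the user's %TEMP% directory (no subdirectory).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+$", re.IGNORECASE)
# cmd.exe /c on a .bat, tolerating the doubled quotes seen in the report's command line.
BAT_RE = re.compile(r'cmd\.exe.*?/c\s+"*(.+?\.bat)', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""


def process_tree_hits(events):
    """Flag a %TEMP% executable that spawns another %TEMP% executable or runs
    cmd.exe /c on a %TEMP% batch file: the two child processes the report shows."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not TEMP_RE.search(parent.image):
            continue
        if e.image.lower().endswith(".exe") and TEMP_RE.search(e.image):
            hits.append((parent.pid, e.pid, "temp exe spawns temp exe"))
        m = BAT_RE.search(e.cmdline)
        if m and TEMP_RE.search(m.group(1)):
            hits.append((parent.pid, e.pid, "temp exe runs cmd /c on temp .bat"))
    return hits


def hash_hits(events):
    """Match process image hashes against the report's SHA-256 IOCs."""
    return [(e.pid, URELAS_SHA256[e.sha256.lower()])
            for e in events if e.sha256.lower() in URELAS_SHA256]


def c2_hits(connections):
    """connections: iterable of (pid, destination_ip) taken from network events."""
    return [(pid, ip) for pid, ip in connections if ip in URELAS_C2]


# Constructed events mirroring the report's process tree. PIDs 2052, 4396, 3156 and
# 4580 are from the report; the parent PIDs 1000 (explorer.exe) and 9000 are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe"
EVENTS = [
    ProcEvent(2052, 1000, SAMPLE, f'"{SAMPLE}"',
              "f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0"),
    ProcEvent(4396, 2052, r"C:\Users\Admin\AppData\Local\Temp\huter.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\huter.exe"',
              "bb234f548d5328e219355ea9533e93526932c71a7eff2f59145db77914b323b6"),
    ProcEvent(3156, 2052, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'),
    # Unrelated browser helper process present in the same capture: must not match.
    ProcEvent(4580, 9000, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              "msedge.exe --type=utility --lang=en-US"),
]
# Constructed network events: one beacon to a listed C2 and one assumed benign connection.
CONNECTIONS = [(4396, "112.175.88.208"), (4580, "13.107.42.14")]

if __name__ == "__main__":
    for hit in process_tree_hits(EVENTS) + hash_hits(EVENTS) + c2_hits(CONNECTIONS):
        print(hit)
```

The lineage rule deliberately keys on the parent being an executable directly under %TEMP% rather than on the file names huter.exe or sanfdr.bat, since those are the part of the chain an operator can rename most cheaply; the hash and C2 lists are the exact-match layer and will go stale as the sample is repacked or the infrastructure moves.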