Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/03/2024, 03:40

General

  • Target

    cfd5c1aa6724937811319258b8ef1acf.exe

  • Size

    445KB

  • MD5

    cfd5c1aa6724937811319258b8ef1acf

  • SHA1

    bc03f8c15cc1ff46eb8fc3af6d3b835001b2d242

  • SHA256

    a4ba88a728adc6608e0589a1b1f473e1c3b841d7b3b074735e89de4896c56d9c

  • SHA512

    62d1a0c91dea0ebba830c9d6a9eb3e3e474121e1ec9c76ecd3e45c2997bd3c6897e3b5935e4cc857e79c12275ae4811f78f40d537158f276a978d860a4451908

  • SSDEEP

    6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoL:PMpASIcWYx2U6hAJQnH

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe
    "C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\ygleg.exe
      "C:\Users\Admin\AppData\Local\Temp\ygleg.exe" hi
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Users\Admin\AppData\Local\Temp\duloxo.exe
        "C:\Users\Admin\AppData\Local\Temp\duloxo.exe" OK
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Local\Temp\simyc.exe
          "C:\Users\Admin\AppData\Local\Temp\simyc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:356
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          PID:2156
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        2⤵
        • Deletes itself
        PID:1268

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

            Filesize

            276B

            MD5

            65fd3a13a52c711374fd6ddd251f4568

            SHA1

            5e03bab03cd1243d2381f725b1b70b505d88b236

            SHA256

            3caab30d0f3b69820e0cfdf003a77831da6e053417d8ecb744a4b097122ef4b0

            SHA512

            5858224a2f573c9bf6034be522b21500bcae5066b6d56a0d4709095ef500ec1e9224b46633bb23dbee58ae4abc715d8fda698657fe9d5adbd01459b063623bae

          • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

            Filesize

            224B

            MD5

            5583b82a3be6ed8b547e222bfceec3f1

            SHA1

            05c3bfa771aae75842fc5a0327a69246f2775dfa

            SHA256

            986fa65fc9595c06ed90e9403fcdfd085df8c9598d78fd8156fdb2d40737fd03

            SHA512

            e140a14aa6f25e34b683c1e8b3b74d6e442766a8c445df7e923f46fdf18a5586447a828a9c330e5f007f28a84e4a8d96889219adb0769346ea65a821c5a5fead

          • C:\Users\Admin\AppData\Local\Temp\duloxo.exe

            Filesize

            445KB

            MD5

            f9bad2a336f0fdfbb02390e6329e5425

            SHA1

            145558c3254d4ac773b43dcb77e657a5497935dc

            SHA256

            86c5bf0c174c305036f7aeb4cbed7ca79ce3bb8032c71dcc4aaa79a76d6a6ae2

            SHA512

            cf16e147af3655f5731c76dcc1edafdce5e29bde49e1e8532f33e0f8d3790064a308519a3b2d4bc421ad3a2fbd493f7c9c18d82803270908e75a713c65ac9077

          • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

            Filesize

            512B

            MD5

            3598d114d7086fd1cc2bfb5853f9d900

            SHA1

            170bd1f4831aca145318380536f73141d1549edd

            SHA256

            ccd56ffaeedeef855550b6f10efeacb133452f36475d0f108b5b0e3592b03815

            SHA512

            2a49d76d3ee4994e5099fdbd1f2e08be3fba8f548c01f72637f4bd02924c1615110d9f6521a8501cb41259e9002c6114a4bd0002bf5ad26ed484f34e92182aef

          • \Users\Admin\AppData\Local\Temp\simyc.exe

            Filesize

            223KB

            MD5

            2a84363eb633d17990f7bf2169aa5c54

            SHA1

            d4e509b6c002e934a3520ce538d277610649b380

            SHA256

            ff92e3e5bb7d3d2205ca1aada8774146c2d8abd88b95288612d7eade2b93cda2

            SHA512

            fb5e79113cc9e635ae884f93e2337bfb362163ce2fb7dc22f6798f1660f992c7f106f9a3b7b0df8e8abbfadc33dcd5f9a2e4530b5931a282b0e1b8e53174c551

          • \Users\Admin\AppData\Local\Temp\ygleg.exe

            Filesize

            445KB

            MD5

            9ac5c56008564d493791fd16f533ced3

            SHA1

            15f136d84ad7d84d885724da029aee91181387e8

            SHA256

            f4436b9f15c3131a3a791d5fe45c127a3cd52dee67b470cbe08e53e8e2cb5fc5

            SHA512

            fd1177c8f136005baea1a6bc65076aec126deb1d4d48ffa0dccbbb67eee255f2839b661613da3f0549b51c3ba5523a37bee37946bb7186c0a9a17a56c430dbc8

          • memory/356-55-0x0000000000AE0000-0x0000000000B80000-memory.dmp

            Filesize

            640KB

          • memory/356-51-0x0000000000AE0000-0x0000000000B80000-memory.dmp

            Filesize

            640KB

          • memory/356-54-0x0000000000AE0000-0x0000000000B80000-memory.dmp

            Filesize

            640KB

          • memory/356-53-0x0000000000AE0000-0x0000000000B80000-memory.dmp

            Filesize

            640KB

          • memory/356-46-0x0000000000AE0000-0x0000000000B80000-memory.dmp

            Filesize

            640KB

          • memory/356-47-0x0000000000020000-0x0000000000021000-memory.dmp

            Filesize

            4KB

          • memory/356-52-0x0000000000AE0000-0x0000000000B80000-memory.dmp

            Filesize

            640KB

          • memory/2004-0-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

          • memory/2004-16-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

          • memory/2004-6-0x0000000002BC0000-0x0000000002C2E000-memory.dmp

            Filesize

            440KB

          • memory/2088-19-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

          • memory/2088-28-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

          • memory/2540-44-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

          • memory/2540-35-0x0000000003D80000-0x0000000003E20000-memory.dmp

            Filesize

            640KB

          • memory/2540-29-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB