Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/03/2024, 09:05

General

  • Target

    d07ae5eb7a8e9c65fd0be420c14a0bb2.exe

  • Size

    187KB

  • MD5

    d07ae5eb7a8e9c65fd0be420c14a0bb2

  • SHA1

    ebe8e5114b9fe1f8599b69f4de189676d6624301

  • SHA256

    ad3fdf98b8be3c2bc0f7fe96aec6df4bd686fee78f5249cb73aeffe65540b99d

  • SHA512

    3bce4a31d8c09ec196497ff7fc5fb534f057b18c6ca291382c06286662f220e99eb89063fce1ba6bbd5826bf9df3bf01f2fe9905f8096628836286fdf1e0e095

  • SSDEEP

    3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFad:2mvqeP33AYFIN9treHy

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe
    "C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      PID:2880
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • Deletes itself
      PID:2728

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

          Filesize

          512B

          MD5

          1e75a7e32613b9d0b73f13b66c2c2f58

          SHA1

          035e2d6ab4ac34190f0e684681098188409e978c

          SHA256

          9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3

          SHA512

          e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

        • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

          Filesize

          274B

          MD5

          bc1d434dffa395a95abd4d58f4d2fbdf

          SHA1

          f634dbbd5cd486ce545b80fcb03cdfee27f6d61f

          SHA256

          3399bedd7600583509c2abba117b9430dde2c884a9cb6bf86ea01a37b6b8ced5

          SHA512

          1a1f9d9274bb7da1287b0bf1b1cf4db1823a5ad2247644583e4e31e45307fce1ef503140f59ba11d9043701ad035c6e83ab2568b5ff0cd9fc92a7b27d76c5d1f

        • \Users\Admin\AppData\Local\Temp\biudfw.exe

          Filesize

          187KB

          MD5

          d07ae5eb7a8e9c65fd0be420c14a0bb2

          SHA1

          ebe8e5114b9fe1f8599b69f4de189676d6624301

          SHA256

          ad3fdf98b8be3c2bc0f7fe96aec6df4bd686fee78f5249cb73aeffe65540b99d

          SHA512

          3bce4a31d8c09ec196497ff7fc5fb534f057b18c6ca291382c06286662f220e99eb89063fce1ba6bbd5826bf9df3bf01f2fe9905f8096628836286fdf1e0e095

        • memory/2172-0-0x0000000000840000-0x0000000000872000-memory.dmp

          Filesize

          200KB

        • memory/2172-6-0x00000000003A0000-0x00000000003D2000-memory.dmp

          Filesize

          200KB

        • memory/2172-17-0x0000000000840000-0x0000000000872000-memory.dmp

          Filesize

          200KB

        • memory/2880-18-0x00000000011F0000-0x0000000001222000-memory.dmp

          Filesize

          200KB

        • memory/2880-21-0x00000000011F0000-0x0000000001222000-memory.dmp

          Filesize

          200KB

        • memory/2880-22-0x00000000011F0000-0x0000000001222000-memory.dmp

          Filesize

          200KB