Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/03/2024, 09:05

General

  • Target

    d07ae5eb7a8e9c65fd0be420c14a0bb2.exe

  • Size

    187KB

  • MD5

    d07ae5eb7a8e9c65fd0be420c14a0bb2

  • SHA1

    ebe8e5114b9fe1f8599b69f4de189676d6624301

  • SHA256

    ad3fdf98b8be3c2bc0f7fe96aec6df4bd686fee78f5249cb73aeffe65540b99d

  • SHA512

    3bce4a31d8c09ec196497ff7fc5fb534f057b18c6ca291382c06286662f220e99eb89063fce1ba6bbd5826bf9df3bf01f2fe9905f8096628836286fdf1e0e095

  • SSDEEP

    3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFad:2mvqeP33AYFIN9treHy

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely to geofence execution to (or away from) particular regions.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe
    "C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      PID:4220
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
        PID:2844
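The process tree above shows the chain a detection should key on: the submitted sample runs from the user's Temp directory, drops biudfw.exe into the same directory and executes it, and runs sanfdr.bat through cmd.exe /c. The following is an added example, not part of the sandbox report or of any vendor tooling, that flags both steps over process-creation records. The record layout (ProcessId, ParentProcessId, Image, CommandLine) is an assumed Sysmon-like shape; the PIDs and paths are taken from the tree above, while the root process's parent PID and the benign notepad row are constructed.

```python
"""Added example: flag a Temp-resident parent that spawns a dropped EXE from
Temp or runs a .bat from Temp via cmd.exe /c. Record layout is an assumption
modelled on Sysmon event 1; records are constructed from the report."""
import re

# Constructed from the report's process tree. ParentProcessId 1000 for the
# root and the notepad.exe control row are assumptions, not report data.
EVENTS = [
    {"ProcessId": 2352, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe"'},
    {"ProcessId": 4220, "ParentProcessId": 2352,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\biudfw.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"'},
    {"ProcessId": 2844, "ParentProcessId": 2352,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'},
    # Benign control: explorer launching notepad must not alert.
    {"ProcessId": 5100, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe"'},
]

# Any user's ...\AppData\Local\Temp\ directory.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd.exe /c followed by a (possibly double-quoted) path ending in .bat.
BAT_VIA_CMD = re.compile(r'\\cmd\.exe"?\s+/c\s+"*(.+?\.bat)', re.IGNORECASE)


def in_temp(path):
    """True if the path sits under a user's Temp directory."""
    return bool(TEMP_DIR.search(path))


def find_drop_and_run(events):
    """Return (rule, parent_pid, child_pid, artifact) tuples for each child of
    a Temp-resident parent that is itself an EXE in Temp, or cmd.exe running
    a .bat from Temp. Children whose parent is not in the batch are skipped."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ParentProcessId"])
        if parent is None or not in_temp(parent["Image"]):
            continue
        image = e["Image"].lower()
        if image.endswith(".exe") and in_temp(image):
            alerts.append(("dropped_exe_from_temp", parent["ProcessId"],
                           e["ProcessId"], e["Image"]))
        m = BAT_VIA_CMD.search(e["CommandLine"])
        if image.endswith("\\cmd.exe") and m and in_temp(m.group(1)):
            alerts.append(("temp_batch_via_cmd", parent["ProcessId"],
                           e["ProcessId"], m.group(1)))
    return alerts


if __name__ == "__main__":
    for alert in find_drop_and_run(EVENTS):
        print(alert)
```

Both rules require the parent to live in Temp, so a user double-clicking a script from Downloads does not trip the batch rule on its own; tune the directory pattern to whatever staging locations matter in your environment.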

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\biudfw.exe

            Filesize

            187KB

            MD5

            f44af430d6ad8e3c542b3acd781a3139

            SHA1

            a03a6632a2d1aad44487ad19b38adb514c5287d8

            SHA256

            71b5fad460ac5290dbbe3672f5dc54cf458d9eba2199f1fccff81c9915263e39

            SHA512

            91f6254a0f968d55f43700888704f108e079d51d7f67d1948b0e955b471ee9bf62ab957c1d1c3b72716dc3b660b27b1d4da6059d5b0f447c60a2926afd98643a

          • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

            Filesize

            512B

            MD5

            1e75a7e32613b9d0b73f13b66c2c2f58

            SHA1

            035e2d6ab4ac34190f0e684681098188409e978c

            SHA256

            9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3

            SHA512

            e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

          • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

            Filesize

            274B

            MD5

            bc1d434dffa395a95abd4d58f4d2fbdf

            SHA1

            f634dbbd5cd486ce545b80fcb03cdfee27f6d61f

            SHA256

            3399bedd7600583509c2abba117b9430dde2c884a9cb6bf86ea01a37b6b8ced5

            SHA512

            1a1f9d9274bb7da1287b0bf1b1cf4db1823a5ad2247644583e4e31e45307fce1ef503140f59ba11d9043701ad035c6e83ab2568b5ff0cd9fc92a7b27d76c5d1f

          • memory/2352-0-0x0000000000C90000-0x0000000000CC2000-memory.dmp

            Filesize

            200KB

          • memory/2352-17-0x0000000000C90000-0x0000000000CC2000-memory.dmp

            Filesize

            200KB

          • memory/4220-15-0x0000000000620000-0x0000000000652000-memory.dmp

            Filesize

            200KB

          • memory/4220-20-0x0000000000620000-0x0000000000652000-memory.dmp

            Filesize

            200KB

          • memory/4220-21-0x0000000000620000-0x0000000000652000-memory.dmp

            Filesize

            200KB
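The indicators worth carrying out of this report are the three C2 addresses under Malware Config and the file hashes under Downloads (note that the dropped biudfw.exe is the same size as the submitted sample, 187KB, but hashes differently, so matching on the submitted file's hashes alone misses the dropped copy). The following is an added example, not part of the sandbox report or of any vendor tooling, that checks a file's digests and a set of observed connections against those indicators. The hash table and C2 list are copied from this report; the file bytes and flow records are constructed for the demonstration, and the "same /24" rule is an analyst's choice of lower-confidence indicator, not something the report states.

```python
"""Added example: match file digests and destination IPs against the
indicators listed in this report. Hash values and C2 addresses are from the
report; sample bytes, flow lines and the /24 rule are assumptions."""
import hashlib
import ipaddress

# MD5 / SHA1 / SHA256 of each artifact, copied from the report.
FILE_IOCS = {
    "d07ae5eb7a8e9c65fd0be420c14a0bb2": "d07ae5eb7a8e9c65fd0be420c14a0bb2.exe",
    "ebe8e5114b9fe1f8599b69f4de189676d6624301": "d07ae5eb7a8e9c65fd0be420c14a0bb2.exe",
    "ad3fdf98b8be3c2bc0f7fe96aec6df4bd686fee78f5249cb73aeffe65540b99d": "d07ae5eb7a8e9c65fd0be420c14a0bb2.exe",
    "f44af430d6ad8e3c542b3acd781a3139": "biudfw.exe",
    "a03a6632a2d1aad44487ad19b38adb514c5287d8": "biudfw.exe",
    "71b5fad460ac5290dbbe3672f5dc54cf458d9eba2199f1fccff81c9915263e39": "biudfw.exe",
    "1e75a7e32613b9d0b73f13b66c2c2f58": "golfinfo.ini",
    "035e2d6ab4ac34190f0e684681098188409e978c": "golfinfo.ini",
    "9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3": "golfinfo.ini",
    "bc1d434dffa395a95abd4d58f4d2fbdf": "sanfdr.bat",
    "f634dbbd5cd486ce545b80fcb03cdfee27f6d61f": "sanfdr.bat",
    "3399bedd7600583509c2abba117b9430dde2c884a9cb6bf86ea01a37b6b8ced5": "sanfdr.bat",
}

# C2 addresses from the report's extracted config.
C2_IPS = {"218.54.47.76", "218.54.47.77", "218.54.47.74"}
# Assumption (analyst choice): neighbours in the same /24 are lower-confidence hits.
C2_NET = ipaddress.ip_network("218.54.47.0/24")


def hash_bytes(data):
    """Compute the four digests the report lists for a blob of file bytes."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def match_file(data):
    """Return (digests, hits) where hits maps algorithm -> report artifact name
    for every digest that appears in FILE_IOCS."""
    digests = hash_bytes(data)
    hits = {alg: FILE_IOCS[d] for alg, d in digests.items() if d in FILE_IOCS}
    return digests, hits


def match_connections(flows):
    """flows: iterable of 'src dst dport' strings (constructed layout).
    Returns (dst, dport, confidence) for exact C2 hits and same-/24 hits."""
    hits = []
    for line in flows:
        _src, dst, dport = line.split()
        if dst in C2_IPS:
            hits.append((dst, int(dport), "exact"))
        elif ipaddress.ip_address(dst) in C2_NET:
            hits.append((dst, int(dport), "same_/24"))
    return hits


# Constructed flow records; ports are invented, the report lists none.
SAMPLE_FLOWS = [
    "10.0.0.5 218.54.47.76 80",
    "10.0.0.5 8.8.8.8 53",
    "10.0.0.5 218.54.47.9 443",
]

if __name__ == "__main__":
    digests, hits = match_file(b"abc")  # constructed bytes, not the sample
    print(digests["sha256"], hits)
    print(match_connections(SAMPLE_FLOWS))
```

Matching on all three digests per artifact means a feed that only carries one algorithm still produces a hit; the same-/24 rule is only a prompt to look closer, since shared hosting puts unrelated tenants in the same block.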