Analysis

  • max time kernel: 122s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 17/03/2024, 17:14

General

  • Target: d16d445722fcebd5b2c37bfe3ff79036.exe
  • Size: 180KB
  • MD5: d16d445722fcebd5b2c37bfe3ff79036
  • SHA1: ecace6bb09004314df7aea2bf9ea254c0d4f4f9c
  • SHA256: fee37357fdf781f827d0c1231eadf4a30b66f6081ee04ca57cbc9a5100c7540a
  • SHA512: ddac6af01f310aa62f1468992909693956d98ace8507086cb1542781976d9ee29ac35cef2797809afa6871bfe795c73cec6e396382223127a60da35e5c68007a
  • SSDEEP: 3072:z/5KFl81i04l2Fv2f9tMUr6of9MRNwda7KVr0cHneunw1oN:z/5KFl81jDv72RFMReGir0cHneMwqN

Score
10/10

Malware Config

Extracted

  • Family: urelas
  • C2:
    218.54.47.76
    218.54.47.77
    218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe (PID 1556)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe (PID 2172)
      Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      • Executes dropped EXE
    • C:\Windows\SysWOW64\cmd.exe (PID 2676)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      • Deletes itself

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
          Filesize: 512B
          MD5: 0750e4580a3e9076e82bdc6ad33ba927
          SHA1: b1e526b3833feda0e3b0738c6865fdac6360bf07
          SHA256: 74428e568204ea0d1c31570864cb96b1c2b672880f7575220957bf5fc2b24d89
          SHA512: 303b2cb8e644b336d7bf0892eadc84b414afdc41216719721aa0cf27fc18ecea1a2e943f07813c41d55c4166e489f89ec61a4fcead679ed3de8b323ecb42a8d9

        • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
          Filesize: 274B
          MD5: 84f7ac848c93111d2cf12ba7c7c87c36
          SHA1: 8bfb3409486b626307c09badd688c726ca3c5b76
          SHA256: 3fa668132b33f643e67a76f05ab51582276d55ee5d108a1762798587aa6193c0
          SHA512: 7a11b6cf78abd2b10f54e17af4fa6a1746792d1ca44277a98108ae7e1dfa32923fba818dc18504e7b644f90b849c9f970a8fdd960a10bd5f32f8fa641688ce78

        • \Users\Admin\AppData\Local\Temp\biudfw.exe
          Filesize: 180KB
          MD5: 3a34d8f9b601456c000ca2655b553c76
          SHA1: ca18fb77803e0e27f212d483b1f07f8dabd5abfd
          SHA256: b48ba6dc5422a03534b2b0c3b5938f1abe8cd3ca815be69627b19154fabce5aa
          SHA512: 68c31ca487a43773301b2272b0fbe628d6b5be62f1ccf4b6340b107023e396c436ca0d55c1ed0949e0ce43be546c677e0bc492c88c2566af601574374072e168

        • memory/1556-0-0x00000000001F0000-0x0000000000221000-memory.dmp
          Filesize: 196KB

        • memory/1556-17-0x00000000001F0000-0x0000000000221000-memory.dmp
          Filesize: 196KB

        • memory/2172-9-0x0000000000F90000-0x0000000000FC1000-memory.dmp
          Filesize: 196KB

        • memory/2172-20-0x0000000000F90000-0x0000000000FC1000-memory.dmp
          Filesize: 196KB

        • memory/2172-21-0x0000000000F90000-0x0000000000FC1000-memory.dmp
          Filesize: 196KB