Analysis

  • max time kernel: 150s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 17/03/2024, 17:14

General

  • Target: d16d445722fcebd5b2c37bfe3ff79036.exe
  • Size: 180KB
  • MD5: d16d445722fcebd5b2c37bfe3ff79036
  • SHA1: ecace6bb09004314df7aea2bf9ea254c0d4f4f9c
  • SHA256: fee37357fdf781f827d0c1231eadf4a30b66f6081ee04ca57cbc9a5100c7540a
  • SHA512: ddac6af01f310aa62f1468992909693956d98ace8507086cb1542781976d9ee29ac35cef2797809afa6871bfe795c73cec6e396382223127a60da35e5c68007a
  • SSDEEP: 3072:z/5KFl81i04l2Fv2f9tMUr6of9MRNwda7KVr0cHneunw1oN:z/5KFl81jDv72RFMReGir0cHneMwqN

Score
10/10

Malware Config

Extracted

  • Family: urelas
  • C2: 218.54.47.76, 218.54.47.77, 218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe
    "C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe"
    PID:2064
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      PID:2404
      • Executes dropped EXE
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID:4680

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
    Filesize: 180KB
    MD5: ca9e53442e22e11b6959830a52e3818d
    SHA1: 6ef53e0eda45eb13735f5b350e876f743f6db36b
    SHA256: f58dbc21e606cadcc6a3f3565547cd8b5a24bbd42459e0d20d115b6012a5dd58
    SHA512: 29ff405ddc9e2c52b212937b52c19ce0b6b4a94648a462dbf8fe947bd2078001799e73142c5e5c92a0ff18fc152eedb707fb40192223e09abcd0704d3bc5677a
  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize: 512B
    MD5: 0750e4580a3e9076e82bdc6ad33ba927
    SHA1: b1e526b3833feda0e3b0738c6865fdac6360bf07
    SHA256: 74428e568204ea0d1c31570864cb96b1c2b672880f7575220957bf5fc2b24d89
    SHA512: 303b2cb8e644b336d7bf0892eadc84b414afdc41216719721aa0cf27fc18ecea1a2e943f07813c41d55c4166e489f89ec61a4fcead679ed3de8b323ecb42a8d9
  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
    Filesize: 274B
    MD5: 84f7ac848c93111d2cf12ba7c7c87c36
    SHA1: 8bfb3409486b626307c09badd688c726ca3c5b76
    SHA256: 3fa668132b33f643e67a76f05ab51582276d55ee5d108a1762798587aa6193c0
    SHA512: 7a11b6cf78abd2b10f54e17af4fa6a1746792d1ca44277a98108ae7e1dfa32923fba818dc18504e7b644f90b849c9f970a8fdd960a10bd5f32f8fa641688ce78
  • memory/2064-0-0x00000000002E0000-0x0000000000311000-memory.dmp
    Filesize: 196KB
  • memory/2064-17-0x00000000002E0000-0x0000000000311000-memory.dmp
    Filesize: 196KB
  • memory/2404-12-0x0000000000490000-0x00000000004C1000-memory.dmp
    Filesize: 196KB
  • memory/2404-20-0x0000000000490000-0x00000000004C1000-memory.dmp
    Filesize: 196KB
  • memory/2404-21-0x0000000000490000-0x00000000004C1000-memory.dmp
    Filesize: 196KB