Analysis

  • max time kernel
    89s
  • max time network
    93s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2024 23:20

General

  • Target

    6914ce5eb27b92b5ce458c06eac964b0N.exe

  • Size

    69KB

  • MD5

    6914ce5eb27b92b5ce458c06eac964b0

  • SHA1

    15c16d67e68b6000511a9436957b9e392d562cf5

  • SHA256

    4fcf1ad0f4dbe5bc30c644767e49e3eeb459636963d22778f83cb346b8e05577

  • SHA512

    9f549ffc2bccff68367372e3ce7ca39fab7ac1e3b8b4a312af29a4fd55eb40ab6f6ca41626fea31c45da21111a6cbd8d62936689335d548c6be6dc6855d8cfa8

  • SSDEEP

    1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCarawi:yLAYUzmdD0sMQl7d7IuhCae1

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2536
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1936

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    1c9b2720af0ca9528b47898d9c7f4799

    SHA1

    80495f16e333f54ecc700252323c2a7cb7d751e1

    SHA256

    d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

    SHA512

    5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    276B

    MD5

    55cceab02cdd862011c08a2718d97bf0

    SHA1

    52d86666f6684acab0bacafbf4c97cdc4e500019

    SHA256

    184375989cfb2b460331312fad8f72037fc45e3c9d7df9738ed497114229808d

    SHA512

    f330bcd3a607e4e1275dadea380e74e693f62e2da13b245e91eef54e851504df9260da555ab6f50bdf17d26ee6b28699f4d72c2c6bc264b44be38be92472e0bb

  • \Users\Admin\AppData\Local\Temp\biudfw.exe

    Filesize

    69KB

    MD5

    00989879661bf8eed1d769b7f672f29f

    SHA1

    d54ada255aafd9e1c92fb7205b79c248cf4d8d31

    SHA256

    2175a4627de5fef0306944bf686f707068639f9a2593160340db6404202f7df7

    SHA512

    2d0a5cb5dc8e6e42d3b159e95842a12b20caa27ff6123b606c991396172251c62542fe1fa62f7df337dced59766695163c66f9a8ede29891a09e8f8a47ac7c8c

  • memory/2412-0-0x0000000001050000-0x0000000001077000-memory.dmp

    Filesize

    156KB

  • memory/2412-6-0x00000000004E0000-0x0000000000507000-memory.dmp

    Filesize

    156KB

  • memory/2412-19-0x0000000001050000-0x0000000001077000-memory.dmp

    Filesize

    156KB

  • memory/2536-10-0x00000000001A0000-0x00000000001C7000-memory.dmp

    Filesize

    156KB

  • memory/2536-22-0x00000000001A0000-0x00000000001C7000-memory.dmp

    Filesize

    156KB

  • memory/2536-24-0x00000000001A0000-0x00000000001C7000-memory.dmp

    Filesize

    156KB

  • memory/2536-30-0x00000000001A0000-0x00000000001C7000-memory.dmp

    Filesize

    156KB