Analysis

  • max time kernel
    91s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    27-07-2024 08:12

General

  • Target

    acf28e718581966b6f116d765656eb30N.exe

  • Size

    56KB

  • MD5

    acf28e718581966b6f116d765656eb30

  • SHA1

    ff3aadbe4a294cafb424e7a06df54dab563d2639

  • SHA256

    ab523b44bb896976cbd004767f37aaf5475fdb212156c61276dce81c8b9a77d4

  • SHA512

    2b034f9f2a218fdcb4bd2e88bc5a2f21dac4793bab2076cef730e41a1c4be934f4f4676032f3107e86d914483757be73a258244a7ce67f931feb623186d9ad74

  • SSDEEP

    1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS8Ha:MOemdTd1o74qlmbbJ+x+IkJa

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe
    "C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2084
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    7cdc8777d33db85bc19aefb64879a7f7

    SHA1

    f2d494d4dfe93a05eb58513935196e8578648adf

    SHA256

    9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336

    SHA512

    34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    276B

    MD5

    1c644509f50a95e09933bf8ed8b1dedb

    SHA1

    62c73d2fa1960469d7fb4680c2bc735f1d56ce71

    SHA256

    d94ff3c021f239a0e3726aca73472a472afdb1cf6d004347cb2d9f53914b8525

    SHA512

    bcddf3479074caf029c6f46369fabbedac2b5c56d1728980c4a77c2db113cfd615cc2a2ff4a183b58534caa0d7fe522279b24b6f840d04c1a3236923cac64ddf

  • \Users\Admin\AppData\Local\Temp\biudfw.exe

    Filesize

    56KB

    MD5

    a2a81ccaa4d0ae43969ccd5b7ed24c05

    SHA1

    cf2f95fe73d2e740b4cd1a8a663e834d2293adde

    SHA256

    de93351a17cc372daec90f4aa3bfbe084b5d9bf19572550c30141367b05aebd6

    SHA512

    fb7860ac9942a2448588e29eccf16d23cbb2e67da17eb0d805b66c6d533fe73b6e638361d6233db6babc49c3385554019ff060234921c252270c195a5d9cb2ed

  • memory/2064-0-0x0000000001060000-0x0000000001086000-memory.dmp

    Filesize

    152KB

  • memory/2064-6-0x00000000005A0000-0x00000000005C6000-memory.dmp

    Filesize

    152KB

  • memory/2064-19-0x0000000001060000-0x0000000001086000-memory.dmp

    Filesize

    152KB

  • memory/2084-17-0x0000000000830000-0x0000000000856000-memory.dmp

    Filesize

    152KB

  • memory/2084-22-0x0000000000830000-0x0000000000856000-memory.dmp

    Filesize

    152KB

  • memory/2084-24-0x0000000000830000-0x0000000000856000-memory.dmp

    Filesize

    152KB

  • memory/2084-30-0x0000000000830000-0x0000000000856000-memory.dmp

    Filesize

    152KB