Analysis

  • max time kernel
    120s
  • max time network
    93s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

arch:x64
    arch:x86
    image:win7-20240704-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    27-07-2024 10:47

General

  • Target

    b8f788750bcdec10cdca7daa18c166f0N.exe

  • Size

    324KB

  • MD5

    b8f788750bcdec10cdca7daa18c166f0

  • SHA1

    5ae561b0a5a5cdfa1aadb20f2355e718670c471c

  • SHA256

    2b26868cdea1e236721c55cf842cce7d4a0aec370543c6a819dda8ccb8570d43

  • SHA512

    7df0a5b99a15d111ef047eb455243d715cb3d987e1bf043ca7f4124cf2d4db558a2be7b5eecc27ee367b3b41d6942261bde9b80419de04d5b97d60a7a79f7d67

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYuA:vHW138/iXWlK885rKlGSekcj66ciU

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Users\Admin\AppData\Local\Temp\wiilg.exe
      "C:\Users\Admin\AppData\Local\Temp\wiilg.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Users\Admin\AppData\Local\Temp\nureo.exe
        "C:\Users\Admin\AppData\Local\Temp\nureo.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2032
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2620
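The process tree above shows the two behaviours that make this sample detectable without its hashes: a dropper in %TEMP% executing further dropped executables from the same directory (b8f…N.exe → wiilg.exe → nureo.exe), and the dropper spawning cmd.exe on a .bat file in %TEMP% to delete itself. The following Python is an added example, not part of the sandbox report or of any detection product: it encodes those two patterns plus the extracted C2 list as checks over process-creation and connection events. The event records are constructed from the PIDs, image paths and command lines shown in the tree; the field names (pid, ppid, image, cmdline) are an assumption modelled on Sysmon Event ID 1, and the connection tuples are likewise constructed for illustration.

```python
"""Behavioural and IOC checks derived from the Urelas process tree above.

Added example, not part of the sandbox report. Event field names follow a
Sysmon-like schema (assumption); the sample events are constructed from the
report's process tree and extracted C2 list.
"""
import re
from dataclasses import dataclass

# C2 addresses from the report's extracted malware config
URELAS_C2 = {"218.54.31.226", "218.54.31.165", "218.54.31.166"}

# Matches C:\Users\<user>\AppData\Local\Temp\ (case-insensitive)
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Matches `cmd /c ""<path>.bat" "` and similar quoting variants
BAT_VIA_CMD = re.compile(r'^cmd(\.exe)?\s+/c\s+"*(?P<bat>[^"]+\.bat)"*', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs, paths and command lines as
# shown there; ppid 1000 for the root process is an assumed launcher PID).
EVENTS = [
    ProcEvent(2436, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe"'),
    ProcEvent(2452, 2436,
              r"C:\Users\Admin\AppData\Local\Temp\wiilg.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\wiilg.exe"'),
    ProcEvent(2032, 2452,
              r"C:\Users\Admin\AppData\Local\Temp\nureo.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\nureo.exe"'),
    ProcEvent(2620, 2436,
              r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
]

# Constructed connection records (pid, destination IP); the 8.8.8.8 entry is
# benign noise to show the filter discarding it.
CONNECTIONS = [(2032, "218.54.31.226"), (2032, "8.8.8.8"), (2452, "218.54.31.165")]


def in_temp(path: str) -> bool:
    return bool(TEMP_DIR.match(path))


def find_temp_chains(events):
    """(parent_pid, child_pid) pairs where a %TEMP% executable spawned another one."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and in_temp(parent.image) and in_temp(e.image):
            hits.append((parent.pid, e.pid))
    return hits


def find_self_delete(events):
    """(parent_pid, bat_path) where a %TEMP% executable ran cmd /c on a %TEMP% .bat,
    the dropper clean-up step flagged as "Deletes itself" in the report."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = BAT_VIA_CMD.match(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and in_temp(parent.image) and in_temp(m.group("bat")):
            hits.append((parent.pid, m.group("bat")))
    return hits


def c2_hits(connections):
    """Return the (pid, dst_ip) connections that go to a known Urelas C2."""
    return [(pid, ip) for pid, ip in connections if ip in URELAS_C2]


def analyze(events=EVENTS, connections=CONNECTIONS):
    """Run all three checks and return the findings as one dict."""
    return {
        "temp_chains": find_temp_chains(events),
        "self_delete": find_self_delete(events),
        "c2": c2_hits(connections),
    }


if __name__ == "__main__":
    for name, hits in analyze().items():
        print(f"{name}: {hits}")
```

The two behavioural checks are deliberately independent of the file names, which this family changes per build (wiilg.exe, nureo.exe and _uinsey.bat are not stable indicators); the C2 set is the only part tied to this specific config and should be refreshed from the extracted configuration of newer samples.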

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    278B

    MD5

    4bdf2c8288ae06e45710056749f1d337

    SHA1

    3b88947abd5b1fca78c668f647393a26f0307073

    SHA256

    11e92f37d446d4b84dc610d076e96f67471fa566245d5c0299084a8086b68e2a

    SHA512

    83f8aa91fabc6d745ae8d5efc621da8e951cf3cb5f7b1727ecdc72bcdd5b6d78d2f7c81495befaaaa6a3ecc416b4df6a0c0bcc98cbe5fee86155c51a6a082999

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    0f197c97bd93a24239da3c685b55332f

    SHA1

    6f7d0c721b147f3c5c2584234a770dbbd7df526b

    SHA256

    59486b9d1d2d800e8e4515d85da0586fdc544f154c24458d2067ea8bcacc351a

    SHA512

    fe3895909df0a9ae216c24a6c9348b473af893ced4884e78327b57aef995fdff9ecce56ecaaf050e9ff248e08e190462da17d0225cefbf076713d4e952d26fb3

  • \Users\Admin\AppData\Local\Temp\nureo.exe

    Filesize

    172KB

    MD5

    73c2a8bccb03eb4bee86971fd7b8748a

    SHA1

    8bf11a5b5e750f25a05dfe366e6638163238a238

    SHA256

    f498fe5f3056b87a2bbdf1db74f483d5f20c34b8987bd9cf553faec2f456d9cb

    SHA512

    6c1482e641b2480bcba3fe49417df57db872345a93d11781e9ec51f93825998e92bf38137fac399442b42c433d7126c36fadf73af52c4c24dd7c255fcbe12701

  • \Users\Admin\AppData\Local\Temp\wiilg.exe

    Filesize

    324KB

    MD5

    5482a6c1902767752742709b8fbf1d86

    SHA1

    0a99db74890ee7da60458d0e85846ae20ef6a994

    SHA256

    4539ce13c37dce1f70179abefe7a34f23fa8c42448ee8066c4ad531e3ae5a0af

    SHA512

    6f60fe03a17013bd0a7ecafd0fdfa7ea4373e067f709b70914105abd0342445ceccf36a62aee7db58be8107a4eab3283979f32619637f1d6da0135195ad7f562

  • memory/2032-41-0x0000000000820000-0x00000000008B9000-memory.dmp

    Filesize

    612KB

  • memory/2032-46-0x0000000000820000-0x00000000008B9000-memory.dmp

    Filesize

    612KB

  • memory/2032-45-0x0000000000820000-0x00000000008B9000-memory.dmp

    Filesize

    612KB

  • memory/2032-40-0x0000000000820000-0x00000000008B9000-memory.dmp

    Filesize

    612KB

  • memory/2436-0-0x0000000000D10000-0x0000000000D91000-memory.dmp

    Filesize

    516KB

  • memory/2436-7-0x00000000028F0000-0x0000000002971000-memory.dmp

    Filesize

    516KB

  • memory/2436-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2436-20-0x0000000000D10000-0x0000000000D91000-memory.dmp

    Filesize

    516KB

  • memory/2452-13-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2452-39-0x0000000000FA0000-0x0000000001021000-memory.dmp

    Filesize

    516KB

  • memory/2452-23-0x0000000000FA0000-0x0000000001021000-memory.dmp

    Filesize

    516KB

  • memory/2452-12-0x0000000000FA0000-0x0000000001021000-memory.dmp

    Filesize

    516KB