Analysis

  • max time kernel
    69s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 07:07

General

  • Target

    68d69faf6220c50a95de6b54815474f0N.exe

  • Size

    91KB

  • MD5

    68d69faf6220c50a95de6b54815474f0

  • SHA1

    f5913e186c2b40d230149ae9b77beb0be3514036

  • SHA256

    01f890783b8750e10b5c62cc087e5fbeb7b924bca6ecb2e522351831a919bcc1

  • SHA512

    e6f14fb6c54f0a36e3a53ed545523bc5309c61af5a6415b5ab62e043924d41bd0fd3b0bf4f98295ace4cdc1daf9c2bd8bd16af535284474e35b224280bcc5ed2

  • SSDEEP

    768:2geZ5QeklJQ35pPRuIkUD1sYAQ/TN71N1adOZSHj9jaSCpOzIi7D8kUUUNUE0:heZqP25TuIfmS7Fv1aUZSD9yiIHq

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.28.139

121.88.5.183

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\poldge.exe
      "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2440
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    3f372385bf24b44385f4b1251d3aca4d

    SHA1

    83546de6ba8f20bd08a15896d34f6242ed64352f

    SHA256

    b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27

    SHA512

    d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    276B

    MD5

    dff8e39ed48c596107b0527450202ab2

    SHA1

    f5442f78bf9926ecfa56152e4ebbc1e1af041f8e

    SHA256

    174bac57d3f72e76634e3babdc911b9742e05fb62810425075aef9e0944d1768

    SHA512

    dd9d73e9a020dbd3b081a6665078a1e68e68e5d1041c52a51ce1f326f0b9e0694a488d11c91554cad4861e008c16d9a8a6ad6f961af5788729572f0078f05b09

  • \Users\Admin\AppData\Local\Temp\poldge.exe

    Filesize

    91KB

    MD5

    3083e7bd8495296f665b4764a22f4df6

    SHA1

    3c3d49e1090e3cf53c5cd4c181c318a08092c139

    SHA256

    09eced2ce52e1af674c0a8637a5f9924050fc22e77da83b229bae5df9bbdb715

    SHA512

    3fc96c81d4d5f9b2182f72ecd5b244e3268fbdb4ec9076c7ddaf2c04abf3587e3ac6ec57eb75a359b10698cb19ed2cc31353ab276d102b04a86abb0f626741a2

  • memory/1624-0-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1624-18-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2440-9-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2440-21-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2440-27-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB