Analysis

  • max time kernel
    103s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 07:07

General

  • Target

    68d69faf6220c50a95de6b54815474f0N.exe

  • Size

    91KB

  • MD5

    68d69faf6220c50a95de6b54815474f0

  • SHA1

    f5913e186c2b40d230149ae9b77beb0be3514036

  • SHA256

    01f890783b8750e10b5c62cc087e5fbeb7b924bca6ecb2e522351831a919bcc1

  • SHA512

    e6f14fb6c54f0a36e3a53ed545523bc5309c61af5a6415b5ab62e043924d41bd0fd3b0bf4f98295ace4cdc1daf9c2bd8bd16af535284474e35b224280bcc5ed2

  • SSDEEP

    768:2geZ5QeklJQ35pPRuIkUD1sYAQ/TN71N1adOZSHj9jaSCpOzIi7D8kUUUNUE0:heZqP25TuIfmS7Fv1aUZSD9yiIHq

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.28.139

121.88.5.183

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Users\Admin\AppData\Local\Temp\poldge.exe
      "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:828
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2140

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    3f372385bf24b44385f4b1251d3aca4d

    SHA1

    83546de6ba8f20bd08a15896d34f6242ed64352f

    SHA256

    b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27

    SHA512

    d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7

  • C:\Users\Admin\AppData\Local\Temp\poldge.exe

    Filesize

    91KB

    MD5

    4bdde19067b5e16fa93dca96bdb7b84e

    SHA1

    f3d9aaa8246a6d3347b5b53d7ef1c48be136540c

    SHA256

    8c5bb96551cd756a6e8fbcd0d1f46ac1816b6d571f8dc73472063f686f95be7a

    SHA512

    c3f009d3f5d1bdf42e3be580ee6e23a6d9fcc1f0722df17814a58e4e4f4e7714f3ceca9fa196eeb656434dbe4fcca89dd6f05de29e86a766e7b573acb5a205a2

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    276B

    MD5

    dff8e39ed48c596107b0527450202ab2

    SHA1

    f5442f78bf9926ecfa56152e4ebbc1e1af041f8e

    SHA256

    174bac57d3f72e76634e3babdc911b9742e05fb62810425075aef9e0944d1768

    SHA512

    dd9d73e9a020dbd3b081a6665078a1e68e68e5d1041c52a51ce1f326f0b9e0694a488d11c91554cad4861e008c16d9a8a6ad6f961af5788729572f0078f05b09

  • memory/828-11-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/828-17-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/828-23-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1224-0-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1224-14-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB