Analysis

  • max time kernel
    89s
  • max time network
    77s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2024 22:23

General

  • Target

    0d917d4356e49ad582f390894a45bdc0N.exe

  • Size

    55KB

  • MD5

    0d917d4356e49ad582f390894a45bdc0

  • SHA1

    3a3372a923573fcee7b87e493ba6d0a32000a379

  • SHA256

    a142637f6eacebb4de2997f61d82d2f14d1ff4b6e125f3c1b49806d13d3bc739

  • SHA512

    8f2ef9c8c30b2419214d0704482d1d041bf481f402cdfa3c68aa92d1d6325449c084776c6e648732fba6a2cea8bb4efeb5cff827bf0bea44457dca5fcad26283

  • SSDEEP

    1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS8Ac:MOemdTd1o74qlmbbJ+x+IkSc

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2248

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    7cdc8777d33db85bc19aefb64879a7f7

    SHA1

    f2d494d4dfe93a05eb58513935196e8578648adf

    SHA256

    9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336

    SHA512

    34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    276B

    MD5

    fbca1a090a554b4c8bd3cd0003d8d48b

    SHA1

    6bd217c7aaafe8e437e7dfc79a820b43d194a529

    SHA256

    15649ac2cf024c3f84ea48f22e8fe3f2488baa5078f7d14e7fa0c6705d1cc27a

    SHA512

    0a00ea714a5d3d9c7fc33eb639b957b3142484c315438fcc9a746adef8398eef5ee7635d003cf9e838bde1cf89388123b66b8841221facee69f4ab90a47f1570

  • \Users\Admin\AppData\Local\Temp\biudfw.exe

    Filesize

    55KB

    MD5

    9d8d0baecbcf02412ae80cd489fc5072

    SHA1

    7697a60c1c08c832569e4379c5c171529dabf586

    SHA256

    807568e80037f87a3268fa283307267763e41ecbf42dd40f8b5b9200b0fa94e9

    SHA512

    59461bace6941c19545218a0b953289ffd069de2214197494fd46526edd8c93c7e734438e022a0e8a7a5250aac42954097caef29540588a19eedee41d464318a

  • memory/1724-18-0x0000000000CD0000-0x0000000000CF6000-memory.dmp

    Filesize

    152KB

  • memory/1724-22-0x0000000000CD0000-0x0000000000CF6000-memory.dmp

    Filesize

    152KB

  • memory/1724-24-0x0000000000CD0000-0x0000000000CF6000-memory.dmp

    Filesize

    152KB

  • memory/1724-31-0x0000000000CD0000-0x0000000000CF6000-memory.dmp

    Filesize

    152KB

  • memory/2292-0-0x0000000000E20000-0x0000000000E46000-memory.dmp

    Filesize

    152KB

  • memory/2292-6-0x0000000000910000-0x0000000000936000-memory.dmp

    Filesize

    152KB

  • memory/2292-19-0x0000000000E20000-0x0000000000E46000-memory.dmp

    Filesize

    152KB