Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2024 03:40

General

  • Target

    5d40681dee8a5eaa2ee76ab80f59fec0N.exe

  • Size

    58KB

  • MD5

    5d40681dee8a5eaa2ee76ab80f59fec0

  • SHA1

    ae24217335d72a9d693f590ae00a9d092848c156

  • SHA256

    183efc32d12f7d89426755f1650f72e06399e2c81b934c9bcb6b6e9305de9849

  • SHA512

    8373d90311e0f085c810ae6472db98327bfef641c303f7ab4bddd730e24607f68ac7e83400e79d65e836a87195888cad5275ff10454056e495546327259d5615

  • SSDEEP

    1536:6W82C0Db1edMckBI1kmJAhTPY6pnouy8t:6n25DbaMySmJAhbvoutt

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\biudfw.exe

    Filesize

    58KB

    MD5

    5a5f202cf2b7cf395cc7edfa0c3abbaf

    SHA1

    1eb3a41b48edb5d5dd56259c11c41cf5ac661c55

    SHA256

    aac373365b0484475a6f1b224fadc130d9d8c2082dfe141bf87f7b4a27ecbea2

    SHA512

    8a1a7b47dd49a28c4425db1bab1a275166d54a78f2f656dc63d9622627740dd1121f1e3f35cc4321969c9a18b3e5edd1884528ac285c2613a546a3d3cf816bbd

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    b4a86880004da8726288d7ec954885a8

    SHA1

    1bab1cfbdc2c540246210bc7852f8fe7e8357b31

    SHA256

    c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46

    SHA512

    22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    276B

    MD5

    819362708bc5eee198a15582daab8e7d

    SHA1

    564d69a5cb20a00734ea49cef078f16b582988e3

    SHA256

    9e4c8e74ec0ed2ed3fe8888d2227f4bbb0c94134d3cd75b52c7553bec616305b

    SHA512

    d30d35f26473eeab5308a61fee132387e459df63365e431e3a09a48ad7194b812efd4ca4eaf7f1424e24c00da7608098f74947b031d1c8296aba49ef6daad485

  • memory/1724-10-0x0000000000700000-0x000000000072C000-memory.dmp

    Filesize

    176KB

  • memory/1724-18-0x0000000000700000-0x000000000072C000-memory.dmp

    Filesize

    176KB

  • memory/1724-20-0x0000000000700000-0x000000000072C000-memory.dmp

    Filesize

    176KB

  • memory/1724-27-0x0000000000700000-0x000000000072C000-memory.dmp

    Filesize

    176KB

  • memory/3248-0-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB

  • memory/3248-15-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB