Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    01-08-2024 08:32

General

  • Target

    59f0820e1dba93f32143edd3016243e0N.exe

  • Size

    53KB

  • MD5

    59f0820e1dba93f32143edd3016243e0

  • SHA1

    29ca84156e31cf22dff3784e0ea8fe16beacb5ac

  • SHA256

    d620b15623bb352588dbe7e71ed15be7018750380cf5670c0acfec5612b28d9c

  • SHA512

    5378d3b9a667f59c18d8544269441f5a0f331e1730c6fa6038b8508d58bf74d7a8c33c60822d1621fb932f265070776224c2f1304f8b852df9f7a3acfd28929f

  • SSDEEP

    1536:TlnBzGPEdPJpUI4QP4BDK3XmbPfKJ97ifa:JnBGPUMQwBDamb3a7iy

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2212
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    b4a86880004da8726288d7ec954885a8

    SHA1

    1bab1cfbdc2c540246210bc7852f8fe7e8357b31

    SHA256

    c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46

    SHA512

    22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    276B

    MD5

    81e05de602affcce0df5ebb80d5cb29d

    SHA1

    ee5f67f6d7fb476030780f50dd92ea78f6871b88

    SHA256

    8e942d9a670d8961bab18fa7ec93182ddaf9fcf31bf306f7268f079cea1a21ad

    SHA512

    43525dd191f61167d10999178edf440966dcf5fc0558043df17cf19f7588d25071231ed76430f57fca0efd4815e994939708a2e57659dd46e3416ac1732d37aa

  • \Users\Admin\AppData\Local\Temp\biudfw.exe

    Filesize

    53KB

    MD5

    c2cb93e3639a64143083587638c6e338

    SHA1

    53c8de35d70106933273c7d9b3f654adc51f9ea4

    SHA256

    b10fcbaf133620dabc22f4b949c7676983090356a0f02cfe856021494722dbfc

    SHA512

    8625873433d792f0c316dfb24f740d961af41212817dac30c18cb7b4681ddf37e4606796ed1be5056649dbe418bdbf94c31fe1b8e4716bd3633f309bef323a30

  • memory/2212-21-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2212-23-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2212-30-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2884-0-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2884-6-0x00000000033F0000-0x0000000003418000-memory.dmp

    Filesize

    160KB

  • memory/2884-18-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB