Analysis

  • max time kernel
    100s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/08/2024, 04:31

General

  • Target

    33a0d35356cb29cc100814c509666060N.exe

  • Size

    61KB

  • MD5

    33a0d35356cb29cc100814c509666060

  • SHA1

    004f841827eb1977ee1c9a8027b497ef4645f978

  • SHA256

    9fb2d1aa8a690de100629d4029dcb40bb9c1a8a19bf783ff4d29c8e211546167

  • SHA512

    74701d39f4e0c004ffd1785ca9b912dac1490b2e366122b60c7726c1c2ac4a4a9f47879889794cae9e5451c2d3581d2f20d19d6535299db41ee25f024bbe20e8

  • SSDEEP

    1536:saTkcl2v/z0thjkh6+uYLo31d0JuPrROVz:Jo0cAthu6+FQ0JuPkz

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33a0d35356cb29cc100814c509666060N.exe
    "C:\Users\Admin\AppData\Local\Temp\33a0d35356cb29cc100814c509666060N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4772
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\biudfw.exe

    Filesize

    61KB

    MD5

    b6a93393a126b159c5d8eb9651635363

    SHA1

    7724cd0320ef44b2d0a993043f48e137bb5dea12

    SHA256

    156269dc6a875f8d63c261e556a81875ef00f45b6531e2ae9ca8855bd23b8868

    SHA512

    85c176cfc5f0ae3a4038bc07163c4dab15786bf491f7f0fc66d3c0a0b30d40b2aad0f0955f70abc4099ea2f32fa8b743cd70fb3378d51c0d6ea94abcbe9d270a

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    657ce9e5dd337971e44dfb9cb3fbf7dd

    SHA1

    026734083afaa4b7d298781b26a72ac9b67ac831

    SHA256

    3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472

    SHA512

    79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    276B

    MD5

    40b712c61ed3bfc861e5f3c1811b6281

    SHA1

    626b4b934ec6890740776d273d76080418526ce9

    SHA256

    023cd5235b4f06e6108752833b439df76e755ef596bfb12fd669e8bff28868de

    SHA512

    06ef7a0ff65b2219fbc0b99a5aa9cfd6bf6bc9b1e19d2b30322435b5b0205369b46b3d1dcbe8ec9bd5b99dc31a99a219f5e24fae2ad4e5bd62c698b4c0f57a96

  • memory/2416-0-0x00000000002D0000-0x00000000002F5000-memory.dmp

    Filesize

    148KB

  • memory/2416-18-0x00000000002D0000-0x00000000002F5000-memory.dmp

    Filesize

    148KB

  • memory/4772-13-0x0000000000900000-0x0000000000925000-memory.dmp

    Filesize

    148KB

  • memory/4772-21-0x0000000000900000-0x0000000000925000-memory.dmp

    Filesize

    148KB

  • memory/4772-23-0x0000000000900000-0x0000000000925000-memory.dmp

    Filesize

    148KB

  • memory/4772-29-0x0000000000900000-0x0000000000925000-memory.dmp

    Filesize

    148KB