Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2024 23:13

General

  • Target

    71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe

  • Size

    333KB

  • MD5

    4db07e5916f1df61e29be73c51e152dd

  • SHA1

    f4d13b63c57e15491cedab6425982c21950605de

  • SHA256

    71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b

  • SHA512

    dc238854a7cdc6161084b09c0e6415a8aaf7426c138f1e99c5d5174ea47488c0f28fa378c238d0bfb8cc91b1f5ba30b5664e399b12f1bd1a995941a190bb2a57

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYg:vHW138/iXWlK885rKlGSekcj66ciB

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
    "C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Users\Admin\AppData\Local\Temp\hohab.exe
      "C:\Users\Admin\AppData\Local\Temp\hohab.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Users\Admin\AppData\Local\Temp\fuqic.exe
        "C:\Users\Admin\AppData\Local\Temp\fuqic.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1920
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    061e1a7b6dd73689632ea9992e4df62f

    SHA1

    e30e7d684cb4a1d70e86c807f21d2a75c2bd4650

    SHA256

    7d46766c246f029c69281803481caa3628f96ede69e2b9c8988007228bd5486c

    SHA512

    62e339e31fc5b10b14b844fc251077549066f03b415867a9bc2a984f768e69e3f544d900e1e956757d52a07427074cb4d14cc3a65c8215944d3119e05493e2e5

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    711c59f36f3a5ded3a8a23b87ad57524

    SHA1

    48308d26c085a048c8a387524f0f854233ca1ae8

    SHA256

    7f8387f94d7102d587de3e0f07c59ac43ea1bf2a398fc6fa914e8108db9dc236

    SHA512

    a4929ed98abf4b6624fcf7245ef183cce2ef89e4c63a47a4dca060f77c10c22d24d924c541edaf3cb7303e27cd54f7940db1df9ec80a99fc267165a9e43b99c7

  • \Users\Admin\AppData\Local\Temp\fuqic.exe

    Filesize

    172KB

    MD5

    d2821f8b9da182be09677bafb56e92ba

    SHA1

    37ebca909fc2fe945f803618e61eb1fe10932068

    SHA256

    2df885d307cf14d137b9f5a24783ef1877ec42d06b502ab85a9344a37a6463a7

    SHA512

    389b607b2937499409b8f7f87f6cfe94ebdc795ea733f228e9a7c9a9409d7e61de7b64d3aa2577de1829a6191da3fc26fdb844eb3c712b0f54c417bd128df9d5

  • \Users\Admin\AppData\Local\Temp\hohab.exe

    Filesize

    333KB

    MD5

    9941d977f3f363bdcf6b0e61cb6da44d

    SHA1

    1946600e6bf1b10c469e47066bd50f8ae6cb3bff

    SHA256

    944dc36c1191e53f4a2d237d8029f84ef08c59dcbe748a651f348443095dc90c

    SHA512

    a3b3be23db0331b8a5696673d40834a3c4c598d02d0b5f9ea0ed607d255b0599dc913d33a5dfa287ec093155613616416ee2c445a7d3a5cb0e8b2357532c5ecf

  • memory/1920-52-0x00000000003B0000-0x0000000000449000-memory.dmp

    Filesize

    612KB

  • memory/1920-51-0x00000000003B0000-0x0000000000449000-memory.dmp

    Filesize

    612KB

  • memory/1920-50-0x00000000003B0000-0x0000000000449000-memory.dmp

    Filesize

    612KB

  • memory/1920-49-0x00000000003B0000-0x0000000000449000-memory.dmp

    Filesize

    612KB

  • memory/1920-48-0x00000000003B0000-0x0000000000449000-memory.dmp

    Filesize

    612KB

  • memory/1920-44-0x00000000003B0000-0x0000000000449000-memory.dmp

    Filesize

    612KB

  • memory/1920-43-0x00000000003B0000-0x0000000000449000-memory.dmp

    Filesize

    612KB

  • memory/2588-12-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2588-25-0x0000000000970000-0x00000000009F1000-memory.dmp

    Filesize

    516KB

  • memory/2588-41-0x0000000004010000-0x00000000040A9000-memory.dmp

    Filesize

    612KB

  • memory/2588-40-0x0000000000970000-0x00000000009F1000-memory.dmp

    Filesize

    516KB

  • memory/2588-24-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2588-11-0x0000000000970000-0x00000000009F1000-memory.dmp

    Filesize

    516KB

  • memory/2656-21-0x0000000000870000-0x00000000008F1000-memory.dmp

    Filesize

    516KB

  • memory/2656-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2656-7-0x00000000026B0000-0x0000000002731000-memory.dmp

    Filesize

    516KB

  • memory/2656-0-0x0000000000870000-0x00000000008F1000-memory.dmp

    Filesize

    516KB