Analysis

  • max time kernel
    120s
  • max time network
    77s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 11:43

General

  • Target

    8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe

  • Size

    331KB

  • MD5

    37fe6876c0864c4b1603f415713a8a30

  • SHA1

    4daf69b800cf5d258c9fcf511d61e4478f0242f9

  • SHA256

    8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46b

  • SHA512

    c0285bec719e1ae821fa88d50eb4447d315a36adf13dc48e288381a6f26c0603fb23005c15c7bad0a30c62ae7ced9f82ef0040ccb1f931a4e86347e33f543d4b

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV7:vHW138/iXWlK885rKlGSekcj66ciE7

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
    "C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\gexyf.exe
      "C:\Users\Admin\AppData\Local\Temp\gexyf.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Users\Admin\AppData\Local\Temp\kyyrw.exe
        "C:\Users\Admin\AppData\Local\Temp\kyyrw.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2560
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    4f237e2fc86c1f1f2b92b627c68ffafb

    SHA1

    c0d7607700d7804b07de537051e7fe2ca95d3a3c

    SHA256

    e4aa4bb70edc5b78037c60a80aa48ebfba1e99a3c2ea382304509a81be74deb2

    SHA512

    4b7953774ceb9abf63175fe1c086733d7367b3ab471a7bd68bf0f82b6b856978aff19923b2f45a8aa42808a76157772e3baf6e95ff7bb33e148fb1e140d9c0f7

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    8ced0a00d161490632ae8cf130fae02a

    SHA1

    3c101c6569a1453d31b46101e13e16220022f090

    SHA256

    16e8cec5e64f147b329089fb28e4902c979b2f24bf2d853205be8c2265503afb

    SHA512

    d16ddde4b700b9399161b26acbb5a8f254905ed2308700124832db651fc2a2cfdefc7667b0ab4f66a527135ed3fc05d9480cabe9e08215bdd4a91179586a94f6

  • \Users\Admin\AppData\Local\Temp\gexyf.exe

    Filesize

    331KB

    MD5

    79f89251ec745bab62418bc86edeaab1

    SHA1

    9d3fd1a7081a94549a4489a89bfcee66dbffb1c6

    SHA256

    4e242188113a137c65182a557f15921d794d390f62247dc60630f541c5294642

    SHA512

    cc0a13f56d814db47881ac3fd3133fd85a7ef50f43f92608b8882619c207a3190a6cae946c10e7082fbacbca526a046b922579ea94bfd9a04061facdecae185d

  • \Users\Admin\AppData\Local\Temp\kyyrw.exe

    Filesize

    172KB

    MD5

    b6f99e80c0e2f1086d8852e39027f70b

    SHA1

    d8226562a2a065e8a847cf36bf4469aab894fe44

    SHA256

    b5231256720f22bf065497679030016d527d1a6a7376455c6f23c037366c6d92

    SHA512

    7551780e7583bfe55d93f6f32ae89357980c94664d2b55c56f0aac9057d17574ef98c5553e503af9286becb2517b51b383f08c25c882e3ed65b28ca03ba20a83

  • memory/1672-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/1672-7-0x0000000002930000-0x00000000029B1000-memory.dmp

    Filesize

    516KB

  • memory/1672-0-0x00000000003D0000-0x0000000000451000-memory.dmp

    Filesize

    516KB

  • memory/1672-21-0x00000000003D0000-0x0000000000451000-memory.dmp

    Filesize

    516KB

  • memory/1936-15-0x0000000000CB0000-0x0000000000D31000-memory.dmp

    Filesize

    516KB

  • memory/1936-24-0x0000000000CB0000-0x0000000000D31000-memory.dmp

    Filesize

    516KB

  • memory/1936-18-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/1936-41-0x00000000032E0000-0x0000000003379000-memory.dmp

    Filesize

    612KB

  • memory/1936-40-0x0000000000CB0000-0x0000000000D31000-memory.dmp

    Filesize

    516KB

  • memory/2560-42-0x0000000000F50000-0x0000000000FE9000-memory.dmp

    Filesize

    612KB

  • memory/2560-43-0x0000000000F50000-0x0000000000FE9000-memory.dmp

    Filesize

    612KB

  • memory/2560-47-0x0000000000F50000-0x0000000000FE9000-memory.dmp

    Filesize

    612KB

  • memory/2560-48-0x0000000000F50000-0x0000000000FE9000-memory.dmp

    Filesize

    612KB