Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-10-2024 00:48

General

  • Target

    972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe

  • Size

    348KB

  • MD5

    99f923fe659ab29eab7d0b6ce916a4ad

  • SHA1

    5f5335c397aba69ad7eeb3c7acf96d3a85379697

  • SHA256

    972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1

  • SHA512

    976f934ed6c6946049d6b6e1a4e1a0f6750336538fc3257567ef6618ff2aa7a9c2638ac1eb723d6e682c115bd2fe74f904355f54eaf0b408374b9d848d78e76e

  • SSDEEP

    6144:c/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZe:A0G5obGGraOpUWlpZ

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe
    "C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\juizf.exe
      "C:\Users\Admin\AppData\Local\Temp\juizf.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\ozkeby.exe
        "C:\Users\Admin\AppData\Local\Temp\ozkeby.exe" OK
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Users\Admin\AppData\Local\Temp\ulhux.exe
          "C:\Users\Admin\AppData\Local\Temp\ulhux.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1752
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2896
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2312

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

    Filesize

    340B

    MD5

    40c0cecdb6095e9022f9b96cd55f10a3

    SHA1

    b5be5385481f9373aa7bcc2fed4e21d5c0cf79da

    SHA256

    a0cdb22e6cbadeaf877aba273d6fa7b5c5162fa0a8671207364ac7607ddf5d24

    SHA512

    759cba8c297f7a1e2b0f9e4467fe9f27236eb41ecb99cf37d90828e03d2462949f7280a8a2c36b2067af3a803a8b6986bedf9144602e7cfbbbaef4e5f5b41e73

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

    Filesize

    224B

    MD5

    37bba20cb649bd8ad7f6a39610fe9e57

    SHA1

    a1d019f4e2b5044fa7b45f2463fd4d9ca2e96b76

    SHA256

    415e8629e0827c7a5c5a9d2c738a35722525f239dea3893fb1a73f8a7bd9b056

    SHA512

    fb9d4e36cd2e6e46d9bb97b88bddb6f19394291b5b3e0652d792110a3779bfaf187808450cf3fc889342ffd72920c5a77bd7a5592c89b287527b18dfd7025dc1

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    eb88c82179968983af11c18f0b4eda60

    SHA1

    00123a5a438fe3a0945b112f4e5ddbd5451421f0

    SHA256

    20d3b3d70781db72ffa70dcb3c75ec7d48b09092ea203f19738c9fe11894e7b7

    SHA512

    b8fb7919c4207fb9279c9ba5f4f5d6bc8327eae21992ad61a242f24ebf763cb2aecbac14bf635405b8904e7decc0449563a354865f44fdb0042d0b46254903a9

  • C:\Users\Admin\AppData\Local\Temp\juizf.exe

    Filesize

    348KB

    MD5

    d52b544e2e688291a7122e835e9bc700

    SHA1

    9fd04f03c31f443f96ad2bb30e8ebf70f1cf168f

    SHA256

    064cb57860b4e10de57e3e443f023bf5eda64d7078eb51cf4eeffbc79d737cb8

    SHA512

    0dbb2823a90d5c17377189e1043c43b7f46984a19c9bd110aed20e81eeb63ad9380d52fa7d4bdcc2cc328b4d1df8ee3592157d80f2803a8d18859f6e6df30a39

  • C:\Users\Admin\AppData\Local\Temp\ulhux.exe

    Filesize

    115KB

    MD5

    c47b79ccba0bcd28795d8f5c4bf797fe

    SHA1

    965a69ac90fb806c45bc673500e8be2ccb472288

    SHA256

    4a66b16bba7e0b8d4dea5bb649df355758133b5d00d8aab2f8ed6d142bf33121

    SHA512

    64812c0027111ef235ac55bc9a39086daa6d08a01650252a9d886777edc7da03c2665a795588101928e1f4d5de9c68217949814a97b65a20db8a0b43f6c9cb46

  • memory/1752-60-0x00000000009F0000-0x0000000000A72000-memory.dmp

    Filesize

    520KB

  • memory/1752-61-0x00000000009F0000-0x0000000000A72000-memory.dmp

    Filesize

    520KB

  • memory/1752-65-0x00000000009F0000-0x0000000000A72000-memory.dmp

    Filesize

    520KB

  • memory/1752-64-0x00000000009F0000-0x0000000000A72000-memory.dmp

    Filesize

    520KB

  • memory/1752-63-0x00000000009F0000-0x0000000000A72000-memory.dmp

    Filesize

    520KB

  • memory/1752-62-0x00000000009F0000-0x0000000000A72000-memory.dmp

    Filesize

    520KB

  • memory/1752-57-0x00000000009F0000-0x0000000000A72000-memory.dmp

    Filesize

    520KB

  • memory/2708-0-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2708-19-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2708-36-0x00000000024D0000-0x000000000252C000-memory.dmp

    Filesize

    368KB

  • memory/2804-21-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2804-32-0x00000000036C0000-0x000000000371C000-memory.dmp

    Filesize

    368KB

  • memory/2804-34-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3040-35-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3040-56-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3040-37-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB