Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-10-2024 18:58

General

  • Target

    12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe

  • Size

    343KB

  • MD5

    5cf93f15082a5e5b4ac032d42179d36a

  • SHA1

    ff796054fc055bad3f24e65cdf41a637691110ff

  • SHA256

    12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1

  • SHA512

    8a26411a95ce1a17119ea3d99132e6017f95798eb8f82982366021ae9cadcfef8f2f938b11e73e4529c38872d9bc300b20f03c5b8c145b6c910547403ddd38c3

  • SSDEEP

    6144:Nd7rpL43btmQ58Z27zw39gY2FeZhrL8Awb:X7dL4AZ0U9gY2FhAy

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
    "C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\xigoe.exe
      "C:\Users\Admin\AppData\Local\Temp\xigoe.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe
        "C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe" OK
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Users\Admin\AppData\Local\Temp\lorua.exe
          "C:\Users\Admin\AppData\Local\Temp\lorua.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1924
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1568
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

    Filesize

    340B

    MD5

    770cdab69a28fa9a1cf16240d51f758a

    SHA1

    164154361f4ccaca43687c1a1f0d9999383ebe4a

    SHA256

    fbadee865fe00289a978424feccd4db1c1126fbee1b806cf1acfaa8fcb049310

    SHA512

    225a067a51a6ff2eb827c13c0a6195efd2ec9d76cbb931b2743bb7d3ce4813853c4fc5afb3423b8f28a41bb080fe901cf5d768010bad87254a44dad3166549a7

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

    Filesize

    224B

    MD5

    cfe886bc155270c247620b2da2b00020

    SHA1

    6dbee9bd94b8470fd19b1cce102597511b0256a0

    SHA256

    6d63c895ded6aa6939f4a9e1511c43c5117f7256ac12a61296a7be342101bcaf

    SHA512

    3f77ce65f4f582c9741b5f8292daf149615817fcaab6e61f5144dbcc33bd2de945f90114c80f8bc514acc278d7f30385a6a5540265cf8726820ef1a227a49db6

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    c6aab2b0ddc6c37775297be3b1e51c45

    SHA1

    0166a1d9aa16a11af6c8389064288686af62d843

    SHA256

    e0ba9a98144815c6969cb0c26b1bf089cda1b792adf217eab50b7e77bcc41fa6

    SHA512

    e3021a9722fae7cbdc9278e71e21d545dca5726b28e7255ffe5ba90169101bc2bcdd9df95caf4604af6d09b810eaa7949572483302720f9dddaddff9c5b1706a

  • \Users\Admin\AppData\Local\Temp\lorua.exe

    Filesize

    136KB

    MD5

    1789b8fa0ee06dbc7da2fd7d292c0002

    SHA1

    5439be5ee772db7263093d39c8cea36836c2aee6

    SHA256

    5f4691a07dc51e0232ad55b59a225f502348c4df223180aba233518993833429

    SHA512

    5228f7a95adfb0252d2cc3118068dd1e504b8de78525c804af394a2b6e8e9aa1e841aec9a03c5084144f0f731f11d46afc19e080c9dc29d01aa496c170602f02

  • \Users\Admin\AppData\Local\Temp\xigoe.exe

    Filesize

    343KB

    MD5

    486b148b753069d1894474f4f75e01c4

    SHA1

    0e19b78416184de4efe6644c014ba38fe8b25a03

    SHA256

    993bc8569b4821720a61e3a0cd96e02be3b1b6e9b46f37b4fc106eadfe1e1568

    SHA512

    b45dbacd60a11725bc94ad8fc489425d05479c3ed9adb4613f262864b5640be69c639b705916c6832fc56f253f5401384913d247c14d2c3a23f8c46c400e61f5

  • memory/1924-63-0x0000000000960000-0x00000000009EC000-memory.dmp

    Filesize

    560KB

  • memory/1924-56-0x0000000000960000-0x00000000009EC000-memory.dmp

    Filesize

    560KB

  • memory/1924-62-0x0000000000960000-0x00000000009EC000-memory.dmp

    Filesize

    560KB

  • memory/1924-61-0x0000000000960000-0x00000000009EC000-memory.dmp

    Filesize

    560KB

  • memory/1924-60-0x0000000000960000-0x00000000009EC000-memory.dmp

    Filesize

    560KB

  • memory/1924-54-0x0000000000960000-0x00000000009EC000-memory.dmp

    Filesize

    560KB

  • memory/1924-64-0x0000000000960000-0x00000000009EC000-memory.dmp

    Filesize

    560KB

  • memory/1924-55-0x0000000000960000-0x00000000009EC000-memory.dmp

    Filesize

    560KB

  • memory/1924-65-0x0000000000960000-0x00000000009EC000-memory.dmp

    Filesize

    560KB

  • memory/2280-24-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2280-2-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2280-5-0x0000000002AB0000-0x0000000002B08000-memory.dmp

    Filesize

    352KB

  • memory/2780-57-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2780-42-0x00000000039C0000-0x0000000003A4C000-memory.dmp

    Filesize

    560KB

  • memory/2780-37-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2840-33-0x0000000002F30000-0x0000000002F88000-memory.dmp

    Filesize

    352KB

  • memory/2840-35-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2840-32-0x0000000002F30000-0x0000000002F88000-memory.dmp

    Filesize

    352KB

  • memory/2840-14-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB