Analysis

  • max time kernel
    119s
  • max time network
    77s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    15-10-2024 04:34

General

  • Target

    d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe

  • Size

    333KB

  • MD5

    e672c23daa4d422f768e309c193e0770

  • SHA1

    e1b7ee3969e6c438e9d6480740f0c0375219c105

  • SHA256

    d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeeba

  • SHA512

    bb7bd98a81cc6624471afedc578e3e4690c03e01376a9eadb4fad86a9e3a494cd35b686a5750db96e876956fb84a35be33e6334d89f565e9505227c851af689c

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYr:vHW138/iXWlK885rKlGSekcj66ciK

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
    "C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\zuwon.exe
      "C:\Users\Admin\AppData\Local\Temp\zuwon.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Users\Admin\AppData\Local\Temp\zygaz.exe
        "C:\Users\Admin\AppData\Local\Temp\zygaz.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2708
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2712
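
The process tree and the extracted C2 addresses above give two kinds of indicator: atomic ones (the file hashes and the three C2 IPs) and a behavioural one (a process that spawns an executable from the user's Temp directory and also runs a batch file from Temp through cmd.exe, which is the step that deletes the original). The Python below is an added example, not part of this sandbox report, that turns both into matching rules and runs them over constructed Sysmon-style events mirroring the tree. The key=value log format, the placeholder parent PID 1200, the notepad.exe control events and the outbound connection to 218.54.31.226 are all assumptions; the report's own Network section records no traffic.

```python
"""Hunt for the Urelas indicators from this report in process and network
events.  Added example, not part of the sandbox report; the log lines are
constructed to mirror the report's process tree."""
import re
from dataclasses import dataclass

# Indicators copied from the report above.
C2_IPS = {"218.54.31.226", "218.54.31.165", "218.54.31.166"}
KNOWN_SHA256 = {
    "d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeeba": "submitted sample",
    "c03c6446e65436ff1f9e51defd35ebbbf9374016a1366b0c85b63e00c8a73ffb": "zuwon.exe",
    "962e90cb9fa730bd4d9d615ef4cd8e6e91b85bd89e5fe348c333183b2aeeccb4": "zygaz.exe",
}
# An executable sitting directly in the user's Temp directory.
TEMP_EXE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
# cmd.exe /c running a .bat from Temp: the self-deletion step in the report.
BAT_FROM_TEMP = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*[^"]*\\temp\\[^"\\]+\.bat"', re.I)


@dataclass
class Event:
    kind: str          # "proc" (process creation) or "net" (outbound connection)
    pid: int
    ppid: int
    image: str
    cmdline: str = ""
    sha256: str = ""
    dst_ip: str = ""


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value|key=value' log line (assumed format)."""
    f = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return Event(f["kind"], int(f["pid"]), int(f["ppid"]), f["image"],
                 f.get("cmdline", ""), f.get("sha256", "").lower(), f.get("dst", ""))


def match_iocs(events):
    """Atomic indicators: known file hashes and connections to the extracted C2s."""
    hits = []
    for e in events:
        if e.kind == "proc" and e.sha256 in KNOWN_SHA256:
            hits.append(("known-hash", e.pid, KNOWN_SHA256[e.sha256]))
        elif e.kind == "net" and e.dst_ip in C2_IPS:
            hits.append(("c2", e.pid, e.dst_ip))
    return hits


def find_drop_chain(events):
    """Behavioural rule for the tree in the report: one parent both spawns an
    executable from Temp and runs a .bat from Temp via cmd.exe.
    Returns (parent pid, dropped-exe pids, cmd.exe pid) per match."""
    children = {}
    for e in events:
        if e.kind == "proc":
            children.setdefault(e.ppid, []).append(e)
    findings = []
    for ppid, kids in children.items():
        dropped = [k.pid for k in kids if TEMP_EXE.match(k.image)]
        bat = [k.pid for k in kids if BAT_FROM_TEMP.search(k.cmdline)]
        if dropped and bat:
            findings.append((ppid, dropped, bat[0]))
    return findings


# Constructed sample events; PIDs, paths and hashes follow the report, the
# parent PID 1200, the notepad.exe events and the network event are made up.
SAMPLE_LOG = r"""
kind=proc|pid=1964|ppid=1200|image=C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe|cmdline="C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe"|sha256=d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeeba
kind=proc|pid=2736|ppid=1964|image=C:\Users\Admin\AppData\Local\Temp\zuwon.exe|cmdline="C:\Users\Admin\AppData\Local\Temp\zuwon.exe"|sha256=c03c6446e65436ff1f9e51defd35ebbbf9374016a1366b0c85b63e00c8a73ffb
kind=proc|pid=2708|ppid=2736|image=C:\Users\Admin\AppData\Local\Temp\zygaz.exe|cmdline="C:\Users\Admin\AppData\Local\Temp\zygaz.exe"|sha256=962e90cb9fa730bd4d9d615ef4cd8e6e91b85bd89e5fe348c333183b2aeeccb4
kind=proc|pid=2712|ppid=1964|image=C:\Windows\SysWOW64\cmd.exe|cmdline=cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "|sha256=
kind=net|pid=2708|ppid=2736|image=C:\Users\Admin\AppData\Local\Temp\zygaz.exe|dst=218.54.31.226
kind=proc|pid=3001|ppid=1200|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe|sha256=
kind=net|pid=3001|ppid=1200|image=C:\Windows\System32\notepad.exe|dst=93.184.216.34
"""
EVENTS = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    for hit in match_iocs(EVENTS):
        print("IOC", hit)
    for chain in find_drop_chain(EVENTS):
        print("drop chain", chain)
```

The behavioural rule is the one worth keeping: the hashes and C2 addresses change between builds, while the pattern of a parent spawning a Temp-resident executable alongside `cmd /c "...\Temp\*.bat"` is what the process tree above actually shows and survives a recompile.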

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    da67e38d5dde136007137b726aea20fb

    SHA1

    d4df79c1e92552e1fb2244efd1acba9731b402eb

    SHA256

    5ce46a0acdf39622c6c874b2580ccdf85aed56aa5498ec2dba7238f015be6a17

    SHA512

    618703f129df422bdce0a30089884973ffbff5d192dca50e476629b4749feb50e8e843b9a4a3b2219a6c53d8d29fcfa2ff78be8ede1194544a9fe1b690d7c036

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    81a181f86df76b2707c359ff0dc28df4

    SHA1

    3385c0dd7b8d429a8b5530c354c91fcb01a290a1

    SHA256

    4bab111ecac852b15f7ffc0349b158347265a47b611ffad464c30d43e965b8b4

    SHA512

    b17c43170f12f9437dbf5a43d5cabb3ef6e141a3b141c3930b5390e984e00ecdab43b530cd705ab306ddc2bca84b7393874ab72bd6241f9197ed5f9801f58b89

  • \Users\Admin\AppData\Local\Temp\zuwon.exe

    Filesize

    333KB

    MD5

    10b434fb7baa1cf69519cec71c26e910

    SHA1

    00ffd9a8554d227e1d4fab7901b59f8a1171faaa

    SHA256

    c03c6446e65436ff1f9e51defd35ebbbf9374016a1366b0c85b63e00c8a73ffb

    SHA512

    e95b8d9fd93151afcba927e227a0e41186f70c6be0acdbd2f97ec8fea95f08df5927a9426affbc25e0db15a9c221d1a6e9fc36ce8b41046853385d9a6b57b0c6

  • \Users\Admin\AppData\Local\Temp\zygaz.exe

    Filesize

    172KB

    MD5

    5c77cb8b05a5444b2757c5a190a9fb4a

    SHA1

    3b3ad302a55aa74c69b08846a367aa51f63c5ccc

    SHA256

    962e90cb9fa730bd4d9d615ef4cd8e6e91b85bd89e5fe348c333183b2aeeccb4

    SHA512

    d2acc2a958661c70695919fb9e7ce230a0e82c8fe12d16e98ca4161cc13dedf92ad880af1360d2b356b8a1822aca50a75395a518e4a29f4fca0f062daa44153f

  • memory/1964-0-0x00000000001C0000-0x0000000000241000-memory.dmp

    Filesize

    516KB

  • memory/1964-9-0x0000000002540000-0x00000000025C1000-memory.dmp

    Filesize

    516KB

  • memory/1964-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/1964-21-0x00000000001C0000-0x0000000000241000-memory.dmp

    Filesize

    516KB

  • memory/2708-42-0x0000000000350000-0x00000000003E9000-memory.dmp

    Filesize

    612KB

  • memory/2708-45-0x0000000000350000-0x00000000003E9000-memory.dmp

    Filesize

    612KB

  • memory/2708-47-0x0000000000350000-0x00000000003E9000-memory.dmp

    Filesize

    612KB

  • memory/2708-48-0x0000000000350000-0x00000000003E9000-memory.dmp

    Filesize

    612KB

  • memory/2736-24-0x0000000000990000-0x0000000000A11000-memory.dmp

    Filesize

    516KB

  • memory/2736-25-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2736-12-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2736-11-0x0000000000990000-0x0000000000A11000-memory.dmp

    Filesize

    516KB

  • memory/2736-40-0x0000000000990000-0x0000000000A11000-memory.dmp

    Filesize

    516KB