Analysis
max time kernel: 149s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 26-10-2024 19:15
Static task: static1
Behavioral task: behavioral1
Sample: 2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe
Resource: win7-20240903-en
General
Target: 2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe
Size: 333KB
MD5: 8dd4853010e7db531898aa198b116300
SHA1: 839c24033a06b4f9ff2abd065f12cbdec61d83e0
SHA256: 2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f
SHA512: 1be5cbce7454acf89b94ec27ef1f9c74c3a8ef53bb6a93dc3ca9243ef9a5d612b1400d7215a4107e95512f7f073c65e3ba7d90f735db74c990830acf0444b5f6
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9W:vHW138/iXWlK885rKlGSekcj66ciWW
Malware Config
Extracted
Family: urelas
Addresses:
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures

Urelas family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation, process: 2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation, process: roluj.exe

Executes dropped EXE (2 IoCs)
- PID 3580, process: roluj.exe
- PID 2452, process: jugiv.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: 2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: roluj.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: cmd.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: jugiv.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2452, process: jugiv.exe (the same entry is repeated for all 64 IoCs)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 1884 (2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe) wrote to memory of PID 3580, target 88 (reported three times)
- PID 1884 (2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe) wrote to memory of PID 2792, target 89 (reported three times)
- PID 3580 (roluj.exe) wrote to memory of PID 2452, target 103 (reported three times)
Processes
C:\Users\Admin\AppData\Local\Temp\2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe"
  PID: 1884
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\roluj.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\roluj.exe"
    PID: 3580
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\jugiv.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\jugiv.exe"
      PID: 2452
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2792
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: 6fadf302779de6a35911ec20f44eaa9c
SHA1: badefcb45d3e18eb9a4af1b8f9b53ba321fd4d26
SHA256: 80beb48d4f4f11b66385e3347cb54777a8376fc918532c6def8af74f6ee9e4a0
SHA512: be028304116ebc759a74721b3d98f97f5948dcdd0767ad86a91e21daec21bd87407ce885c4c7e08f609d1ce89044bdbb04e6db2f1107b73bf344c74993d45001

Filesize: 512B
MD5: 868cb3ca38254a8182c232b270301b81
SHA1: b9c3e18c82b54808a66581e9176b30ba96a45510
SHA256: ebfdb545ccd772b9ae3902b9e3dc2a314cea0b6386822606e490d5bebb79f556
SHA512: 292e63e2cdac0597ef580049521d8d33a1d84912dba89f64d625f343d3e3b2f8d2453362c18e4364600f6a8c9aa48bb51aa8d90b7bef3604ba31a8ce0ca95fdd

Filesize: 172KB
MD5: 41b91ed808852b882a4c36c8ab20a462
SHA1: dc1df4c4c271155116c69a2719f99710ce16e29d
SHA256: b57d05f8ac308cdc94e7ebb5dc61d02455e409a745b6347fcd93e77be90d2b59
SHA512: 5e664c4c46f5ddc55c1e8bb995b471a224894d7711eb671ff6bc73d1d9efe2a87b74404027b5743493b8e779e6c91634edbae4dd84927b24c484df42c3b4607a

Filesize: 333KB
MD5: ee5c70b3a844a00c2f205cc074b4dfc9
SHA1: ebac72d24b9cb574684f691dad93e45f8a0d8b80
SHA256: c6a920f39ab746691f6b0d2398f0ce4d898689d0c6a8130e6806e4a1c4e0a5f6
SHA512: 6331076721ba2a9edd25a356ca6a4ef86ba6c449771d04907ac6439a4388146991f7c385207ad7bc9a5419952b40d5843f6e50494e12678bc2ac6eda8c9616fd