Analysis
- max time kernel: 120s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-10-2024 00:20

Static task: static1
Behavioral task: behavioral1
- Sample: b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
- Resource: win7-20241010-en
General
- Target: b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
- Size: 332KB
- MD5: 64ac1bc4ca221ef927c0f5b570dd2b80
- SHA1: 157f3607b64b7a69cc3b85ae3e6fb0855dfb9185
- SHA256: b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12
- SHA512: 9a329ce8c12e83cf96aa821bc0d68ee107e388d99e8dc9eaca8d55bf9f62e54d48fbcba4619999925917a62372d3d931fb1a4dc4872c7e94ac516b88830f023b
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYU:vHW138/iXWlK885rKlGSekcj66ciN
Malware Config
Extracted
- Family: urelas
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures
- Urelas family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe, ujqoa.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (ujqoa.exe)
- Executes dropped EXE (2 IoCs)
  Processes: ujqoa.exe, nuzuy.exe
  - PID 1808: ujqoa.exe
  - PID 4488: nuzuy.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: cmd.exe, nuzuy.exe, b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe, ujqoa.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nuzuy.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ujqoa.exe)
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  Processes: nuzuy.exe
  - PID 4488: nuzuy.exe (the same entry is repeated 48 times in the report)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe, ujqoa.exe
  - PID 1168 wrote to memory of 1808 (b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe, procid_target 88), recorded 3 times
  - PID 1168 wrote to memory of 4044 (b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe, procid_target 89), recorded 3 times
  - PID 1808 wrote to memory of 4488 (ujqoa.exe, procid_target 100), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe"
  PID: 1168
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ujqoa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ujqoa.exe"
    PID: 1808
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\nuzuy.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nuzuy.exe"
      PID: 4488
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 4044
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads