Analysis
max time kernel: 119s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2024 01:13
Static task: static1
Behavioral task: behavioral1
Sample: 7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1N.exe
Resource: win7-20240903-en
General
Target: 7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1N.exe
Size: 333KB
MD5: ede94d90737c8fb49f5bd968f90d32b0
SHA1: b465d4e4a9074ef84ae72f958fc87c324562e65d
SHA256: 7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1
SHA512: 31e15842f190d5cfd18ca7aca0ef44e583ed2d1b86af89a09d3e025402118c7a94ee21ee8bae2d76ff7e71cf40c95fa49c0cf88a0500477e5f2de45d50ae59dd
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYP:vHW138/iXWlK885rKlGSekcj66ci+
Malware Config
Extracted
Family: urelas
C2:
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
Urelas family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation, by luavm.exe
Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation, by 7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1N.exe
Executes dropped EXE (2 IoCs)
PID 2628: luavm.exe
PID 1324: gavyv.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1N.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by luavm.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cmd.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by gavyv.exe
Note that cmd.exe, a system binary, trips this signature as well: reading NLS\Language is routine for ordinary processes, so on its own it is a weak indicator and should be weighed together with the Geo\Nation query above and the drop-and-execute chain out of the Temp directory.
Suspicious behavior: EnumeratesProcesses (48 IoCs)
PID 1324: gavyv.exe (48 occurrences)
Suspicious use of WriteProcessMemory (9 IoCs)
PID 3604 (7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1N.exe) wrote to memory of PID 2628 (luavm.exe); 3 rows, procid_target 88
PID 3604 (7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1N.exe) wrote to memory of PID 4516 (cmd.exe); 3 rows, procid_target 89
PID 2628 (luavm.exe) wrote to memory of PID 1324 (gavyv.exe); 3 rows, procid_target 102
In every row the target is a process the writer itself spawned (compare the Processes tree below), so these writes are consistent with a parent populating the address space of its freshly created child during process creation rather than with injection into an unrelated process. What the chain does establish is a three-stage drop-and-execute out of the Temp directory: the sample starts luavm.exe, which starts gavyv.exe.
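The WriteProcessMemory rows are printed by the sandbox as one run-together line. The following added Python example (not part of the report and not a sandbox tool) parses those rows, collapses the repeats into writer-to-target edges with counts, checks each edge against the parent links read off the Processes section, and renders the spawn tree the edges imply. The row layout, the PARENT map and the "parent-to-child" versus "cross-process" labels are this example's own assumptions; an edge whose writer is not the target's parent is the one to treat as candidate injection.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1N.exe"

# The nine rows of the "Suspicious use of WriteProcessMemory" signature, copied
# from the report and split one per line. Columns: description, pid, Process,
# procid_target.
WPM_ROWS = f"""
PID 3604 wrote to memory of 2628 3604 {SAMPLE} 88
PID 3604 wrote to memory of 2628 3604 {SAMPLE} 88
PID 3604 wrote to memory of 2628 3604 {SAMPLE} 88
PID 3604 wrote to memory of 4516 3604 {SAMPLE} 89
PID 3604 wrote to memory of 4516 3604 {SAMPLE} 89
PID 3604 wrote to memory of 4516 3604 {SAMPLE} 89
PID 2628 wrote to memory of 1324 2628 luavm.exe 102
PID 2628 wrote to memory of 1324 2628 luavm.exe 102
PID 2628 wrote to memory of 1324 2628 luavm.exe 102
"""

# Image names and parent links read off the Processes section of the report
# (assumed inputs for this example).
IMAGE = {3604: SAMPLE, 2628: "luavm.exe", 4516: "cmd.exe", 1324: "gavyv.exe"}
PARENT = {2628: 3604, 4516: 3604, 1324: 2628}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_wpm_rows(text):
    """Return Counter {(writer_pid, target_pid): number of rows}."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if not m:
            continue  # blank line or a row in a layout we do not understand
        writer, target, pid, _image, _procid_target = m.groups()
        if writer != pid:
            raise ValueError(f"description and pid column disagree: {line!r}")
        counts[(int(writer), int(target))] += 1
    return counts


def classify_edges(counts, parent):
    """Label each writer->target edge.

    'parent-to-child': the writer is the target's parent, i.e. the writes are
    the ones a parent performs while setting up a newly created child.
    'cross-process': the writer is not the parent; that is the case to review
    as possible injection.
    """
    return {
        (writer, target): (
            "parent-to-child" if parent.get(target) == writer else "cross-process"
        )
        for (writer, target) in counts
    }


def render_tree(counts, image, root):
    """Render the spawn tree implied by the edges, one line per process."""
    children = defaultdict(list)
    for writer, target in counts:
        if target not in children[writer]:
            children[writer].append(target)

    def walk(pid, depth):
        lines = [f"{'    ' * depth}{image.get(pid, '?')} (PID {pid})"]
        for child in children[pid]:
            lines.extend(walk(child, depth + 1))
        return lines

    return walk(root, 0)


if __name__ == "__main__":
    counts = parse_wpm_rows(WPM_ROWS)
    for edge, kind in classify_edges(counts, PARENT).items():
        print(f"{edge[0]} -> {edge[1]}: {counts[edge]} rows, {kind}")
    print("\n".join(render_tree(counts, IMAGE, 3604)))
```

Running it prints three edges, each with three rows and labelled parent-to-child, followed by the same four-process tree the Processes section shows. Feeding it a row whose target PID has a different parent (or none in the tree) yields a cross-process edge, which is the signal worth escalating.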
Processes
C:\Users\Admin\AppData\Local\Temp\7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1N.exe (PID 3604)
    command line: "C:\Users\Admin\AppData\Local\Temp\7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1N.exe"
    signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\luavm.exe (PID 2628)
        command line: "C:\Users\Admin\AppData\Local\Temp\luavm.exe"
        signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\gavyv.exe (PID 1324)
            command line: "C:\Users\Admin\AppData\Local\Temp\gavyv.exe"
            signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\cmd.exe (PID 4516)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        signatures: System Location Discovery: System Language Discovery
Note on the cmd.exe entry: the command line names the system32 path but the image that ran is under SysWOW64, which is WoW64 file-system redirection at work and confirms the calling sample is a 32-bit process. The contents of _uinsey.bat are not shown in this report.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 342B
MD5: 8e5ff9cd69aa9ba012b0758ee7186871
SHA1: 4f0c63126f83d7def9fac04f933a273bd4f9e308
SHA256: 7850bc61359b067f44ab5a962d105239f0c4695762b2e261e62eeaf69d5b940c
SHA512: 6e55571ce61b51610b33dff82b75d8ee3f7d2ee85cc4a64640b36d3020800efaa0814dd7cf72e27b62d2fc38fe938c5b5d9d565e263ec734c09c83d3f8fdf2cb

Filesize: 172KB
MD5: d08495efcb3eac21a634b4b77e22fc02
SHA1: cba5b4ca92127cce262e4a3abad5fc493ee4ddb3
SHA256: 0214125a710474837e919bad93d768722f36093ff82be20637e8c43a8b8aaf51
SHA512: db90b8f04d8e3a75458803fe59fa7f3df2e9fc3815f2e88e33d755410b483a7fe57c3e39f82bd09416534287e5179d2e31bb9ba1689803e7da158f017d92023d

Filesize: 512B
MD5: 6f36c3e23b00b6d08aa90d3d6f7ee4c5
SHA1: 87e4101441ea1951847063c302683e2c95d306cb
SHA256: 0290d22bbe34a319b941e3c7707832e21fa51e793157754c64e8e86940044903
SHA512: 460231c7636b42208b1d15b1354dca03c2330e6852f090a2d879c355bf5c0f24a7aa7031b8f649ed02e83e4172d81035e3ef57376aa8c3eceb0fcfc03bd34281

Filesize: 333KB
MD5: 6a3c15241a2d10858c61d143c9980ae6
SHA1: 709d2b391927c83a9c1e9379e1c5e19d392e55fd
SHA256: e8933044289764ca9efa22f202338dd7d4c1023918daff85310c4b02830fc45f
SHA512: 3532c70cfe4df64eb1d5f32e2fc70009d2689bf1acea37dc3193193056ada9840c38d021e36a3dac9e304e0e3c2c10192ad3758c8352c14b901343ceec32798c
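Turning the report into detection logic: the following added Python example (not part of the report or of any vendor tool) collects the indicators listed on this page, that is the sample's SHA256, the SHA256s under Downloads, the three addresses in the extracted Urelas config and the two registry keys from the location and language signatures, and runs them over a constructed JSON-lines telemetry feed modelled on the process tree above. The event schema, the parent PID 1000, the placeholder hashes for luavm.exe and cmd.exe, the assignment of one Downloads hash to gavyv.exe and the severity levels are assumptions made for this example; the report does not name the dropped files. The NLS\Language read is scored as informational only, because cmd.exe triggers it too.

```python
import json

# Indicators copied from the report.
SAMPLE_NAME = "7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1N.exe"
SAMPLE_SHA256 = "7b632348a4cf480ea17052307d412c8d7ef5917e777ae9b674d43bae2fcafdd1"
DROPPED_SHA256 = {
    "7850bc61359b067f44ab5a962d105239f0c4695762b2e261e62eeaf69d5b940c",
    "0214125a710474837e919bad93d768722f36093ff82be20637e8c43a8b8aaf51",
    "0290d22bbe34a319b941e3c7707832e21fa51e793157754c64e8e86940044903",
    "e8933044289764ca9efa22f202338dd7d4c1023918daff85310c4b02830fc45f",
}
C2_IPS = {"218.54.31.226", "218.54.31.165", "218.54.31.166"}
GEO_NATION = "\\Control Panel\\International\\Geo\\Nation"
NLS_LANGUAGE = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"
TEMP_MARKER = "\\appdata\\local\\temp\\"  # matched case-insensitively

# Constructed telemetry (hypothetical EDR schema) mirroring the report's process
# tree. Hashes for luavm.exe and cmd.exe are placeholders; the hash given to
# gavyv.exe is one of the Downloads hashes, an assumption made for illustration.
SID = "S-1-5-21-3756129449-3121373848-4276368241-1000"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
_EVENTS = [
    {"type": "process", "pid": 3604, "ppid": 1000, "image": TEMP + SAMPLE_NAME, "sha256": SAMPLE_SHA256},
    {"type": "registry", "pid": 3604, "image": TEMP + SAMPLE_NAME, "key": "\\REGISTRY\\USER\\" + SID + GEO_NATION},
    {"type": "process", "pid": 2628, "ppid": 3604, "image": TEMP + "luavm.exe", "sha256": "0" * 64},
    {"type": "registry", "pid": 2628, "image": TEMP + "luavm.exe", "key": "\\REGISTRY\\USER\\" + SID + GEO_NATION},
    {"type": "process", "pid": 4516, "ppid": 3604, "image": CMD, "sha256": "1" * 64},
    {"type": "registry", "pid": 4516, "image": CMD, "key": NLS_LANGUAGE},
    {"type": "process", "pid": 1324, "ppid": 2628, "image": TEMP + "gavyv.exe",
     "sha256": "0214125a710474837e919bad93d768722f36093ff82be20637e8c43a8b8aaf51"},
    {"type": "network", "pid": 1324, "dst_ip": "218.54.31.165"},
    {"type": "network", "pid": 1324, "dst_ip": "8.8.8.8"},
]
# Serialised so the detector consumes the same text form an EDR export would.
TELEMETRY = "\n".join(json.dumps(e) for e in _EVENTS)


def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_temp(image):
    return TEMP_MARKER in image.lower()


def detect(text):
    """Return a list of (severity, rule, pid) hits for the given telemetry."""
    events = parse_jsonl(text)
    image_of = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            if e.get("sha256") == SAMPLE_SHA256 or e.get("sha256") in DROPPED_SHA256:
                hits.append(("high", "urelas_known_hash", pid))
            # A Temp-resident executable starting another Temp-resident one is the
            # drop-and-execute chain the report's "Executes dropped EXE" rows show.
            if in_temp(e["image"]) and in_temp(image_of.get(e["ppid"], "")):
                hits.append(("medium", "temp_exe_spawns_temp_exe", pid))
        elif e["type"] == "registry":
            if e["key"].endswith(GEO_NATION) and in_temp(e["image"]):
                hits.append(("medium", "geo_nation_query_from_temp", pid))
            elif e["key"] == NLS_LANGUAGE:
                hits.append(("info", "nls_language_read", pid))  # weak on its own
        elif e["type"] == "network" and e["dst_ip"] in C2_IPS:
            hits.append(("high", "urelas_c2_address", pid))
    return hits


def verdict(hits):
    severities = {h[0] for h in hits}
    if "high" in severities:
        return "malicious"
    return "suspicious" if "medium" in severities else "clean"


if __name__ == "__main__":
    found = detect(TELEMETRY)
    for hit in found:
        print(hit)
    print(verdict(found))
```

On the constructed feed the detector returns eight hits: two hash matches (the sample and gavyv.exe), the C2 connection from gavyv.exe, the Geo\Nation queries from the two Temp executables, the two Temp-from-Temp spawns, and one informational NLS\Language read for cmd.exe, which by itself would not raise the verdict above clean.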