Analysis

max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-11-2024 19:22

Static task: static1
Behavioral task: behavioral1
Sample: 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Resource: win7-20240903-en
General

Target: 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Size: 6.5MB
MD5: 5a0997fb887c620d2815135e9a8f9e00
SHA1: b60b295c2ee512364978eb9d0dad3de46ab91a80
SHA256: 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47
SHA512: 99eaa2bd1e12fa9f07458930e59b66fa5e9370983df605189c6b2dc147a2389c0bf668bed010512b432f705635fa071359dbd6ae499ee7653e2649a100b70b68
SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSq:i0LrA2kHKQHNk3og9unipQyOaOq
Malware Config

Extracted family: urelas
Extracted addresses: 218.54.31.165, 218.54.31.226

These two IPv4 addresses come from the static configuration extractor for the Urelas family; the Network section of this page records no traffic to them, so they should be treated as configured, not observed, infrastructure.
Signatures

Urelas family

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code (GeoID) configured in the registry, likely a geofence check. The same HKCU value is queried by the sample and by both of the first two dropped executables.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | ycass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | kuizso.exe

Executes dropped EXE (3 IoCs)
pid | Process
4436 | ycass.exe
4064 | kuizso.exe
3488 | bidyw.exe
YARA rule match: upx (3 IoCs)
The rule fired on one dropped file and on two memory dumps of PID 3488 (bidyw.exe) covering its image range 0x400000-0x599000, so the UPX stub is still present in the running process.
resource | yara_rule
behavioral2/files/0x0009000000023ccc-65.dat | upx
behavioral2/memory/3488-72-0x0000000000400000-0x0000000000599000-memory.dmp | upx
behavioral2/memory/3488-76-0x0000000000400000-0x0000000000599000-memory.dmp | upx
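The static counterpart of the `upx` YARA hit above is to read the dropped file's PE section table and look for the UPX0/UPX1 section names or the UPX-style layout (a large first section with no raw data that the stub unpacks into). The script below is an added example, not code from the sandbox report or from any Urelas analysis; it parses only a header-only PE skeleton that it constructs itself, sized like the 0x400000-0x599000 region dumped from bidyw.exe, so it needs no real sample. The section names, sizes and the renamed-section heuristic are assumptions for illustration.

```python
"""Static check for UPX-style packing from the PE section table.

Added example, not code from the sandbox report. Only a minimal,
constructed PE skeleton is parsed; no real sample is needed.
"""
from __future__ import annotations

import struct

# Section names UPX writes by default; packers can rename them, so a
# layout heuristic is applied as a fallback.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def section_table(data: bytes) -> list[tuple[bytes, int, int]]:
    """Return [(Name, VirtualSize, SizeOfRawData)] for each PE section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    first = coff + 20 + opt_size             # section table follows the optional header
    sections = []
    for i in range(n_sections):
        off = first + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, raw_size))
    return sections


def looks_upx_packed(data: bytes) -> bool:
    """True if section names or layout match what UPX leaves behind."""
    sections = section_table(data)
    if {name for name, _, _ in sections} & UPX_SECTION_NAMES:
        return True
    # Renamed-UPX heuristic (assumption): the first section is a large,
    # raw-data-free region the stub unpacks into, followed by packed code.
    if len(sections) >= 2:
        _, vsize, raw = sections[0]
        return vsize > 0 and raw == 0
    return False


def build_pe(sections: list[tuple[bytes, int, int]]) -> bytes:
    """Construct a header-only PE32 image (test input, not a real binary)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0                          # PE32 optional header size
    # Machine 0x14C (i386, matching the 32-bit processes in this report).
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b"".join(
        name.ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", vsize, 0x1000, raw, 0x400, 0, 0, 0, 0, 0xE0000020)
        for name, vsize, raw in sections
    )
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


# Constructed inputs: a UPX-style layout roughly the size of the dumped
# bidyw.exe image, and an ordinary compiler layout for comparison.
PACKED_PE = build_pe([(b"UPX0", 0x150000, 0), (b"UPX1", 0x40000, 0x40000), (b".rsrc", 0x8000, 0x8000)])
PLAIN_PE = build_pe([(b".text", 0x1000, 0x1000), (b".rdata", 0x800, 0x800), (b".data", 0x400, 0x200)])

if __name__ == "__main__":
    for label, pe in (("packed", PACKED_PE), ("plain", PLAIN_PE)):
        names = [n.decode() for n, _, _ in section_table(pe)]
        print(label, names, looks_upx_packed(pe))
```

The layout heuristic exists because renaming UPX0/UPX1 is a one-line change for an attacker; a first section with a non-zero VirtualSize and zero SizeOfRawData is the more durable tell. Run it against the 459KB dropped file once it is pulled from the sandbox to confirm which artifact the YARA rule matched.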
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Every process in the chain, including both cmd.exe instances, opens the same NLS\Language key.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ycass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kuizso.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bidyw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
The 30 entries collapse to four processes; the final payload bidyw.exe accounts for 24 of them.
pid | Process | entries
4008 | 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe | 2
4436 | ycass.exe | 2
4064 | kuizso.exe | 2
3488 | bidyw.exe | 24
Suspicious use of WriteProcessMemory (15 IoCs)
The sandbox records three identical entries per child process, so the 15 rows describe 5 parent/child pairs. The procid_target column is the sandbox's own process index, not a Windows PID.
description | pid | Process | procid_target | logged
PID 4008 wrote to memory of 4436 | 4008 | 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe | 89 | 3 times
PID 4008 wrote to memory of 2336 | 4008 | 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe | 90 | 3 times
PID 4436 wrote to memory of 4064 | 4436 | ycass.exe | 92 | 3 times
PID 4064 wrote to memory of 3488 | 4064 | kuizso.exe | 110 | 3 times
PID 4064 wrote to memory of 4620 | 4064 | kuizso.exe | 111 | 3 times
Processes

Indentation shows the parent/child relationship; the depth number is the one shown in the original report.

C:\Users\Admin\AppData\Local\Temp\7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe (PID 4008, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ycass.exe (PID 4436, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\ycass.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\kuizso.exe (PID 4064, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\kuizso.exe" OK
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\bidyw.exe (PID 3488, depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\bidyw.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe (PID 4620, depth 4)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (PID 2336, depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - System Location Discovery: System Language Discovery

Two details worth noting: the sample, ycass.exe and kuizso.exe each drop and launch the next stage, and each stage (plus the sample) runs the same _vslite.bat from %TEMP% through cmd.exe. The command line names C:\Windows\system32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe, which is WoW64 file-system redirection at work: every process in this chain is 32-bit, consistent with the arch:x86 tag. The report does not show the contents of _vslite.bat or the "OK" argument's meaning.
Network
MITRE ATT&CK Enterprise v15
Downloads

Six files were written during the run. The report does not map these hashes to file names; the 6.5MB entry matches the sample's size but none of its hashes, so it is a modified copy rather than the original. Pull the files from the sandbox and hash them to tie each entry to ycass.exe, kuizso.exe, bidyw.exe and _vslite.bat.

Filesize: 342B
MD5: aefef7aa7f0199676941b34c9df61960
SHA1: 434c6975ecf2b18e57feb8c0d8b5e77cb744b8ea
SHA256: 1da8dec5db869ff91420ce9c81579acbae649d5954905f91fb8987b0ff09eb79
SHA512: 811b8508670f8680449aa1d13f1b7db5faeaf67cc228f34afa3f765df9582491b36a5df29518eff1290d616b1daddf41672aa57dd884831cda5a16a092ae2826

Filesize: 224B
MD5: a3c258d464020f58fe88073c55ba4dd7
SHA1: 51139ee4204c8e6d8ce88c552de02461bcbdb943
SHA256: 28969d59abdb705c625108b9a612a0c003ba74b0ccaf85735be3c338c7b9f1c9
SHA512: 90a3b63c6f91714c4da1c694b58996a260e801d30d436770d71e7e43bade406c843e7efdb9417baf1c534f925b80f27db49d3094b1cbbc0093f08162c4563cf5

Filesize: 459KB
MD5: 84ca18a4884b2aa38ee6f0feea07bb92
SHA1: 2c0f93f197ba33054bb8ef55a9aa49097bdaf640
SHA256: f4cfe0004f43844d44a37d95b79f0a3d81b2b26b0352b30067e793b0f4e614cb
SHA512: b09bbf4a7e72e5f3616a271d9b63cf9c604d17ef7fbbcb06683e6d1098d0136728c036ef5130e98abaa4159a3c59a0a9cfd1eaebd29b20eaef78f93d1c0c3270

Filesize: 104B
MD5: dbef593bccc2049f860f718cd6fec321
SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Filesize: 512B
MD5: f9cb051042ce30c90833f52da930ce8a
SHA1: 8e7441d2928bf3b9a4fc9e98ddc1e34fe752fa78
SHA256: f63b4724b013aa72460dda3efefb400b5fc984a58c1c95f575f44629a0cc66bb
SHA512: fffcbb52772083e81394964fdcc1be7af5ce09d5327a36797539bb60d6108e5d9bd065e2b74dfe489396aabf806c10c43697347825085d4844c1c8768d9307b4

Filesize: 6.5MB
MD5: 2389b231d509c6e609b2ea4a5a1584d6
SHA1: 85d656c2f8b87989054d7ca70bd16a5917a23b2d
SHA256: c9f6dbc162ae6cc11f0396e2b0d1353f7d04c19aba30f47f97971522c9b71996
SHA512: 55f898e84edba89d2a10571e023ca335e5eef952ced39317b758b508db61e4c1ff212593a6b8273f531b12e22e7c34d224a4b333e67bf57cc8566620f8162df8