Analysis
max time kernel: 120s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-11-2024 05:18
Static task: static1
Behavioral task: behavioral1
Sample: 576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe
Resource: win7-20240729-en
General
Target: 576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe
Size: 334KB
MD5: c8bad9053e92de4f01b9f1ec020320c0
SHA1: 03946e22d4ad01c409006b058cb6b01e83e4bc7f
SHA256: 576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6
SHA512: b3dee39c5f133119e01e9a4d5fb0b8d1d6bd6b0ac4b5c295999f314bd50d6765139e042ca9577d1cf83ba202dbdf08300ffa8e67293c0e0753ae6e21c09bdeb7
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYPf:vHW138/iXWlK885rKlGSekcj66ciG
Malware Config
Extracted
Family: urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
Urelas family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | jyqof.exe
Executes dropped EXE (2 IoCs)
pid | Process
2636 | jyqof.exe
1812 | nowue.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jyqof.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nowue.exe
Suspicious behavior: EnumeratesProcesses (48 IoCs)
pid | Process
1812 | nowue.exe (the same entry is listed 48 times)
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2852 wrote to memory of 2636 | 2852 | 576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe | 88 (listed 3 times)
PID 2852 wrote to memory of 4856 | 2852 | 576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe | 89 (listed 3 times)
PID 2636 wrote to memory of 1812 | 2636 | jyqof.exe | 107 (listed 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe"
  PID: 2852
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\jyqof.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\jyqof.exe"
    PID: 2636
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\nowue.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nowue.exe"
      PID: 1812
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 4856
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads