Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-11-2024 06:22
Static task: static1
Behavioral task: behavioral1
Sample: f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
Resource: win7-20240903-en
General
Target: f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
Size: 6.5MB
MD5: 897f9c7d871aa6cfee73a8a226b2ce00
SHA1: 71a7b5a797d80cc76fb7dbc0d209eacb290ccc0b
SHA256: f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e
SHA512: d668d0a14399ff53680d138ba041e6fff2cf36241588d42aedeecab3095f575d6579b6878224975f9b0c0f68508bb466a2efdf2ff5bd4924db9982e610f7d070
SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSo:i0LrA2kHKQHNk3og9unipQyOaOo
Malware Config
Extracted family: urelas
C2 addresses:
- 218.54.31.165
- 218.54.31.226
Signatures
- Urelas family
- Deletes itself (1 IoC)
  pid   Process
  2416  cmd.exe
- Executes dropped EXE (3 IoCs)
  pid   Process
  2764  muguw.exe
  556   vymidi.exe
  1320  uqpik.exe
- Loads dropped DLL (5 IoCs)
  pid   Process
  2012  f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
  2012  f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
  2764  muguw.exe
  2764  muguw.exe
  556   vymidi.exe
- YARA rule matches
  resource                                                                      yara_rule
  behavioral1/files/0x0008000000018696-155.dat                                  upx
  behavioral1/memory/1320-161-0x0000000000400000-0x0000000000599000-memory.dmp  upx
  behavioral1/memory/556-159-0x0000000004830000-0x00000000049C9000-memory.dmp   upx
  behavioral1/memory/1320-173-0x0000000000400000-0x0000000000599000-memory.dmp  upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vymidi.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  uqpik.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  muguw.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid   Process
  2012  f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
  2764  muguw.exe
  556   vymidi.exe
  1320  uqpik.exe (12 entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                         pid   Process                                                                 procid_target
  PID 2012 wrote to memory of 2764    2012  f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe  31  (4 entries)
  PID 2012 wrote to memory of 2416    2012  f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe  32  (4 entries)
  PID 2764 wrote to memory of 556     2764  muguw.exe                                                               34  (4 entries)
  PID 556 wrote to memory of 1320     556   vymidi.exe                                                              35  (4 entries)
  PID 556 wrote to memory of 904      556   vymidi.exe                                                              36  (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe"
   PID: 2012
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\muguw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\muguw.exe"
      PID: 2764
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\vymidi.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\vymidi.exe" OK
         PID: 556
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\uqpik.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\uqpik.exe"
            PID: 1320
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
            PID: 904
            - System Location Discovery: System Language Discovery
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      PID: 2416
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads