Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 03-11-2024 20:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
- Resource: win7-20241010-en
General
- Target: f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
- Size: 6.5MB
- MD5: 897f9c7d871aa6cfee73a8a226b2ce00
- SHA1: 71a7b5a797d80cc76fb7dbc0d209eacb290ccc0b
- SHA256: f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e
- SHA512: d668d0a14399ff53680d138ba041e6fff2cf36241588d42aedeecab3095f575d6579b6878224975f9b0c0f68508bb466a2efdf2ff5bd4924db9982e610f7d070
- SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSo:i0LrA2kHKQHNk3og9unipQyOaOo
Malware Config
Extracted family: urelas
- 218.54.31.165
- 218.54.31.226
Signatures
- Urelas family
- Deletes itself (1 IoC)
  pid / Process:
  2656 cmd.exe
- Executes dropped EXE (3 IoCs)
  pid / Process:
  2140 fepex.exe
  1744 xahiqu.exe
  1052 omqoi.exe
- Loads dropped DLL (5 IoCs)
  pid / Process:
  2384 f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
  2384 f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
  2140 fepex.exe
  2140 fepex.exe
  1744 xahiqu.exe
- resource / yara_rule:
  behavioral1/files/0x0008000000015d5b-159.dat upx
  behavioral1/memory/1052-165-0x0000000000400000-0x0000000000599000-memory.dmp upx
  behavioral1/memory/1744-163-0x0000000004760000-0x00000000048F9000-memory.dmp upx
  behavioral1/memory/1052-177-0x0000000000400000-0x0000000000599000-memory.dmp upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fepex.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xahiqu.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omqoi.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid / Process:
  2384 f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
  2140 fepex.exe
  1744 xahiqu.exe
  1052 omqoi.exe
  1052 omqoi.exe
  1052 omqoi.exe
  1052 omqoi.exe
  1052 omqoi.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / Process / procid_target:
  PID 2384 wrote to memory of 2140 / 2384 / f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe / 30
  PID 2384 wrote to memory of 2140 / 2384 / f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe / 30
  PID 2384 wrote to memory of 2140 / 2384 / f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe / 30
  PID 2384 wrote to memory of 2140 / 2384 / f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe / 30
  PID 2384 wrote to memory of 2656 / 2384 / f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe / 31
  PID 2384 wrote to memory of 2656 / 2384 / f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe / 31
  PID 2384 wrote to memory of 2656 / 2384 / f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe / 31
  PID 2384 wrote to memory of 2656 / 2384 / f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe / 31
  PID 2140 wrote to memory of 1744 / 2140 / fepex.exe / 33
  PID 2140 wrote to memory of 1744 / 2140 / fepex.exe / 33
  PID 2140 wrote to memory of 1744 / 2140 / fepex.exe / 33
  PID 2140 wrote to memory of 1744 / 2140 / fepex.exe / 33
  PID 1744 wrote to memory of 1052 / 1744 / xahiqu.exe / 35
  PID 1744 wrote to memory of 1052 / 1744 / xahiqu.exe / 35
  PID 1744 wrote to memory of 1052 / 1744 / xahiqu.exe / 35
  PID 1744 wrote to memory of 1052 / 1744 / xahiqu.exe / 35
  PID 1744 wrote to memory of 1028 / 1744 / xahiqu.exe / 36
  PID 1744 wrote to memory of 1028 / 1744 / xahiqu.exe / 36
  PID 1744 wrote to memory of 1028 / 1744 / xahiqu.exe / 36
  PID 1744 wrote to memory of 1028 / 1744 / xahiqu.exe / 36
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe (PID 2384)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\fepex.exe (PID 2140)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fepex.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\xahiqu.exe (PID 1744)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xahiqu.exe" OK
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Local\Temp\omqoi.exe (PID 1052)
        Command line: "C:\Users\Admin\AppData\Local\Temp\omqoi.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      Level 4: C:\Windows\SysWOW64\cmd.exe (PID 1028)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
  Level 2: C:\Windows\SysWOW64\cmd.exe (PID 2656)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15