Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 04-11-2024 10:30
Behavioral task
behavioral1
Sample
36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
Resource
win7-20241010-en
General
Target: 36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
Size: 409KB
MD5: dd27974b04f29dd7b43ce92dae43cd90
SHA1: 21ba560271aac3e1d2548a68594ad848918b92d9
SHA256: 36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babb
SHA512: f29513f26c39141026d72cc15eb649d6b041aaa99d907ac7054836a8325bc0fa07b1152d687dff2d2d47031b9c7d404bc7fe7d12cad69822974daf6b0d9697eb
SSDEEP: 6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOY+:eU7M5ijWh0XOW4sEfeOz
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures

Urelas family
  resource: behavioral1/files/0x000a00000001658d-28.dat
  yara_rule: aspack_v212_v242

Deletes itself (1 IoC)
  PID 2900  cmd.exe

Executes dropped EXE (2 IoCs)
  PID 2152  vecak.exe
  PID 3020  avbeb.exe

Loads dropped DLL (3 IoCs)
  PID 2736  36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
  PID 2736  36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
  PID 2152  vecak.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vecak.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  avbeb.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID 3020  avbeb.exe  (the same entry is listed 24 times)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 2736 wrote to memory of 2152     2736  36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe  30  (listed 4 times)
  PID 2736 wrote to memory of 2900     2736  36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe  31  (listed 4 times)
  PID 2152 wrote to memory of 3020     2152  vecak.exe                                                                33  (listed 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2736

   2. C:\Users\Admin\AppData\Local\Temp\vecak.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\vecak.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2152

      3. C:\Users\Admin\AppData\Local\Temp\avbeb.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\avbeb.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         PID: 3020

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 2900
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 342B
  MD5: 0d4514c1d29cc90e6c386266520c81d5
  SHA1: 505a6c72c47b3044379da558211a2fff546da277
  SHA256: 4721a3f937f6452d73c2fc4e49a28d93a5b3275d8d6375f1ce7dd96fc4beadb4
  SHA512: a0a6df796d9a10800e57f65b3c4a2248315e9b838e6d0f568c2ee7e13c15fcdd4e2b150acf9d46da1e919429fe442a419825e63ae9e3d5ac59297b83fe0db571

File 2
  Filesize: 512B
  MD5: 9faff338415d52a0835d60532730fcc3
  SHA1: 96f4ccb55be4031fd82fd40423c3d08f6e93aa63
  SHA256: 36545b948468def32ac88232c9c5e4c6ce32c5954449eb4d48f1b98f8d1a7d53
  SHA512: 361337a9036d850028343cbb140cda353c39960a7ccab9c71d722543de013898311b6a6b83ed0f1bf90db6d8c783256a0c58ac82a9aec262d669f6a75b2442ec

File 3
  Filesize: 212KB
  MD5: 0296fc66a977b57e3c5cfeec9da599e0
  SHA1: fc5f192446a5db9fef59989500f8891595f28f10
  SHA256: 5088b70f27d5323c3311bf0a3646f78ec687e603fcba0854f0dca755c8523ac8
  SHA512: 554387461e3c2f35c0f8bd79a0c466bcac568bc35d8c1de15d626bc47e37390b754791512dafbb875a5e987ed34a42e73111d164996ac57db6a5f81051c7f318

File 4
  Filesize: 409KB
  MD5: c65c8e6eb660a7677cd6bf48b9b00c42
  SHA1: 80a41ad690752a6506d4cdcf616ddf8e77b0f532
  SHA256: ed2ad2657666c79bb3b1fd29758ec5a0a92c32350bca9951e79789a233e7584d
  SHA512: 5db438453842727042367b9da01fed24a2a9fa713be141f9d7c034a1eab6bc75f3ac551efde9a5fb4017aaea1ea426cde9cfffb0333e0b07c188996b4699e797