Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-11-2024 10:48
Static task: static1
Behavioral task: behavioral1
Sample: c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
Resource: win7-20240903-en
General
Target: c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
Size: 332KB
MD5: dd283e263e2b0339bf8bb6a19a7ef990
SHA1: b91c87e5ca1573739a501f8bd91b041a1adbe82f
SHA256: c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884
SHA512: 198932fada52cf3b8b908c634251a252a14e8118950222c490a3249004d6fca78acfdb1e789fbfbfca2425a0365561d7637c4307e1ec201d9bf72c65d0436b3b
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVb:vHW138/iXWlK885rKlGSekcj66ciEb
Malware Config
Extracted family: urelas
Addresses in extracted config:
  218.54.31.226
  218.54.31.165
  218.54.31.166
Signatures
Urelas family

Deletes itself (1 IoC)
  PID 2992  cmd.exe

Executes dropped EXE (2 IoCs)
  PID 2936  huwyp.exe
  PID 340   vuguv.exe

Loads dropped DLL (2 IoCs)
  PID 1852  c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
  PID 2936  huwyp.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by huwyp.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by vuguv.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID 340  vuguv.exe  (reported 24 times)

Suspicious use of WriteProcessMemory (12 IoCs; each parent/child pair reported 4 times)
  PID 1852 (c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe) wrote to memory of PID 2936 (huwyp.exe), procid_target 28
  PID 1852 (c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe) wrote to memory of PID 2992 (cmd.exe), procid_target 29
  PID 2936 (huwyp.exe) wrote to memory of PID 340 (vuguv.exe), procid_target 33
Processes
C:\Users\Admin\AppData\Local\Temp\c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe  (PID 1852)
  command line: "C:\Users\Admin\AppData\Local\Temp\c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\huwyp.exe  (PID 2936)
  |     command line: "C:\Users\Admin\AppData\Local\Temp\huwyp.exe"
  |     - Executes dropped EXE
  |     - Loads dropped DLL
  |     - System Location Discovery: System Language Discovery
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Users\Admin\AppData\Local\Temp\vuguv.exe  (PID 340)
  |           command line: "C:\Users\Admin\AppData\Local\Temp\vuguv.exe"
  |           - Executes dropped EXE
  |           - System Location Discovery: System Language Discovery
  |           - Suspicious behavior: EnumeratesProcesses
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 2992)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        - Deletes itself
        - System Location Discovery: System Language Discovery
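The process tree above has two shapes worth turning into detection logic: an executable in the user's Temp directory dropping and running a second Temp executable that in turn runs a third (sample -> huwyp.exe -> vuguv.exe), and the sample launching cmd /c on a batch file in Temp to delete itself. The Python below is an added example, not part of this sandbox report or of any tooling the report was produced with. It takes the indicators the report does state (the addresses from the extracted config, the SHA256 of the sample and of the two PE-sized files under Downloads, the PIDs, images and command lines of the process tree) and runs simple matching over constructed telemetry. The Sysmon-style field names, the sample's parent process (explorer.exe, PID 600), the hashes attached to the child processes, the benign setup.exe and the network connection events are all assumptions made for the demonstration; the report itself shows no network activity.

```python
"""Added example, not part of the sandbox report: turn the report's indicators
and process tree into detection logic and run it over constructed telemetry."""
import re
from collections import defaultdict

# Indicators copied from the report: addresses from the extracted Urelas config,
# SHA256 of the submitted sample and of the two PE-sized files under Downloads.
CONFIG_IPS = {"218.54.31.226", "218.54.31.165", "218.54.31.166"}
KNOWN_SHA256 = {
    "c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884",  # submitted sample
    "a74cf7dcfa120bf76f2738e92fddc2e3522464271b7ea7d5371fbc30d230fbf1",  # 332KB file
    "e393d8fbe1b6342b06aaa3d9e1195835e73a63800c64dc7dc9130a0e8e528a70",  # 172KB file
}

# An executable image sitting directly in the user's Temp directory.
TEMP_IMAGE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
# cmd /c on a batch file in Temp, tolerant of the doubled quoting seen in the report.
TEMP_BAT = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*c:\\users\\[^\\]+\\appdata\\local\\temp\\[^"\s]+\.bat', re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe"


def quoted(path):
    return '"' + path + '"'


# Constructed process-creation events (Sysmon Event ID 1-like field names are an
# assumption). PIDs, images and command lines follow the report's process tree;
# the parent explorer.exe (PID 600), the hashes on child processes and the
# benign setup.exe are made up for the demonstration.
EVENTS = [
    {"pid": 600, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "sha256": "0" * 64},
    {"pid": 1852, "ppid": 600, "image": SAMPLE, "cmdline": quoted(SAMPLE),
     "sha256": "c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884"},
    # assumed: the report lists the Downloads hashes without filenames; the 332KB
    # hash is attached to huwyp.exe here only to exercise the hash match
    {"pid": 2936, "ppid": 1852, "image": TEMP + r"\huwyp.exe",
     "cmdline": quoted(TEMP + r"\huwyp.exe"),
     "sha256": "a74cf7dcfa120bf76f2738e92fddc2e3522464271b7ea7d5371fbc30d230fbf1"},
    {"pid": 340, "ppid": 2936, "image": TEMP + r"\vuguv.exe",
     "cmdline": quoted(TEMP + r"\vuguv.exe"), "sha256": "f" * 64},
    {"pid": 2992, "ppid": 1852, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "',
     "sha256": "1" * 64},
    {"pid": 3100, "ppid": 600, "image": TEMP + r"\setup.exe",
     "cmdline": "setup.exe", "sha256": "2" * 64},
]

# Constructed outbound connections; the report's own Network section is empty.
NET_EVENTS = [
    {"pid": 340, "dst_ip": "218.54.31.226"},
    {"pid": 3100, "dst_ip": "192.0.2.10"},
]


def _index(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def hash_hits(events):
    """PIDs whose image hash is one of the report's known hashes."""
    return sorted(e["pid"] for e in events if e["sha256"].lower() in KNOWN_SHA256)


def config_ip_hits(net_events):
    """(pid, dst_ip) pairs connecting to an address from the extracted config."""
    return sorted((n["pid"], n["dst_ip"]) for n in net_events if n["dst_ip"] in CONFIG_IPS)


def temp_exec_chains(events):
    """Parent -> child -> grandchild, all executables in Temp: the drop-and-execute
    shape in the report (sample -> huwyp.exe -> vuguv.exe). A lone Temp executable
    with no Temp descendants (setup.exe above) is not reported."""
    by_pid, children = _index(events)
    chains = []
    for a in events:
        if not TEMP_IMAGE.match(a["image"]):
            continue
        for b in children[a["pid"]]:
            if not TEMP_IMAGE.match(by_pid[b]["image"]):
                continue
            for c in children[b]:
                if TEMP_IMAGE.match(by_pid[c]["image"]):
                    chains.append((a["pid"], b, c))
    return chains


def temp_batch_selfdelete(events):
    """A Temp executable spawning cmd /c on a batch file in Temp, the shape the
    report labels 'Deletes itself'. Returns (parent_pid, cmd_pid) pairs."""
    by_pid, _ = _index(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (parent and TEMP_IMAGE.match(parent["image"])
                and e["image"].lower().endswith("\\cmd.exe")
                and TEMP_BAT.search(e["cmdline"])):
            hits.append((parent["pid"], e["pid"]))
    return hits


if __name__ == "__main__":
    print("hash hits:", hash_hits(EVENTS))
    print("config IP hits:", config_ip_hits(NET_EVENTS))
    print("Temp exec chains:", temp_exec_chains(EVENTS))
    print("Temp batch self-delete:", temp_batch_selfdelete(EVENTS))
```

The hash and address matches are the brittle part (they only catch this exact build and these three hosts); the two tree-shape checks are what survive a repack, so in a real pipeline they are the rules to keep and the hashes are the enrichment.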
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 342B
MD5: 12cc31e42f61ba51d1ef42b3dfd7dcad
SHA1: feec1c4dd538f7e2a03b9a9edcb2ae38db9b9275
SHA256: 640d2e011c0789c0c436c6bd990adc5042a65341afd0d6c14ed099ba24de54ee
SHA512: 9c2fa7c203fdf61f1757462a612e45fdc975b651bb3a2c9d7d218400e6f087c01d86ed82b5dc446ec44644de06aad9dc54158695332393463bb7f86eaee8d8ac

Filesize: 512B
MD5: ea0d2158add00405f07ccc5c24da22f6
SHA1: cbffa349a9c004607cbe52db08974ec7df4c5e7b
SHA256: 3c904a05d5027613ae506357cc7ff6ee7d62426f35d0635826c0b004b2825185
SHA512: 4d8a2fd7183c1314a2f244a5948863bde416c6ebf0fbb338de440474e4e6b163d2db9785d38695ce8a961f7e15f476de6deabac4bbd0e788b38c927f951b37a4

Filesize: 172KB
MD5: 6c4a0ab6adf2bf383dc93e32844f3a6c
SHA1: b563a0dcade79847a3227bd3525194f551d4821d
SHA256: e393d8fbe1b6342b06aaa3d9e1195835e73a63800c64dc7dc9130a0e8e528a70
SHA512: 346fd0f2e2ec69d2f2ff6765fb1dc22c3432ba8e16c828ba03c7358c8ea60818fbc3e1a2a593c2675dd44960290c7f5999283e12b1b392df19d10da13010be90

Filesize: 332KB
MD5: 51eed1ab0f7858d508ed63816b25835e
SHA1: 0bdbf0f8b6a5e09c10eddf2ddbfb3462671a4a7d
SHA256: a74cf7dcfa120bf76f2738e92fddc2e3522464271b7ea7d5371fbc30d230fbf1
SHA512: c1635d12c5681142bfaa57397008160ef6ffe111822beac352c4f5b141fb21576260dd0a1cab22f450ea9354f292ba400edffc4bb498f5a979aa4a2e1fdee9dc