Analysis

Max time kernel: 119s
Max time network: 83s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 04-11-2024 14:18
Behavioral task: behavioral1
Sample: d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
Resource: win7-20241010-en
General

Target: d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
Size: 402KB
MD5: 4b72cb7dd2593e7d26485ab3f41c24e0
SHA1: 3e9703abf1d2466afcb8ad4a67251702e4f7ad89
SHA256: d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127
SHA512: 1c620ede140af2d52e170c763be53a2ffc3fd3ed378e45ad234b5ad8d22521d2083ba1cf644b7c6613dc0bcc42a87ae18b8a3384f52f7b7ba5026ece9a924dd3
SSDEEP: 6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohCq:8IfBoDWoyFblU6hAJQnO1
Malware Config

Extracted family: urelas
Extracted addresses:
- 218.54.31.165
- 218.54.31.226
Signatures

- Urelas family

- Deletes itself (1 IoC)
    PID   Process
    3004  cmd.exe

- Executes dropped EXE (3 IoCs)
    PID   Process
    2848  hoifn.exe
    2800  bufoco.exe
    1632  rosut.exe

- Loads dropped DLL (5 IoCs)
    PID   Process
    2484  d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
    2484  d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
    2848  hoifn.exe
    2848  hoifn.exe
    2800  bufoco.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Description  IoC                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hoifn.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bufoco.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rosut.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

- Suspicious behavior: EnumeratesProcesses (24 IoCs)
    PID   Process
    1632  rosut.exe  (24 identical entries)

- Suspicious use of WriteProcessMemory (20 IoCs)
    Description                        PID   Process                                                                  procid_target
    PID 2484 wrote to memory of 2848   2484  d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe  30  (4 identical entries)
    PID 2484 wrote to memory of 3004   2484  d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe  31  (4 identical entries)
    PID 2848 wrote to memory of 2800   2848  hoifn.exe                                                                33  (4 identical entries)
    PID 2800 wrote to memory of 1632   2800  bufoco.exe                                                               35  (4 identical entries)
    PID 2800 wrote to memory of 2096   2800  bufoco.exe                                                               36  (4 identical entries)
Processes

Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe"
  PID: 2484
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\hoifn.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hoifn.exe" hi
      PID: 2848
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\bufoco.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bufoco.exe" OK
          PID: 2800
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\rosut.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\rosut.exe"
              PID: 1632
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
              PID: 2096
              - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      PID: 3004
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads