Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 20:26
Behavioral task: behavioral1
Sample: 213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe
Resource: win7-20240708-en
General
Target: 213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe
Size: 629KB
MD5: 852c786fe915770ff65d506086e4bf35
SHA1: c47e365f60694b91426dd12d50df82cf96afd732
SHA256: 213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e
SHA512: 469b5daf40b28366b11268f7ab96f7a1379f9e34ab150db4902301ad4779d890d09933527e45b6c88888979ef53c99d96178d2abe99a2824633a4d6e1ac9ca33
SSDEEP: 12288:5U7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsx:5UowYcOW4a2YcOW4Q
Malware Config
Extracted family: urelas
Extracted addresses: 218.54.31.226, 218.54.31.165
Signatures
- Urelas family
- yara_rule aspack_v212_v242 on resource behavioral2/files/0x000400000000072f-21.dat
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation by 213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation by neleh.exe
- Executes dropped EXE (2 IoCs)
  PID 5044: neleh.exe
  PID 4516: siuvy.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by neleh.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by siuvy.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4516: siuvy.exe (all 64 IoCs come from this one process)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4728 (213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe) wrote to memory of PID 5044, procid_target 87
  PID 4728 (213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe) wrote to memory of PID 5044, procid_target 87
  PID 4728 (213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe) wrote to memory of PID 5044, procid_target 87
  PID 4728 (213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe) wrote to memory of PID 4376, procid_target 88
  PID 4728 (213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe) wrote to memory of PID 4376, procid_target 88
  PID 4728 (213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe) wrote to memory of PID 4376, procid_target 88
  PID 5044 (neleh.exe) wrote to memory of PID 4516, procid_target 106
  PID 5044 (neleh.exe) wrote to memory of PID 4516, procid_target 106
  PID 5044 (neleh.exe) wrote to memory of PID 4516, procid_target 106
Processes
Image: C:\Users\Admin\AppData\Local\Temp\213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe (PID 4728, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
    Image: C:\Users\Admin\AppData\Local\Temp\neleh.exe (PID 5044, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\neleh.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
        Image: C:\Users\Admin\AppData\Local\Temp\siuvy.exe (PID 4516, depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\siuvy.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    Image: C:\Windows\SysWOW64\cmd.exe (PID 4376, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads