Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-11-2024 04:47
Static task: static1
Behavioral task: behavioral1
Sample: c3b764212020bc5880a8c35fe63d09f56e974af94ddfd8dd5e4cb373892b182b.exe
Resource: win7-20240903-en
General
- Target: c3b764212020bc5880a8c35fe63d09f56e974af94ddfd8dd5e4cb373892b182b.exe
- Size: 333KB
- MD5: 1451a4312a14a1ac2cfa72abc1c76b74
- SHA1: e0a59172e30587cf9bbef9f917f8bb3735dbb901
- SHA256: c3b764212020bc5880a8c35fe63d09f56e974af94ddfd8dd5e4cb373892b182b
- SHA512: 2f1c8bb8b61241860dd820f43aa79f59ca700c08014d0be9dcc7a17b121e849fade8460a7d6b0cf1f8ee98b0f0efcd18226746995c8bd18d549bfa9b5c1387d3
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYX:vHW138/iXWlK885rKlGSekcj66cii
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures
- Urelas family
- Deletes itself (1 IoC)
  pid   Process
  2728  cmd.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  2780  tudas.exe
  1332  borit.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2712  c3b764212020bc5880a8c35fe63d09f56e974af94ddfd8dd5e4cb373892b182b.exe
  2780  tudas.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     c3b764212020bc5880a8c35fe63d09f56e974af94ddfd8dd5e4cb373892b182b.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     tudas.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     borit.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid   Process
  1332  borit.exe  (54 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description          pid   Process                                                                  procid_target
  PID 2712 wrote to memory of 2780   c3b764212020bc5880a8c35fe63d09f56e974af94ddfd8dd5e4cb373892b182b.exe   30  (4 identical entries)
  PID 2712 wrote to memory of 2728   c3b764212020bc5880a8c35fe63d09f56e974af94ddfd8dd5e4cb373892b182b.exe   31  (4 identical entries)
  PID 2780 wrote to memory of 1332   tudas.exe                                                               33  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\c3b764212020bc5880a8c35fe63d09f56e974af94ddfd8dd5e4cb373892b182b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3b764212020bc5880a8c35fe63d09f56e974af94ddfd8dd5e4cb373892b182b.exe"
  PID: 2712
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tudas.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tudas.exe"
    PID: 2780
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\borit.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\borit.exe"
      PID: 1332
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2728
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: 7cd9f9bb0ccbb16c739aed2228374e01
  SHA1: 0cd8d6938dc888d475481ed6281a2219081cdc0b
  SHA256: 51764318932983eb7cafc2c79850962dd0cd66f6cdd9ed8ac37e3ce424f9cd3e
  SHA512: 2211757a4f94cb07943c94b644659cfedc7997f98ea12e45aa88f63be40b202cef43b14a9072c61cced53757dfce075e11d6d28fee57f5171c5ff8d48d1ff1ec
- Filesize: 512B
  MD5: 661c70ca2465243a73a8589cf6e141eb
  SHA1: cd575a2f98ae3a73df8730b079c4ef36bb76b4c9
  SHA256: 4a6d09a67df6c011769b86588c78bc71e4f9cf21152655214942fa9dbfc47e81
  SHA512: 9a3834917582228bce0314e83b8c14e7122fe1c0133c48da2e72c37bb2aea0951e08d9ed8f0394957ed34658a972560c328e969a4b942f8b13bef4fced1d1e1e
- Filesize: 333KB
  MD5: e4be7f71833175f00bff3071bcc0ab95
  SHA1: 987e941491dc945b09b810769f1a21d9ad53060d
  SHA256: ae6a29c318d66106e91635a7830add5ab5f1cfbd688200cc69f5619b9540a2f9
  SHA512: 6dc0265fcc7d8611e787765e7fdb0f740a0597096745c8f96162b371af27f5edcf9f408eb6c7df56fb705dea075d8321a275dac9eca65ce37aa0c7a227392732
- Filesize: 172KB
  MD5: 94cefc7ad3611c1125335527ec062618
  SHA1: 2d8aeaabd540fe8b61d63529067465ec49344f78
  SHA256: ed20e006fd1ed8ad9fb4250b3514e2bd8c6c3e65181efe2ef0222189a941fa44
  SHA512: 96c66a863c8edd604e28c657bd95b9692c585694c1cb70658311c633398e905b28714d8439c2bf5667a9354acc62f3a1a20f0bb79a06dc76aca7203dd51c2911
- Filesize: 333KB
  MD5: daf287150e6084dea985a26dbf145467
  SHA1: 0f34a516718c247e0b99134b31aa96331dbcd94d
  SHA256: 8ca95939b0f00ec93b7b984e9857960839ce763b1b4ee482bfec1b21dbf80fd3
  SHA512: 250f7b6d71d1df0851a4caa23da95400e50c6e5e520ea5a71c29b40676b4a935658338536348427cb86aeb3da6f933c50d72f891c2169faf00cd62eca6783c53