Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2024 06:46
Static task: static1
Behavioral task: behavioral1
Sample: ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
Resource: win7-20240903-en
General
Target: ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
Size: 327KB
MD5: 3a42324892ed90b441f4ca7f5003f197
SHA1: df571092643708c31152b637ed2f1887a8f7cbea
SHA256: ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a
SHA512: 68c2a41f56bf984f95a3fcc055c96e98a7c8b35dee9b20744b9704369a30a2311965106cbde0fbd71f9d3fb4b240e4201c16efd889069d6f0d08601d7dd601b3
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYI:vHW138/iXWlK885rKlGSekcj66ci9
Malware Config
Extracted (family: urelas)
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
- Urelas family
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2012)
- Executes dropped EXE (2 IoCs)
  Processes: icfur.exe (PID 2720), kojie.exe (PID 1752)
- Loads dropped DLL (2 IoCs)
  Processes: ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe (PID 2076), icfur.exe (PID 2720)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Registry key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe, icfur.exe, cmd.exe, kojie.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  Processes: kojie.exe (PID 1752), 54 events
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2076 (ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe) wrote to memory of PID 2720 (icfur.exe), 4 events
  PID 2076 (ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe) wrote to memory of PID 2012 (cmd.exe), 4 events
  PID 2720 (icfur.exe) wrote to memory of PID 1752 (kojie.exe), 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2076
  C:\Users\Admin\AppData\Local\Temp\icfur.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\icfur.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2720
    C:\Users\Admin\AppData\Local\Temp\kojie.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\kojie.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1752
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2012
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 340B
MD5: aa871695149228d63195c3cfab93b26f
SHA1: 450cd094bce0bc3c7cd398d2fa89528c88a7c954
SHA256: 1f46b535ae994c35cb582bcc7d12340ad844492ba41b318f0461f3ddcda99017
SHA512: 916be60582f9d1d10cae48ad08e33bd7932c17ded77d3bc2051bf7b089feb9e4e29e1645a94c1b4ba93739d1304c7c345e3d022d8bcf15ecb5cea33fd13311b9

Filesize: 512B
MD5: e07ec5e762747e9066a4cd965d473650
SHA1: 0496b71b09e08a70006438c4cc268ed6c2bbead8
SHA256: ddc0e446afdf0c01351e737a4f12ce9338ba2a8d200ea8016ba976f704d186cb
SHA512: 9d8aba90825c0cfd105ae1794f5e2f32f86091e092cc933032b7438c7fcb01e97e3df1c59c9b2df69ec8ab6b8a9fa47149ed9f7943e51ca9294855934d4bf59c

Filesize: 327KB
MD5: e123c08099b35480aa815a0a4e0d3313
SHA1: 896c217e20a7800638213d7af1877cad62574f28
SHA256: 8a572ad09f7f844cf4c7c579c9cd8cdbe32d8025b86df2efe25baaccbbe5fb2d
SHA512: f8d9f7c70230c4dbafa1d0eb11d3cfb1a11bb3ebb5e4764c7897b85805fac227bc5b7aa3280d0d4e6983ed08ec4998eda1786e9479b74902b0c9dbd269605a64

Filesize: 172KB
MD5: ef6fb3ba27705bd80c914f1ca040ed05
SHA1: d5869bd50d424b643f757bfbdb5a54f4508ec33f
SHA256: b9dea9edc187b2839a28ea535664ea7e942ca11c035106a6f1f05ca1622181be
SHA512: a37f246ef95b4a0f2a490aad545fd6843d385d0e63408547a841008d53da90c1372539f36859974aaa280f7ee54492afe5a4e6ff497d6714e5e583ac938fce02