Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 14:43

Behavioral task: behavioral1
Sample: 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
Resource: win7-20240903-en
General
Target: 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
Size: 660KB
MD5: 3251cb0860e7baaf7de35db27328da62
SHA1: b4c461c408d7bddb5b431c1a73b3cdf21709b18d
SHA256: 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02
SHA512: 0059cb85e1116bcf6c53dc8c92cda2d6d14b7309a99c5599d6c9238ee8b808e0dc6e694f7f9fe8d3acdb78253a0198c04b013a6eaa6fcb949170c62bd3e208fb
SSDEEP: 6144:O1xBWeMRygxDLbHxlSBxzJn1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDqLS:Ol3MQIDKJzTq+Xxvo0U+d3s/fCX0s
Malware Config
Extracted
Family: urelas
- 121.88.5.183
- 218.54.30.235
Signatures
- Urelas family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  - Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (kolio.exe)
- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 4652 kolio.exe
  - 2720 sodas.exe
- resource / yara_rule:
  - behavioral2/memory/1532-0-0x0000000000400000-0x00000000004A5000-memory.dmp upx
  - behavioral2/files/0x000a000000023b5e-6.dat upx
  - behavioral2/memory/1532-13-0x0000000000400000-0x00000000004A5000-memory.dmp upx
  - behavioral2/memory/4652-16-0x0000000000400000-0x00000000004A5000-memory.dmp upx
  - behavioral2/files/0x000800000001e786-21.dat upx
  - behavioral2/memory/4652-26-0x0000000000400000-0x00000000004A5000-memory.dmp upx
  - behavioral2/memory/2720-25-0x00000000006B0000-0x000000000076A000-memory.dmp upx
  - behavioral2/memory/2720-27-0x00000000006B0000-0x000000000076A000-memory.dmp upx
  - behavioral2/memory/2720-28-0x00000000006B0000-0x000000000076A000-memory.dmp upx
  - behavioral2/memory/2720-29-0x00000000006B0000-0x000000000076A000-memory.dmp upx
  - behavioral2/memory/2720-30-0x00000000006B0000-0x000000000076A000-memory.dmp upx
  - behavioral2/memory/2720-31-0x00000000006B0000-0x000000000076A000-memory.dmp upx
  - behavioral2/memory/2720-32-0x00000000006B0000-0x000000000076A000-memory.dmp upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (kolio.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sodas.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  - 1532 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe (2 entries)
  - 4652 kolio.exe (2 entries)
  - 2720 sodas.exe (60 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  - PID 1532 wrote to memory of 4652; 1532 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe; 83
  - PID 1532 wrote to memory of 4652; 1532 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe; 83
  - PID 1532 wrote to memory of 4652; 1532 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe; 83
  - PID 1532 wrote to memory of 2008; 1532 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe; 84
  - PID 1532 wrote to memory of 2008; 1532 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe; 84
  - PID 1532 wrote to memory of 2008; 1532 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe; 84
  - PID 4652 wrote to memory of 2720; 4652 kolio.exe; 101
  - PID 4652 wrote to memory of 2720; 4652 kolio.exe; 101
  - PID 4652 wrote to memory of 2720; 4652 kolio.exe; 101
Processes
- C:\Users\Admin\AppData\Local\Temp\4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe (PID 1532, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\kolio.exe (PID 4652, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\kolio.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\sodas.exe (PID 2720, depth 3)
          Command line: "C:\Users\Admin\AppData\Local\Temp\sodas.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe (PID 2008, depth 2)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 341B
  MD5: b5d7e82c11d42300f1bd6b48c1ee79fc
  SHA1: 2d94b64506c949a244560edc529f18f71e8ff36c
  SHA256: dda2262ad63b118de3301081e95a6168dc042c51876ba180ecd072c8dd1cb5b5
  SHA512: 225fa8d76aaf11a7474fc541f7f2c9d9e08d741909015ebf4631ad70afc568f7f27f6200ced896e38a3b2e0ae4ac2a2914dc61a7ec21941eee9742f93abdbbb7
- Filesize: 512B
  MD5: 62bc4223c1310fb358a64bf1aa86e748
  SHA1: 1ac559377b273288370ae96376da62e5a25d0b0b
  SHA256: e88aeffe7a1c8bf09f292c42a31caa7d880cbe43319a8b2dea624be23abd57a8
  SHA512: c0f78c4cf145bb17f5ea2736172195561c8f5fbde3b13f850da32cfc7e090c6ea8bf56ce7a0ea897131a2f17aa40422a6b8f29cdd648af737a4791d5bd5b714d
- Filesize: 660KB
  MD5: ef00a326734ca1f0b7b682cf8babfbbd
  SHA1: 18210ed7237ffaee69d57ec5bf2ffaae5ba87600
  SHA256: 465822a9148be9c4ccc4657665b6e8b6350d3c1c85d53792dbd0361e6cb4c3fe
  SHA512: ab5cae6461be8ebe199927e36ca216333a7f9a0ab584bf4269194b9b51bf58a2194250644682c9ace037f6893a15b4932ac48eaf556fc3a0e51e0b6be1167364
- Filesize: 243KB
  MD5: 0122996eec8abc8ca7be80ed34eb42a0
  SHA1: 41a8727e7f76ab6b60b416b1e4bb48cf59a7a9c7
  SHA256: ee12692eceafff7653f075c88c0080d4d0776192f7833155fa871a85cf8efe05
  SHA512: f33207dd80d08bf9a8f6aa85429557999df437c5f467ae02fae3d0e4ac840a9874297caf53cc53dd90db6d7fbbbc564538c0dfacefe5d98a3d55f8f3f468fe71