Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 19:07
Behavioral task: behavioral1
Sample: b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
Resource: win7-20240903-en
General
Target: b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
Size: 689KB
MD5: 882afb62ea28195617963f64df97091f
SHA1: c2c0b5729bd376f925b5e3a26298e6ffe48d3686
SHA256: b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d
SHA512: 34f47a3f4f1899a8d69cf4961d81fabde06dae6e8257c2028cf9e59faf254d009245e311299818364c03673ea52aa321711d8759e4ffccd0b86d51ad7d918102
SSDEEP: 12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nh:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnh
Malware Config
Extracted
family: urelas
hosts: 218.54.31.226, 218.54.31.165
Signatures

Urelas family

Deletes itself (1 IoC)
pid   Process
288   cmd.exe

Executes dropped EXE (3 IoCs)
pid   Process
3000  himac.exe
2596  ijneku.exe
1796  pedog.exe

Loads dropped DLL (5 IoCs)
pid   Process
2756  b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
2756  b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
3000  himac.exe
3000  himac.exe
2596  ijneku.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host (ATT&CK T1614.001).
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   himac.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ijneku.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   pedog.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid   Process
1796  pedog.exe (7 identical entries)

Suspicious use of WriteProcessMemory (20 IoCs)
Identical entries are collapsed; each row below appears four times in the report.
description                         pid   Process                                                                   procid_target
PID 2756 wrote to memory of 3000    2756  b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe   30   (x4)
PID 2756 wrote to memory of 288     2756  b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe   31   (x4)
PID 3000 wrote to memory of 2596    3000  himac.exe                                                                 33   (x4)
PID 2596 wrote to memory of 1796    2596  ijneku.exe                                                                34   (x4)
PID 2596 wrote to memory of 1072    2596  ijneku.exe                                                                35   (x4)
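Every WriteProcessMemory entry in this report is a parent writing into a process it has just created (the procid_target values rise with each new child), which is what ordinary process creation looks like in this view rather than injection into a process that was already running. The following script is an added example, not part of the report or of the sandbox's own tooling: it parses IoC lines in the layout printed above, collapses the repeated entries into one edge per parent/child pair, rebuilds the process tree, and flags any write that does not fit the create-then-write pattern. The IoC lines are reconstructed from the table (each appears four times), the PID-to-image map is taken from the Processes section below, and the function names are my own.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory IoCs (added example)."""
import re
from collections import OrderedDict

SAMPLE = "b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe"

# Constructed input: the 20 IoC lines from the report, each entry repeated 4x as printed.
IOCS = "\n".join(
    [f"PID 2756 wrote to memory of 3000 2756 {SAMPLE} 30"] * 4
    + [f"PID 2756 wrote to memory of 288 2756 {SAMPLE} 31"] * 4
    + ["PID 3000 wrote to memory of 2596 3000 himac.exe 33"] * 4
    + ["PID 2596 wrote to memory of 1796 2596 ijneku.exe 34"] * 4
    + ["PID 2596 wrote to memory of 1072 2596 ijneku.exe 35"] * 4
)

# Image names per PID, taken from the report's Processes section (needed for
# PIDs such as 288, 1796 and 1072 that never appear as a writer themselves).
PID_IMAGE = {2756: SAMPLE, 3000: "himac.exe", 2596: "ijneku.exe",
             1796: "pedog.exe", 288: "cmd.exe", 1072: "cmd.exe"}

# Column layout: 'PID <src> wrote to memory of <dst> <src> <image> <procid_target>'
LINE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_iocs(text):
    """Return (src_pid, dst_pid, src_image, procid_target) per IoC line, in report order."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # tolerate stray separators such as a lone '-'
        src, dst, src_again, image, target = m.groups()
        if src != src_again:
            raise ValueError(f"inconsistent writer PID in: {line}")
        records.append((int(src), int(dst), image, int(target)))
    return records


def collapse_edges(records):
    """Group repeated writes into one (src, dst) edge carrying a write count."""
    edges = OrderedDict()
    for src, dst, image, target in records:
        key = (src, dst)
        if key not in edges:
            edges[key] = {"image": image, "procid_target": target, "writes": 0}
        edges[key]["writes"] += 1
    return edges


def suspicious_writes(records):
    """Writes that do not look like a parent setting up its own new child.

    Flags a target that already had a different writer, or a target that was
    already active (had written into others) before being written into; both
    are what injection into a pre-existing process looks like in this view.
    """
    first_writer, active, flagged = {}, set(), []
    for src, dst, image, _target in records:
        if dst in active or first_writer.setdefault(dst, src) != src:
            flagged.append((src, dst, image))
        active.add(src)
    return flagged


def build_tree(edges):
    """Map each writer PID to its children, preserving report order."""
    children = {}
    for (src, dst), info in edges.items():
        children.setdefault(src, []).append((dst, info))
    return children


def render_tree(edges, root, pid_image=PID_IMAGE):
    """Indented tree, one line per process, annotated with the write count from its parent."""
    children = build_tree(edges)
    lines = []

    def walk(pid, depth, note):
        lines.append(f"{'  ' * depth}{pid} {pid_image.get(pid, '?')}{note}")
        for dst, info in children.get(pid, []):
            walk(dst, depth + 1, f"  <- {info['writes']} writes from {pid}")

    walk(root, 0, "")
    return lines


if __name__ == "__main__":
    recs = parse_iocs(IOCS)
    print("\n".join(render_tree(collapse_edges(recs), 2756)))
    print("injection candidates:", suspicious_writes(recs))
```

Run as-is it prints the same tree the Processes section shows, with every edge carrying four writes, and an empty list of injection candidates; a write whose target was already running (for example pedog.exe writing back into himac.exe) would be the case `suspicious_writes` is there to surface.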
Processes
Indentation shows the parent/child relationship; the original report numbers these levels 1 to 4.

C:\Users\Admin\AppData\Local\Temp\b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe  (PID 2756)
  command line: "C:\Users\Admin\AppData\Local\Temp\b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe"
  signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\himac.exe  (PID 3000)
    command line: "C:\Users\Admin\AppData\Local\Temp\himac.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ijneku.exe  (PID 2596)
      command line: "C:\Users\Admin\AppData\Local\Temp\ijneku.exe" OK
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\pedog.exe  (PID 1796)
        command line: "C:\Users\Admin\AppData\Local\Temp\pedog.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe  (PID 1072)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        signatures: System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (PID 288)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    signatures: Deletes itself; System Location Discovery: System Language Discovery

The batch file _vslite.bat is run twice: by cmd.exe PID 288, spawned directly by the original sample and where the "Deletes itself" behaviour is observed, and again by cmd.exe PID 1072, spawned by ijneku.exe. Every process in the chain runs from the user's Temp directory, and the three dropped executables (himac.exe, ijneku.exe, pedog.exe) are launched in a strict parent/child chain.
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists the following dropped files by hash only; no file names are given.

File 1
Filesize: 340B
MD5: a404cd1e1c5dc4ff7980e95c6ac4fe61
SHA1: 885c830c5d069378821c20259ec2f17d31b2d008
SHA256: e04933a8812a003e5d05600fb06d6f071a7e5af5415507c519d3fc5407d096b0
SHA512: 64cceb358122187e637508190004eb64c6572fb71c749495c389e4dbaec996525adf8030407d848e32d5545aa49a940e0f48518931c080679776309c75aca944

File 2
Filesize: 224B
MD5: a40cf8be8108346e2bc3ca611909f4cf
SHA1: 1824fe6aa0e3a31c47b788af618418c5bdfe13a4
SHA256: 215438dc7f2c49a7afd1ba8673899795f68868f4da6f1552bb8372a002d6e6ef
SHA512: f75e9416f8db0f8b41cdcf00de525d65dbef359179ed5d06d308d267093d007c3f9c289211ce5f8048c056571a2d1aa3b1d9cab4437664de3dc8a259ea9a5b69

File 3
Filesize: 104B
MD5: dbef593bccc2049f860f718cd6fec321
SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

File 4
Filesize: 512B
MD5: 5c1fc45b52425b0eb507ae6013e203eb
SHA1: 006b2ee9a08ba8e28d58bf9f86179e7e9942cdee
SHA256: 99ea92e13e84d18161106f47d065aa91a5638d5bc8af613c80f6908d7bf33c34
SHA512: 97224db99fecb203d8852186caae9d4618df9aec3d96710ac6e001d35dd1121a04b5764202859c7012fe1f2bc2d1368b6f22d962902ad533cbff5e7383eec4d6

File 5
Filesize: 690KB
MD5: bc352074354d4dfebd84b9be68868633
SHA1: 9581d9249ac3d8db3faa3deb72545ae4918b42cb
SHA256: 34ca9d4e1e9bfe650365f7f8a4beeeb2116c38d11fde611f836aee975afc7b12
SHA512: 0439c9a35ce280ab3abddb5f8c60e01e2be41b7e6cd793e1ccfc7767c8584473817505ad6165063db638346f190850a5896c5efa22e4ca84f650a0aafcdac97b

File 6
Filesize: 469KB
MD5: 5cdd76c63494168232df7be37277dfbb
SHA1: cd3a7b2ae075fc1b6e059cfb714eb61a20fbaae4
SHA256: b26197ca1587b83cd3f0d2a6d088180c9fd20af892f49fdeb45ace2e1a6c9a63
SHA512: 951f496dabe623f47f7560669204522999cfd8dc208ef8e4e0e51d83da5471c188b8c878b69adbe6216a7a68bf1b382bf3bd7953b8d8b701e1a74e63091603aa