Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2024, 06:58
Static task: static1
Behavioral task: behavioral1
Sample: ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Resource: win7-20240729-en
General
Target: ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Size: 335KB
MD5: a382b347737bdb4bd2bf3ac26c34ba03
SHA1: 0ba6c6f58880260c32eb733350f7634eb245890c
SHA256: ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc
SHA512: 390d29133ae5d769573875024024140790154290d0db373ca0181129886c332627f98e574d44500ba768848882b9fe90e7cc8732f448b9574ae642852dffe6b2
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV9MC:vHW138/iXWlK885rKlGSekcj66ciE9MC
Malware Config
Extracted family: urelas
Extracted addresses:
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
- Urelas family
- Deletes itself (1 IoC)
  pid 2720 | Process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2464 | Process naqus.exe
  pid 2912 | Process pohyr.exe
- Loads dropped DLL (2 IoCs)
  pid 2136 | Process ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
  pid 2464 | Process naqus.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | naqus.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pohyr.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid 2912 | Process pohyr.exe (24 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2136 wrote to memory of 2464 | 2136 | ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe | 31 (4 identical entries)
  PID 2136 wrote to memory of 2720 | 2136 | ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe | 32 (4 identical entries)
  PID 2464 wrote to memory of 2912 | 2464 | naqus.exe | 34 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe"
  PID: 2136
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\naqus.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\naqus.exe"
      PID: 2464
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\pohyr.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\pohyr.exe"
          PID: 2912
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2720
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: 2327ead2b68b0439df68905a99174378
  SHA1: 04ebca76b854ae1a856e304d4ec9486322779513
  SHA256: 7fe90d95840f59e20765937b8c0f56231ec0e3582bf3c4e53fff1ff527b6f3d7
  SHA512: 2e9f26a14e31b968995305e6464afe2625679b99e3aeb28dd1b218a2630e78b9c9e6ab32bd597a17ad55cda4cd24701e2c3a7ccbf48cd0b26fe4e75c439ce6a2
- Filesize: 512B
  MD5: 5b2d6633d00662971311a345e63b09fb
  SHA1: 00835ecd52c9496c16d2b20fae98dafae84819e0
  SHA256: 4377dbe2f479e6263bcfb5fb843f088fac5391cce379fdc8c53a7127e7a2d836
  SHA512: c2174b6c0006515161550551a518ed24ae37ce21b2216ccda82e304a3856d5fee91d73b5b3be3640071d3100e3872cbedf013d048bbdad7727ada26236596bd5
- Filesize: 335KB
  MD5: e422dbcfedd82d7326f39553a4f40ae6
  SHA1: 3a184e27e11239f2f5e0e5ee86f710a59c40ea9f
  SHA256: ea1c49eb5862a6397f4d6b61ab741d062ffe2f4f83c31497ca07eccd406e331f
  SHA512: 077bbc66265eac3fdd58e800c2fcb22f6577f7502a0650b7506b16bd75e0add2c5a43801c95ca16df70b04b7eebccdd1453a1706a9ff138e33d959ef6b933a29
- Filesize: 172KB
  MD5: bf562051f2386d882964270b2cd91b41
  SHA1: 520b63692a05e1e29cde65229a778c066e51811a
  SHA256: 2d916b9db2ff82ac9d0303715f478329c608bc796d863c1af7defe502b006927
  SHA512: c549407cad1fb44a395a095c0d15a7a6348667c09dc55f3c2da6581c23ab85308c85ea034236e3f09599af5b709d55a2f25829f7d45cd340b66e99f33a1a7b3d