Analysis
max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
06-12-2024 18:50
Static task
static1
Behavioral task
behavioral1
Sample
7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe
Resource
win7-20240903-en
General
Target
7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe
Size
338KB
MD5
3e4c16d9130d98dfcf7ca845d4c34b80
SHA1
c72fca9756823d85ec81ca9856cce7604a49e0e7
SHA256
7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d
SHA512
9788b0f06265a0f19e66fc4ed97559b861534b3896cfd7bb78ac6b4f4707894a4ec76963970331bfeb37b95e1281c5492689906e0bfe1cb581c459530dfae5ef
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYWE:vHW138/iXWlK885rKlGSekcj66ciI
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Urelas family

Deletes itself (1 IoC)
The tagged process is the cmd.exe instance that runs _uinsey.bat from the user's Temp directory (see the process tree below).
PID   Process
2832  cmd.exe

Executes dropped EXE (2 IoCs)
PID   Process
3040  focuf.exe
2020  nyxue.exe

Loads dropped DLL (2 IoCs)
PID   Process
1660  7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe
3040  focuf.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Description   IoC                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   focuf.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   nyxue.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
PID   Process     Occurrences
2020  nyxue.exe   24

Suspicious use of WriteProcessMemory (12 IoCs)
Every write pairs a parent with the child it launches in the process tree below (four writes per child). A parent writes into a child it is creating as part of normal process start-up, so this signature on its own does not indicate injection into an unrelated process.
Description                        PID   Process                                                                  procid_target   Occurrences
PID 1660 wrote to memory of 3040   1660  7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe   29              4
PID 1660 wrote to memory of 2832   1660  7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe   30              4
PID 3040 wrote to memory of 2020   3040  focuf.exe                                                                32              4
Processes

C:\Users\Admin\AppData\Local\Temp\7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe"
  PID: 1660
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\focuf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\focuf.exe"
    PID: 3040
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\nyxue.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nyxue.exe"
      PID: 2020
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2832
    - Deletes itself
    - System Location Discovery: System Language Discovery
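The process tree above (sample -> focuf.exe -> nyxue.exe, plus cmd.exe running a Temp .bat for self-deletion) and the extracted C2 addresses translate directly into host-based detection logic. The following is an added example, not part of this report or of any sandbox's own code: it replays constructed Sysmon-style ProcessCreate (Event ID 1) and NetworkConnect (Event ID 3) records, with the PIDs and paths taken from this report and the network event invented for illustration (the report's Network section is empty), through three rules: a Temp-resident parent launching a Temp-resident child, a Temp-resident parent running cmd.exe /c on a .bat in Temp, and any connection to one of the extracted Urelas addresses. Field names follow Sysmon's schema; the event values are constructed.

```python
"""Toy detector for the Urelas execution chain shown in this report.

Added example, not code from the sandbox or from the sample. It applies
three rules derived from the report's signatures and extracted config to
constructed Sysmon-style events (ProcessCreate = EventID 1,
NetworkConnect = EventID 3).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# C2 addresses from the "Malware Config / Extracted / urelas" section.
URELAS_C2 = {"218.54.31.226", "218.54.31.165", "218.54.31.166"}

# Case-insensitive matchers for a user's %TEMP% directory and for cmd.exe.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.bat", re.IGNORECASE)
CMD_RE = re.compile(r"(^|\\)cmd\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def detect(events: List[Dict]) -> List[Finding]:
    """Run the three rules over event dicts and return findings in event order."""
    findings: List[Finding] = []
    for ev in events:
        if ev["EventID"] == 3:  # NetworkConnect: match the extracted C2 set
            if ev["DestinationIp"] in URELAS_C2:
                findings.append(Finding("urelas_c2", ev["ProcessId"],
                                        f'{ev["Image"]} -> {ev["DestinationIp"]}'))
            continue
        if ev["EventID"] != 1:  # only ProcessCreate is handled below
            continue
        image, parent, cmdline = ev["Image"], ev["ParentImage"], ev["CommandLine"]
        # Rule: Temp-resident parent launching a Temp-resident, non-cmd child
        # (sample -> focuf.exe -> nyxue.exe in the report's process tree).
        if TEMP_RE.search(image) and TEMP_RE.search(parent) and not CMD_RE.search(image):
            findings.append(Finding("temp_to_temp_exec", ev["ProcessId"],
                                    f"{parent} spawned {image}"))
        # Rule: Temp-resident parent running cmd.exe /c on a .bat in Temp
        # (the "Deletes itself" signature: cmd /c ""...\_uinsey.bat" ").
        if CMD_RE.search(image) and TEMP_RE.search(parent):
            m = BAT_RE.search(cmdline)
            if m and re.search(r"\s/c\s", cmdline, re.IGNORECASE):
                findings.append(Finding("temp_bat_self_delete", ev["ProcessId"],
                                        f"{parent} ran {m.group(0)}"))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe"

# Constructed events mirroring the report's process tree (PIDs from the report),
# one benign control process, and two invented network events.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3040, "Image": f"{TEMP}\\focuf.exe",
     "ParentImage": f"{TEMP}\\{SAMPLE}", "CommandLine": f'"{TEMP}\\focuf.exe"'},
    {"EventID": 1, "ProcessId": 2832, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": f"{TEMP}\\{SAMPLE}",
     "CommandLine": f'cmd /c ""{TEMP}\\_uinsey.bat" "'},
    {"EventID": 1, "ProcessId": 2020, "Image": f"{TEMP}\\nyxue.exe",
     "ParentImage": f"{TEMP}\\focuf.exe", "CommandLine": f'"{TEMP}\\nyxue.exe"'},
    # Benign control: explorer launching notepad must not fire any rule.
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # Constructed: the report records no network traffic; this only exercises
    # the C2 rule. 198.51.100.10 is a documentation address (TEST-NET-2).
    {"EventID": 3, "ProcessId": 2020, "Image": f"{TEMP}\\nyxue.exe",
     "DestinationIp": "218.54.31.226"},
    {"EventID": 3, "ProcessId": 4100, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "198.51.100.10"},
]


def run_sample() -> List[str]:
    """Return the names of the rules that fire on SAMPLE_EVENTS, in order."""
    return [f.rule for f in detect(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:22} pid={f.pid} {f.detail}")
```

The registry read of NLS\Language reported under System Language Discovery is deliberately not a rule here: Sysmon logs registry value writes and key creation, not key opens or reads, so that behaviour is visible in the sandbox trace but not in this event source.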
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  340B
MD5       569d6c89e11fb43d80a460ee3263cd13
SHA1      9e235ce57c6aa2cf7ff57f82415db66b6fbc8323
SHA256    ae10a167e94897ea24d4e22c0333a0e7db867aa82be2625043dd809a705bcfd0
SHA512    0965a06333d79695224bd0b1cbfd48460ad128630e99cd97bfb05dddf388e23504ec85b2572225b9e099dc42cadb2bcb8b8bf047172f87101364ff9bf6466667

Filesize  512B
MD5       5b4d8c704a4ddfb1650246440f957697
SHA1      e3381a25f531e3d09c1b7624b421b20d2da1879a
SHA256    0a595080c7c4d1927c249c82d54aef4eb6008cf2048dd03ca246da560c13bc97
SHA512    751c1fee4fb536e3c2e16720a8dffacc06484e9b45bacd55ec2cb7f93a07e3d687bcb571b02148c0ce149d7ba61d72aa7206102e8cfb58f453758c1e942b00c7

Filesize  338KB
MD5       c4c9b79a23e9272ff1d764e002f29907
SHA1      b51a207941bf606dd43836be28d183a997f8aef6
SHA256    4aeb4e2fdfea95adadb71a86d111eb5e514ec5b157e4226958f9767f85768522
SHA512    dc1566ae6e29622cfdc0d56a49428197f24e18ce77e504c912adca0e0527f336be411d16dfb4c60b4d11c0137a69711c2309fa687bd30e9b157d340a3739943f

Filesize  172KB
MD5       e2d98ee106d4b2eade4102717cfbeeca
SHA1      412dbccccd315b0ebd7b542c9011b333b940aabe
SHA256    ae2ae1da4e4024d484c09aea8acf5a96199c479471ba3bf91227577ea73e7edc
SHA512    fea089437f8081d19277d6c2e9e3046fa85d138a893d8ab5d89a93db56b61d8b7abbc06188c2f6c94abb76eee19a9e12de921a49c87381e8b6a7d37a3c60e2ef

The report does not state which dropped file each entry corresponds to. The 338KB entry matches the submitted sample's size but none of its hashes, so hash-based blocking of the original sample alone will not cover the dropped copy; the size, the Temp paths and the C2 addresses are the more durable indicators here.