Analysis Overview
SHA256
045b4bb4a2914bf91607a617516731dd3317c74a701a38749a1fc0930d225680
Threat Level: Known bad
The file Backdoor.Win32.Plite.bhuu-045b4bb4a2914bf91607a617516731dd3317c74a701a38749a1fc0930d225680 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
ASPack v2.12-2.42
Deletes itself
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 06:55
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 06:55
Reported
2024-02-29 06:58
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bytur.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fuxya.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bytur.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe"
C:\Users\Admin\AppData\Local\Temp\bytur.exe
"C:\Users\Admin\AppData\Local\Temp\bytur.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\fuxya.exe
"C:\Users\Admin\AppData\Local\Temp\fuxya.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1136-0-0x0000000000400000-0x000000000046A000-memory.dmp
\Users\Admin\AppData\Local\Temp\bytur.exe
| MD5 | dd87d57c7f06b4a342e80ae413a045ff |
| SHA1 | 8f6a39dff19d93c468cd1947476219e41c9016aa |
| SHA256 | 2378e7e2f0e8cec74aa756faf2c1d696fd5f6c92ec78bc9b8caa7facb74e0560 |
| SHA512 | ec66d72779ba18be82d688a68c2c538f81d81ad4883edf30150ed9cc98a5666e21fc087898e4102e6dbc97923452e917a84d0c2de9afeb4dd3234dc1165e3b0a |
memory/1136-11-0x0000000002680000-0x00000000026EA000-memory.dmp
memory/1896-19-0x0000000000400000-0x000000000046A000-memory.dmp
memory/1136-21-0x0000000002680000-0x00000000026EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 97fc87a02a4d6b9e3c84b60d8c043bfe |
| SHA1 | 766c62bed33c6c7aabf6e27099702bcd584dcccb |
| SHA256 | a3196284add063a8e6090efbb24a11a92af85d7257bc6b583299ff5df53806cc |
| SHA512 | 4462f2d9275882358de182cf3984fdde74e8430ea85212efa2c579c618c6cab10c867e7a2d6fd3dfd0400b7918a9d03de37eb5c5296abefa53846a8e126e6938 |
memory/1136-22-0x0000000000400000-0x000000000046A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b0eb3d58daa59ca15164d998af721e23 |
| SHA1 | 1fae3b65d2174d0b9b1d4d3923ca50ad220e65f2 |
| SHA256 | af68cd422eb11a2b4d53509ac4c358d40c7cd1b937389d448df24eb5e85b50f4 |
| SHA512 | c9f724fe91f6f3c945794f68cff1ae9b8480a5d959adc3a6cb0f0e72f3d512df4cb94282b2a8e46ad65fd82f3da2dace5c60b73c1058ff05ce2b26b7463bb44a |
C:\Users\Admin\AppData\Local\Temp\fuxya.exe
| MD5 | 7e4f24618313c32066dc7a1dfd5c0c58 |
| SHA1 | ba3b4353960413533f30a6b574e50a3593364326 |
| SHA256 | 5a8e99af7c0167e3b9ae1f9f07ef3117981f6fc2273e3db6a550e2efb60c10e2 |
| SHA512 | 52407dc38558115a86d8f1361d4c1ba808b3a77a98858414ac0829459bba02ec5312e1b2834e734f24facce1878cd0fc97b83e97aa26dce3d1cac10a4f444af8 |
memory/1316-33-0x0000000001320000-0x00000000013C2000-memory.dmp
memory/1896-32-0x0000000000400000-0x000000000046A000-memory.dmp
memory/1896-31-0x0000000003250000-0x00000000032F2000-memory.dmp
memory/1316-35-0x0000000001320000-0x00000000013C2000-memory.dmp
memory/1316-36-0x0000000001320000-0x00000000013C2000-memory.dmp
memory/1316-38-0x0000000001320000-0x00000000013C2000-memory.dmp
memory/1316-39-0x0000000001320000-0x00000000013C2000-memory.dmp
memory/1316-40-0x0000000001320000-0x00000000013C2000-memory.dmp
memory/1316-41-0x0000000001320000-0x00000000013C2000-memory.dmp
memory/1316-42-0x0000000001320000-0x00000000013C2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 06:55
Reported
2024-02-29 06:57
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
114s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tioza.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tioza.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iqfei.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe"
C:\Users\Admin\AppData\Local\Temp\tioza.exe
"C:\Users\Admin\AppData\Local\Temp\tioza.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\iqfei.exe
"C:\Users\Admin\AppData\Local\Temp\iqfei.exe"
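The process lists of both detonations show the same shape: the submitted file runs an executable it dropped into %TEMP%, that executable runs a second dropped executable, and cmd.exe runs a batch file from %TEMP% (the "Deletes itself" signature); only the dropped names differ (bytur.exe/fuxya.exe on win7, tioza.exe/iqfei.exe on win10). The following is an added detection example, not part of the sandbox report or the sample: it runs two rules over Sysmon-style process-creation records. The image paths and command lines are copied from the behavioral1 process list; the PIDs, the parent/child relationships and the explorer.exe row are constructed assumptions for the example, since the report does not record parent PIDs.

```python
import re
from typing import Dict, List, Optional

# Any path under <profile>\AppData\Local\Temp\ (case-insensitive).
TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Batch file named after "cmd /c", tolerating the doubled quotes seen in the report.
BAT_RE = re.compile(r'/c\s+"*(?P<bat>[^"]+\.bat)"', re.IGNORECASE)

# Constructed process-creation events (Sysmon event ID 1 style). Images and
# command lines come from the behavioral1 process list; PIDs, parent PIDs and
# the explorer.exe row are assumptions made for this example.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 1136, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe"'},
    {"pid": 1896, "ppid": 1136,
     "image": r"C:\Users\Admin\AppData\Local\Temp\bytur.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bytur.exe"'},
    {"pid": 2040, "ppid": 1136,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"pid": 1316, "ppid": 1896,
     "image": r"C:\Users\Admin\AppData\Local\Temp\fuxya.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\fuxya.exe"'},
    {"pid": 3000, "ppid": 1000,
     "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]


def detect(events: List[Dict]) -> List[str]:
    """Return one finding string per event that matches either rule.

    Rule 1: an executable in %TEMP% started by another executable in %TEMP%
            (the dropped-EXE chain).
    Rule 2: cmd.exe started by a %TEMP% executable, running a .bat that also
            lives in %TEMP% (the self-delete pattern behind "Deletes itself").
    """
    by_pid = {e["pid"]: e for e in events}
    findings: List[str] = []
    for e in events:
        parent: Optional[Dict] = by_pid.get(e["ppid"])
        parent_in_temp = parent is not None and bool(TEMP_RE.match(parent["image"]))
        if not parent_in_temp:
            continue  # both rules require a %TEMP%-resident parent
        if TEMP_RE.match(e["image"]):
            findings.append(f"dropped-exe-chain: {parent['image']} -> {e['image']}")
        elif e["image"].lower().endswith("\\cmd.exe"):
            m = BAT_RE.search(e["cmdline"])
            if m and TEMP_RE.match(m.group("bat")):
                findings.append(
                    f"temp-batch-from-temp-exe: {parent['image']} -> {m.group('bat')}")
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Both rules key on the parent's image path, so a developer running a batch file from %TEMP% out of explorer.exe does not fire. Match on the logged image path rather than the command-line prefix: in the win10 run the command line names C:\Windows\system32\cmd.exe while the image is C:\Windows\SysWOW64\cmd.exe, because the 32-bit parent's request was redirected by WoW64 file-system redirection.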
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
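The same four TCP endpoints (three in KR, one in JP, on ports 11110 and 11170) appear in both the win7 and the win10 Network tables, which makes them the most reliable network indicators in this report; the g.bing.com and in-addr.arpa lookups occur only in the win10 run and are likely platform background traffic. The following is an added example, not part of the report: it matches a connection log against those endpoints and emits Suricata rules for them. The log excerpt is constructed for the example in a simplified tab-separated layout (not real Zeek output), the 198.51.100.7 address is a documentation address, and the sid values are placeholders in the local range.

```python
from typing import List, Tuple

# Endpoints contacted in both detonations (from the report's Network tables).
IOC_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}
# Weaker signal: the same two non-standard ports on any destination.
IOC_PORTS = {port for _, port in IOC_ENDPOINTS}

# Constructed connection-log excerpt (not real Zeek output): tab-separated
# ts, src, sport, dst, dport, proto. The 8.8.8.8 and 204.79.197.200 rows mirror
# the background traffic in the win10 run; 198.51.100.7 is a documentation address.
SAMPLE_CONN_LOG = """\
# ts\tsrc\tsport\tdst\tdport\tproto
1709190900.101\t10.0.2.15\t49211\t8.8.8.8\t53\tudp
1709190901.230\t10.0.2.15\t49212\t204.79.197.200\t443\ttcp
1709190903.415\t10.0.2.15\t49213\t218.54.31.226\t11110\ttcp
1709190907.002\t10.0.2.15\t49214\t1.234.83.146\t11170\ttcp
1709190910.771\t10.0.2.15\t49215\t198.51.100.7\t11110\ttcp
"""


def match_conn_lines(text: str) -> List[Tuple[str, str, int]]:
    """Return (match_kind, dst, dport) for every TCP line that hits an indicator.

    "exact" means destination IP and port both match a reported endpoint;
    "port-only" means only the unusual port matched, which needs analyst review.
    """
    hits: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, _src, _sport, dst, dport_s, proto = line.split("\t")
        dport = int(dport_s)
        if proto != "tcp":
            continue
        if (dst, dport) in IOC_ENDPOINTS:
            hits.append(("exact", dst, dport))
        elif dport in IOC_PORTS:
            hits.append(("port-only", dst, dport))
    return hits


def suricata_rules(base_sid: int = 1000001) -> List[str]:
    """Emit one alert rule per exact endpoint; sids are placeholders in the local range."""
    rules = []
    for i, (ip, port) in enumerate(sorted(IOC_ENDPOINTS)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Urelas/Plite sample C2 endpoint {ip}:{port}"; '
            f'flow:to_server,established; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for hit in match_conn_lines(SAMPLE_CONN_LOG):
        print(hit)
    print("\n".join(suricata_rules()))
```

Treat the port-only matches as a hunting lead rather than an alert: 11110 and 11170 are unusual enough to be worth a look, but nothing in the report ties the ports to the sample independently of the four addresses.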
Files
memory/1376-0-0x0000000000400000-0x000000000046A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tioza.exe
| MD5 | 57d5033e75bda61bde83d77ca5be1dfe |
| SHA1 | fa32361d615e96147070ef7556c0a0bfcd3eeeb6 |
| SHA256 | 49ebadcb54900f790df1b9c22220ab2c8c83a9e6a021cf8701300c63d5b6bb5d |
| SHA512 | a956d9f0fc20558455e47691c06c33b765495cb571e87aacb7bf11af4c4f2499b85f9ec115d94c8bee0a47103c5f453c09cfe58f9883fcb25c9c7a34f83f1be2 |
C:\Users\Admin\AppData\Local\Temp\tioza.exe
| MD5 | d1bc512e4f3f1f3c469a3229b45b9fd9 |
| SHA1 | ce1e4eb3b19bf3211b3dc4b99f9bf85b78867040 |
| SHA256 | 27da9f0368a14a0fbf18457241d37142a50d53e482e1ec29a3503a1e41c757f4 |
| SHA512 | 69cd554387b3d91f9b41086b1efaa9328cef93e30d3dc13f851a5e057a9365f1643571d268773947e44908fcb98d32d95cbc03050b0b69bf854ce4fa69289d30 |
memory/1376-14-0x0000000000400000-0x000000000046A000-memory.dmp
memory/3648-13-0x0000000000400000-0x000000000046A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 97fc87a02a4d6b9e3c84b60d8c043bfe |
| SHA1 | 766c62bed33c6c7aabf6e27099702bcd584dcccb |
| SHA256 | a3196284add063a8e6090efbb24a11a92af85d7257bc6b583299ff5df53806cc |
| SHA512 | 4462f2d9275882358de182cf3984fdde74e8430ea85212efa2c579c618c6cab10c867e7a2d6fd3dfd0400b7918a9d03de37eb5c5296abefa53846a8e126e6938 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 70b1a3f1f922eefc842d9946ca899efa |
| SHA1 | 60adca9af7c6da22afdf35f0035d55eb6870008c |
| SHA256 | 112c3c8439270fb627e95b20c97e32a82d31cd0dc3770acd8cfc2764d059d493 |
| SHA512 | 656c1e638b479ff75f459d19c3be45f3ca0d2b80e8862cfba7af80ec2791efe6a8d18022e6e7b50d859b065c5907baf481e8a114a01e05a2dad31bdb50789071 |
C:\Users\Admin\AppData\Local\Temp\iqfei.exe
| MD5 | 8ac43cbedd2aeab7cbd4ee10a1f3bd1f |
| SHA1 | ba16efb70b5cbdb2473d17dd4e1db1d5fcb2f7a0 |
| SHA256 | 4c19bea1f25db9273d5d9efb408ac446447660c09e5598920d60408f0f6f7aa8 |
| SHA512 | 6ae61b95e8323afaa80519b0632be1a9122f57d8e38957f4fd5e23ce0654b2df1f2091fe979ad02b9b66152dea81cdc00a5148fd72ba012ed39a6d28264f8174 |
memory/3648-25-0x0000000000400000-0x000000000046A000-memory.dmp
memory/4392-27-0x00000000004C0000-0x0000000000562000-memory.dmp
memory/4392-28-0x00000000004C0000-0x0000000000562000-memory.dmp
memory/4392-29-0x00000000004C0000-0x0000000000562000-memory.dmp
memory/4392-31-0x00000000004C0000-0x0000000000562000-memory.dmp
memory/4392-32-0x00000000004C0000-0x0000000000562000-memory.dmp
memory/4392-33-0x00000000004C0000-0x0000000000562000-memory.dmp
memory/4392-34-0x00000000004C0000-0x0000000000562000-memory.dmp
memory/4392-35-0x00000000004C0000-0x0000000000562000-memory.dmp