Analysis Overview
SHA256
f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020
Threat Level: Known bad
The file f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
ASPack v2.12-2.42
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-05 02:40
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-05 02:40
Reported
2024-03-05 02:43
Platform
win7-20240221-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\epnun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gilyv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\epnun.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe
"C:\Users\Admin\AppData\Local\Temp\f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe"
C:\Users\Admin\AppData\Local\Temp\epnun.exe
"C:\Users\Admin\AppData\Local\Temp\epnun.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\gilyv.exe
"C:\Users\Admin\AppData\Local\Temp\gilyv.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11150 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 121.88.5.182:11150 | | tcp |
Files
memory/2216-0-0x0000000000830000-0x00000000008AA000-memory.dmp
\Users\Admin\AppData\Local\Temp\epnun.exe
| MD5 | 5233a3a5ac9ab833f6c39f002703b5da |
| SHA1 | 2757233b1af01edd99303e7df97752c368a12321 |
| SHA256 | 199775cc3320d98cdadd6f817df9c0166e55e29ec3a1b1ffd67abb7528e725f1 |
| SHA512 | 4c985bdd75b09ca660821e6a87d5bfb6cfde6a54be48e7ffeb4d82e1a21febd719232b800f62efc9803bd30c78188fe1d1790005010ffe14274a15d4a63973b0 |
memory/2216-6-0x0000000002490000-0x000000000250A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | 6d12b4699b3df740d86485f6c3b6b25f |
| SHA1 | 90e3e4003955350d1fc0b0c6affef3e7ea826bc7 |
| SHA256 | 544a41366f7ce75d214612e3437e198ca3f24f3363c9730f3aaf58a470ec68ed |
| SHA512 | e96ebb59f27364d6cf37e83dd328abc0b8b6a990a6717e8264889c55d82c31ecd5b3e9eafa26a53f70938603ea001391d95cef6e69ba4958398eae3c0675773e |
memory/2196-10-0x0000000000F10000-0x0000000000F8A000-memory.dmp
memory/2216-18-0x0000000000830000-0x00000000008AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 60a58a39db9471f7885d5e977715a6ae |
| SHA1 | 1f467441bd71818faf71eb640d8395d06449438e |
| SHA256 | 4d6b45a8e266664d641535dcc1f099e61a57ff45d6995b79a74acbadd8d87587 |
| SHA512 | 4b7036e71775ffae2312460289b0363bfb4cb75d2067fe8d5c034210505ef81c6c287face8170a4b3df11ca6b966daab03d53d5292e91f556c025b4bd35b34ef |
\Users\Admin\AppData\Local\Temp\gilyv.exe
| MD5 | bb29925cbdedd09a788ceea3a7e86f73 |
| SHA1 | 86d28254bef214f4706dca24072ac72df9d71123 |
| SHA256 | 093e63f82802d237c7f994912fad258dc54989130fe5124f3a0140cf658e2d97 |
| SHA512 | be6ff3d82c703f2dc7bf7de20ca4cd24dc956ed4843f0ba7074df5b0cf9fd6a05ad14836b9842cd18c621af45337d61237abe050b8d5f366dad21cbe0590162f |
memory/2196-25-0x00000000032E0000-0x0000000003374000-memory.dmp
memory/2196-27-0x0000000000F10000-0x0000000000F8A000-memory.dmp
memory/2724-30-0x0000000000FB0000-0x0000000001044000-memory.dmp
memory/2724-32-0x0000000000FB0000-0x0000000001044000-memory.dmp
memory/2724-31-0x0000000000FB0000-0x0000000001044000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\epnun.exe
| MD5 | 37d9aa2aba44d37586fb0364a64872ec |
| SHA1 | 4a4959f94f07dc586eacda48a42f5f9470a6567c |
| SHA256 | 4f17946b0d1f4e90be4f4a76bc455c53ccf94290ab7b1a60e725862cb27e1aec |
| SHA512 | 09396ba872ee717c5bf04f8ef51306fa0c817978fdf2a3740df9fbe27c19204cd97ad618942a802352a96311618d2612e61aa2bee4da44546f10964d5a791816 |
C:\Users\Admin\AppData\Local\Temp\epnun.exe
| MD5 | d7c572e8c6082d60017a2a8f0966a97a |
| SHA1 | 0b0261c71bf9971147f89eae504571f93ea5a14d |
| SHA256 | e9da3f52c668bb2ae8187fdf12f53917eb631fc494ffede98d0dcad3d504c2ca |
| SHA512 | 70ca285456d1bf22fb77a73f1489f26f36208ad241064034a12183a9e4890b3e0fe00e0446fa21fba843b3a2f5964ab08308b83b31f4adedafbf22356937b047 |
memory/2724-35-0x0000000000FB0000-0x0000000001044000-memory.dmp
memory/2724-36-0x0000000000FB0000-0x0000000001044000-memory.dmp
memory/2724-37-0x0000000000FB0000-0x0000000001044000-memory.dmp
memory/2724-38-0x0000000000FB0000-0x0000000001044000-memory.dmp
memory/2724-39-0x0000000000FB0000-0x0000000001044000-memory.dmp
memory/2724-40-0x0000000000FB0000-0x0000000001044000-memory.dmp
memory/2724-41-0x0000000000FB0000-0x0000000001044000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-05 02:40
Reported
2024-03-05 02:43
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
152s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gyceo.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gyceo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\niejg.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe
"C:\Users\Admin\AppData\Local\Temp\f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe"
C:\Users\Admin\AppData\Local\Temp\gyceo.exe
"C:\Users\Admin\AppData\Local\Temp\gyceo.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2524 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\niejg.exe
"C:\Users\Admin\AppData\Local\Temp\niejg.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| KR | 121.88.5.183:11150 | | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| KR | 121.88.5.182:11150 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
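Added example, not part of the sandbox report and not the sample's or the sandbox's own code: a small Python matcher that turns the behaviours both detonations list (dropped executables launched from the user's Temp directory, cmd.exe running a .bat from Temp, which is the launch the report attributes the "Deletes itself" signature to, the Geo\Nation registry query, and TCP connections to the three KR endpoints on ports 11150/11170) into checks over endpoint telemetry. The events are constructed to mirror the report; the PIDs come from the memory dump names in behavioral1, but the parent-child links, the cmd.exe PID, the explorer.exe parent and the event field names (image, parent_image, cmdline, key, dst) are assumptions. It treats the msedge.exe utility process and the bing.com traffic in behavioral2 as host background activity, which is my reading, not something the report states. One caveat on the registry check: a sandbox sees the Geo\Nation read through API hooking, but Sysmon records registry creates, value sets, renames and deletes, not reads, so on a production host that check needs a source that logs reads (for example object access auditing with a SACL on the key) rather than default Sysmon events.

```python
"""Match the behaviours in this report against constructed endpoint events.

Added example, not part of the sandbox report. Event schema and process
tree links are assumptions; IOCs are copied from the report's tables.
"""
import re
from collections import defaultdict

# Paths taken from the report's process lists.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe"
EPNUN = r"C:\Users\Admin\AppData\Local\Temp\epnun.exe"
GILYV = r"C:\Users\Admin\AppData\Local\Temp\gilyv.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
MSEDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Network IOCs copied from the report's Network tables (ip:port, TCP).
C2_ENDPOINTS = {"121.88.5.182:11150", "121.88.5.183:11150", "121.88.5.184:11170"}

TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# cmd.exe /c <something>\AppData\Local\Temp\<name>.bat, tolerant of the
# doubled quotes seen in the report's command line.
BAT_FROM_TEMP_RE = re.compile(r'/c\s.*\\appdata\\local\\temp\\[^"\s]+\.bat', re.IGNORECASE)
# Registry value behind the "Checks computer location settings" signature.
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.IGNORECASE)


def in_temp(path: str) -> bool:
    """True if the path sits under a user's AppData\\Local\\Temp directory."""
    return bool(TEMP_DIR_RE.search(path or ""))


def analyze(events):
    """Return {behaviour: [evidence, ...]} for the behaviours this report lists."""
    hits = defaultdict(list)
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            image, parent = ev["image"], ev.get("parent_image", "")
            # Dropped-and-executed: a Temp binary started by another Temp binary.
            if in_temp(image) and in_temp(parent):
                hits["executes_dropped_exe"].append(image)
            # Launch pattern behind the report's "Deletes itself" signature.
            if image.lower().endswith("\\cmd.exe") and BAT_FROM_TEMP_RE.search(ev.get("cmdline", "")):
                hits["cmd_runs_bat_from_temp"].append(ev["cmdline"])
        elif kind == "registry":
            if ev.get("op") == "query" and GEO_NATION_RE.search(ev["key"]):
                hits["geo_nation_query"].append(ev["image"])
        elif kind == "network":
            if ev.get("proto") == "tcp" and ev["dst"] in C2_ENDPOINTS:
                hits["c2_contact"].append((ev["image"], ev["dst"]))
    return dict(hits)


# Constructed events mirroring the report. PIDs 2216/2196/2724 come from the
# memory dump names; parent links, PID 2300 for cmd.exe and the explorer.exe
# parent are assumed. The last two events stand in for Edge background noise.
CONSTRUCTED_EVENTS = [
    {"type": "process", "pid": 2216, "ppid": 1000, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 2196, "ppid": 2216, "image": EPNUN,
     "parent_image": SAMPLE, "cmdline": f'"{EPNUN}"'},
    {"type": "process", "pid": 2300, "ppid": 2216, "image": CMD, "parent_image": SAMPLE,
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "'},
    {"type": "process", "pid": 2724, "ppid": 2196, "image": GILYV,
     "parent_image": EPNUN, "cmdline": f'"{GILYV}"'},
    {"type": "registry", "pid": 2216, "image": SAMPLE, "op": "query",
     "key": r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation"},
    {"type": "network", "pid": 2196, "image": EPNUN, "proto": "tcp", "dst": "121.88.5.183:11150"},
    {"type": "network", "pid": 2724, "image": GILYV, "proto": "tcp", "dst": "121.88.5.184:11170"},
    {"type": "process", "pid": 3100, "ppid": 900, "image": MSEDGE, "parent_image": MSEDGE,
     "cmdline": f'"{MSEDGE}" --type=utility'},
    {"type": "network", "pid": 3100, "image": MSEDGE, "proto": "tcp", "dst": "204.79.197.200:443"},
]


if __name__ == "__main__":
    for behaviour, evidence in analyze(CONSTRUCTED_EVENTS).items():
        print(behaviour)
        for item in evidence:
            print("   ", item)
```

The matcher flags epnun.exe and gilyv.exe as dropped-and-executed, the cmd.exe launch of _sannuy.bat, the Geo\Nation query by the sample, and the two C2 connections, while the sample's own start from explorer.exe and the msedge.exe connection to 204.79.197.200 produce nothing. To run it over real telemetry, map your EDR or Sysmon fields (Event 1 for process creation, Event 3 for network connections) onto the image/parent_image/cmdline/dst keys; the registry check, as noted above, needs a source that records reads.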
Files
memory/4576-0-0x0000000000820000-0x000000000089A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gyceo.exe
| MD5 | 27ba9768ca5e235e35297ad81f1e6af1 |
| SHA1 | 1c4706077acb015585a65139477a091da7a75d5f |
| SHA256 | ebc2a10eaddc69751e7c4341e075d50bf1f07c725f827c4687a26f5cc7d39614 |
| SHA512 | d061b460cbc7ed3c8ecb46bb37b06b47d062543f55a725031ce73182d78027e67faa5f47764a6063a1aa47c1834a63ee48961aaeb9f1af3b1532f3e47bd7cee5 |
memory/1728-11-0x0000000000800000-0x000000000087A000-memory.dmp
memory/4576-14-0x0000000000820000-0x000000000089A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | 6d12b4699b3df740d86485f6c3b6b25f |
| SHA1 | 90e3e4003955350d1fc0b0c6affef3e7ea826bc7 |
| SHA256 | 544a41366f7ce75d214612e3437e198ca3f24f3363c9730f3aaf58a470ec68ed |
| SHA512 | e96ebb59f27364d6cf37e83dd328abc0b8b6a990a6717e8264889c55d82c31ecd5b3e9eafa26a53f70938603ea001391d95cef6e69ba4958398eae3c0675773e |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8f8b85cbe860eab327d29250d66db0f9 |
| SHA1 | 51d4bc0d35a08a270ea29d7df6653e5ed94bcf4d |
| SHA256 | 1a474158c3709c82b8423b4ccf809ba5f02ad17e59f5a5a0ce8b83f56f22d57d |
| SHA512 | d74ad2be9eedaef933cb9a689e02906ef3421ddbb612c63572d0efad7e8f50215286beb57b1999ab944a7e2de98c6af8a5b86b359aa345ec6e1357f29b1cbb3b |
C:\Users\Admin\AppData\Local\Temp\niejg.exe
| MD5 | b09e0ff441da299ae3a793830c7ea478 |
| SHA1 | 15b8a411ed330f29abe9db340988234a6378beb4 |
| SHA256 | fdbf0fefafb12cbdacc2889c042d9e150bb2d5188665ae3030214737ef02e232 |
| SHA512 | 55ac479713a694645c954dd447c7aaeb94638d7ef26e5b84e59a87478212942aab16a7023444588045ad60d3a4609e8e6673f3464c07a040b56898adc5462d0c |
memory/2460-26-0x00000000006E0000-0x0000000000774000-memory.dmp
memory/2460-25-0x00000000006E0000-0x0000000000774000-memory.dmp
memory/2460-29-0x00000000006E0000-0x0000000000774000-memory.dmp
memory/2460-28-0x00000000006E0000-0x0000000000774000-memory.dmp
memory/1728-27-0x0000000000800000-0x000000000087A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\niejg.exe
| MD5 | 49f5f5fd217b842bfe887690ead40688 |
| SHA1 | cb8f00c7f33a6eb566c2cdd9a6b6e111538b7a6e |
| SHA256 | 776066b82b704b41313aef0b549ea6a5aff3f3b2d5711865bb99f74bf3db2f22 |
| SHA512 | 665e2ac7cb2eab330c30ce6248a8ee67efd5939e9b9fb00e6b4852efef92862483711bd32ac494083ad6bbfe146c329620f9b1a7428b4b7b8063de31e0be8a7b |
C:\Users\Admin\AppData\Local\Temp\niejg.exe
| MD5 | 34d005737a26bff1f48976870a1bd82b |
| SHA1 | c7832652ce5bb797c1676cb95eb9cd2d3530ec7c |
| SHA256 | d7f5bfd5b4f26ea23faa67835eb1894eee5bd01b2648ef22ed1fe79cb3a1a8c4 |
| SHA512 | 9c62fd6eb0a31880347693da75e863cfceb2c67d7302ffa8bc96cf9fce6f93f824b3ddd05ad9bfc47054056ef9ee8e000423bf2d42e4b9ec2f37d6c6d76d4554 |
memory/2460-31-0x00000000006E0000-0x0000000000774000-memory.dmp
memory/2460-32-0x00000000006E0000-0x0000000000774000-memory.dmp
memory/2460-33-0x00000000006E0000-0x0000000000774000-memory.dmp
memory/2460-34-0x00000000006E0000-0x0000000000774000-memory.dmp
memory/2460-35-0x00000000006E0000-0x0000000000774000-memory.dmp
memory/2460-36-0x00000000006E0000-0x0000000000774000-memory.dmp