Analysis Overview
SHA256
ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb
Threat Level: Known bad
The file ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
ASPack v2.12-2.42
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-05 02:21
Signatures
Urelas family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-05 02:21
Reported
2024-03-05 02:23
Platform
win7-20240221-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qigiu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unkul.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qigiu.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe
"C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe"
C:\Users\Admin\AppData\Local\Temp\qigiu.exe
"C:\Users\Admin\AppData\Local\Temp\qigiu.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\unkul.exe
"C:\Users\Admin\AppData\Local\Temp\unkul.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2036-0-0x0000000000400000-0x0000000000465000-memory.dmp
\Users\Admin\AppData\Local\Temp\qigiu.exe
| MD5 | e47a42f1dcab0a85d467e53f0307ba82 |
| SHA1 | f78548710301caeadc70da3c994e8028b3e5fb50 |
| SHA256 | b5ac6b7336547481d2e7067c403b8768550128c956adcb5a85ea0a2fdacd8698 |
| SHA512 | 589bfb529c5ff9e3f61abe80d855d11a9b5e89453c8cef5f3d08340d1cee66770138464c4382ef371f8551d7dcc4f15cdba95472eef332d9570f984bd8a70ccd |
memory/2036-11-0x0000000002BC0000-0x0000000002C25000-memory.dmp
memory/2992-21-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | f0d4c528db1a5a3deab717cc3f4844a9 |
| SHA1 | 3b46c4d928e3dce0afff3ea5ed8425af472b4995 |
| SHA256 | 7a51e5f482fbe5350a629f76b31bdf3114f38fdce4f049920467feec74a12389 |
| SHA512 | 68e238d9b7166e321cb722416b82121d9c0d3e3dbc8619b01f6a5b8edba52a058d33fe4cf649be4e22766259f7543806fd17049dc4753b7c08b2a2e07ef89b05 |
memory/2036-19-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 83b14cd481bad09a555912cfc128a031 |
| SHA1 | acd195b2fde79865810790f8979860c4c478ee1c |
| SHA256 | 42251923a6cffdde6d26dc66a4f3dc3f0d3de401fe74322927579dc67c42f28a |
| SHA512 | af2053842f2c8dcf3f9f6f4da2c80a1346b0d4dbc00fdcca68067fb6dc6e7e62beaffb9c34a1789ecb5007ff152007cc019d32c4a919dda7b61003d06b05f9fb |
\Users\Admin\AppData\Local\Temp\unkul.exe
| MD5 | d75ad696fd114a013a2caa8f75596329 |
| SHA1 | eda724c207f338f062b1ee7866974462c3168744 |
| SHA256 | bbaa393592596c1ecba268a7c0589797710495829e63b7c5f5c0d6a62a2e3337 |
| SHA512 | 9a6363a2d78989482ecdae0f63c3084b21c63d878ae6545af4226156c5953c74812af889d491865d68bb6a332f8921d2c8608abeb61f4e2ed46dc669fed0a32b |
memory/2992-30-0x0000000000400000-0x0000000000465000-memory.dmp
memory/832-31-0x0000000000240000-0x00000000002D4000-memory.dmp
memory/2992-32-0x00000000037C0000-0x0000000003854000-memory.dmp
memory/832-34-0x0000000000240000-0x00000000002D4000-memory.dmp
memory/832-35-0x0000000000240000-0x00000000002D4000-memory.dmp
memory/832-37-0x0000000000240000-0x00000000002D4000-memory.dmp
memory/832-38-0x0000000000240000-0x00000000002D4000-memory.dmp
memory/832-39-0x0000000000240000-0x00000000002D4000-memory.dmp
memory/832-40-0x0000000000240000-0x00000000002D4000-memory.dmp
memory/832-41-0x0000000000240000-0x00000000002D4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-05 02:21
Reported
2024-03-05 02:23
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ibhop.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibhop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cypuh.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe
"C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe"
C:\Users\Admin\AppData\Local\Temp\ibhop.exe
"C:\Users\Admin\AppData\Local\Temp\ibhop.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\cypuh.exe
"C:\Users\Admin\AppData\Local\Temp\cypuh.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
Files
memory/4016-0-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ibhop.exe
| MD5 | f4535a61af99f166e08f80cd9323aecd |
| SHA1 | bec15e9d468f804c6085b2d69fe9c9fbf7c0f8a1 |
| SHA256 | 244c4020b858272d8e141240306923518afe85aaa672342b14b5c32148635a3a |
| SHA512 | c0d8f2d935e1542ac7fa9aad76cf1587022dd23aadebee82c746c5f0b5e0dc1946957e56bb97fddeb9e9dcb8260e79fc615fbcc813f06778b5bb0fd6760becc6 |
memory/1688-12-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4016-14-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | f0d4c528db1a5a3deab717cc3f4844a9 |
| SHA1 | 3b46c4d928e3dce0afff3ea5ed8425af472b4995 |
| SHA256 | 7a51e5f482fbe5350a629f76b31bdf3114f38fdce4f049920467feec74a12389 |
| SHA512 | 68e238d9b7166e321cb722416b82121d9c0d3e3dbc8619b01f6a5b8edba52a058d33fe4cf649be4e22766259f7543806fd17049dc4753b7c08b2a2e07ef89b05 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 4a5a906094a1838e0448c5be6d4c376b |
| SHA1 | 228d9464f2bc418b66fc397cda340fe6316375f6 |
| SHA256 | cf5298f94621fd6c03864fd022eacfd50bf6e79ad3a4a152cc82b0d20e8c0ff9 |
| SHA512 | 497e0d838f474764efdf2f94a15f46d586d3d1274595f20f5dba944502cedb2bf739ff16953c2c674e39ce07d3431cdce1706f099f2379d69385fd713fc08bb5 |
C:\Users\Admin\AppData\Local\Temp\cypuh.exe
| MD5 | 4fa79894f90b494e3ad3b79ef9970b08 |
| SHA1 | ab37328cd01c5c6f725ea392ca4f3d6903359e6c |
| SHA256 | 3ab8c0b7acbc610ce09077ce4a571d33aca5416c6133f43b5640ffad3020d6e9 |
| SHA512 | b6e94e90e364cf9a4c53379990b0da2b173ed7af7c515784d2e934191ef6f94120721b7dc161a2a7a9943c90a59f394cdd251d287ff88e307e03a934a639d57e |
memory/1688-26-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4232-28-0x00000000003A0000-0x0000000000434000-memory.dmp
memory/4232-29-0x00000000003A0000-0x0000000000434000-memory.dmp
memory/4232-27-0x00000000003A0000-0x0000000000434000-memory.dmp
memory/4232-31-0x00000000003A0000-0x0000000000434000-memory.dmp
memory/4232-32-0x00000000003A0000-0x0000000000434000-memory.dmp
memory/4232-33-0x00000000003A0000-0x0000000000434000-memory.dmp
memory/4232-34-0x00000000003A0000-0x0000000000434000-memory.dmp
memory/4232-35-0x00000000003A0000-0x0000000000434000-memory.dmp
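The report gives four kinds of observables worth turning into a hunt: the Temp-dropped EXEs launched by the submitted sample, the `cmd /c "..._uinsey.bat"` self-delete step, the TCP connections to the KR/JP hosts on ports 11110/11170, and the `Control Panel\International\Geo\Nation` lookup from a Temp EXE. Two caveats matter when writing that hunt. The dropped file names are randomised per run (qigiu.exe/unkul.exe on win7, ibhop.exe/cypuh.exe on win10), so names are not usable indicators and the file hashes or the parent-child relationship should be matched instead; `_uinsey.bat` in contrast has the same SHA256 in both runs. And the 8.8.8.8 reverse lookups and bing.com TLS sessions in the win10 run are background traffic, not sample behaviour, so they are left out of the indicator set. The script below is an added example and is not the sandbox's own code; its event schema (`process`, `netconn`, `regquery` records with the fields it reads) is an assumed, simplified EDR export, and the sample events are constructed from the report's process trees, network tables and file hashes.

```python
"""Hunt for the behaviour in this Urelas report across EDR-style JSON events.

Added example for this report page, not the sandbox's own code. The event
schema ("process", "netconn" and "regquery" records with the fields read
below) is an assumed, simplified EDR export, and every sample event is
constructed from the report's process trees, network tables and file hashes.
"""
import json
import re

# TCP destinations contacted in both detonations (the bing.com and 8.8.8.8
# traffic in the win10 run is background noise and is deliberately not listed).
C2_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}

# SHA256 values from the Files sections. The dropped EXE names differ per run
# (qigiu/unkul vs ibhop/cypuh), so match on hash rather than file name; the
# self-delete script _uinsey.bat has the same hash in both runs.
KNOWN_SHA256 = {
    "ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb": "submitted sample",
    "b5ac6b7336547481d2e7067c403b8768550128c956adcb5a85ea0a2fdacd8698": "dropped EXE (win7 run)",
    "bbaa393592596c1ecba268a7c0589797710495829e63b7c5f5c0d6a62a2e3337": "dropped EXE (win7 run)",
    "244c4020b858272d8e141240306923518afe85aaa672342b14b5c32148635a3a": "dropped EXE (win10 run)",
    "3ab8c0b7acbc610ce09077ce4a571d33aca5416c6133f43b5640ffad3020d6e9": "dropped EXE (win10 run)",
    "7a51e5f482fbe5350a629f76b31bdf3114f38fdce4f049920467feec74a12389": "_uinsey.bat self-delete script",
}

TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
# Covers both 'cmd /c ""...\_uinsey.bat" "' (win7) and the
# 'C:\Windows\system32\cmd.exe /c ""..."' form seen on win10.
BAT_FROM_TEMP = re.compile(r'cmd(?:\.exe)?\s+/c\s+"+[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.bat"', re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def check_event(ev):
    """Return a list of (rule, detail) hits for one event; empty when clean."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "")
        parent = ev.get("parent_image", "")
        cmd = ev.get("cmdline", "")
        # A Temp EXE launching another Temp EXE is the "Executes dropped EXE" chain.
        if TEMP_EXE.search(image) and TEMP_EXE.search(parent):
            hits.append(("executes_dropped_exe", f"{parent} -> {image}"))
        # A Temp EXE spawning cmd /c on a Temp .bat is the self-delete step.
        if TEMP_EXE.search(parent) and BAT_FROM_TEMP.search(cmd):
            hits.append(("self_delete_via_bat", cmd))
        sha = ev.get("sha256", "").lower()
        if sha in KNOWN_SHA256:
            hits.append(("known_hash", f"{KNOWN_SHA256[sha]}: {image}"))
    elif kind == "netconn":
        dest = (ev.get("dst_ip"), int(ev.get("dst_port", 0)))
        if ev.get("proto") == "tcp" and dest in C2_ENDPOINTS:
            hits.append(("urelas_c2", f"{dest[0]}:{dest[1]} from {ev.get('image')}"))
    elif kind == "regquery":
        # Location check: Geo\Nation read by an executable running out of Temp.
        if GEO_NATION.search(ev.get("key", "")) and TEMP_EXE.search(ev.get("image", "")):
            hits.append(("geo_nation_check_from_temp", ev["image"]))
    return hits


def hunt(lines):
    """Parse JSON-per-line events; return {host: [(rule, detail), ...]} for hosts with hits."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for hit in check_event(ev):
            findings.setdefault(ev.get("host", "?"), []).append(hit)
    return findings


SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = SAMPLE_DIR + r"\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe"
# Constructed events modelled on the win7 (ws01) and win10 (ws02) trees, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": SAMPLE_DIR + r"\qigiu.exe", "parent_image": SAMPLE_EXE,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\qigiu.exe"',
     "sha256": "b5ac6b7336547481d2e7067c403b8768550128c956adcb5a85ea0a2fdacd8698"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE_EXE,
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"type": "netconn", "host": "ws01", "image": SAMPLE_DIR + r"\qigiu.exe",
     "dst_ip": "218.54.31.226", "dst_port": 11110, "proto": "tcp"},
    {"type": "regquery", "host": "ws02", "image": SAMPLE_DIR + r"\ibhop.exe",
     "key": r"HKU\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation"},
    {"type": "netconn", "host": "ws02", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},
    {"type": "process", "host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]
SAMPLE_LINES = [json.dumps(ev) for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_LINES).items():
        for rule, detail in hits:
            print(f"{host}\t{rule}\t{detail}")
```

Run against the constructed events, `hunt` flags ws01 on all four behavioural rules and ws02 on the Geo\Nation lookup, while the DNS and notepad events on ws02/ws03 produce nothing. The `executes_dropped_exe` and `self_delete_via_bat` rules are behavioural and survive the per-run renaming of the dropped files; the hash and endpoint rules are exact-match and should be refreshed as new samples of the family are analysed.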