Analysis Overview
SHA256
7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8
Threat Level: Known bad
The file 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Deletes itself
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-10 22:20
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 22:20
Reported
2024-03-10 22:23
Platform
win7-20240221-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duodt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duodt.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe
"C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe"
C:\Users\Admin\AppData\Local\Temp\duodt.exe
"C:\Users\Admin\AppData\Local\Temp\duodt.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\zuzem.exe
"C:\Users\Admin\AppData\Local\Temp\zuzem.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2196-0-0x00000000003E0000-0x000000000044C000-memory.dmp
\Users\Admin\AppData\Local\Temp\duodt.exe
| MD5 | 72c768068f99bdf8e842fef6a69d6177 |
| SHA1 | 86a5236161a29739a22f0a9e1235704d012b7d6f |
| SHA256 | 90955741a3d20bbf2855f56854bbf9214657822e9ee3ca814cdeede05c6cf0a6 |
| SHA512 | 3589973f70eb65a4b07b54a0dfdb2f190c8e19a7f16606fb3d068b6cca8879f1632229dc09704ca4ee1843f2a8c9dfa259b1a5cfac290d3ae51d6dcfca843295 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | ac3bd8d778a3d9b13118e5436129ec4e |
| SHA1 | f3f56fc870cfc346232a18e9002bb39195a8d205 |
| SHA256 | 86e389c79054b75bd858cd6af1d29986b4f1c16ddad6115530e661c25ba75ec2 |
| SHA512 | 145e3d20fd17e56f7e079339df760d76b163c2da5978c5b6967536cd998fa4fde5e53149462c4802125b7d0001532dc8f510ee552c4896d89f301a8f1a15567b |
memory/2508-11-0x0000000000E20000-0x0000000000E8C000-memory.dmp
memory/2196-9-0x0000000001FA0000-0x000000000200C000-memory.dmp
memory/2196-18-0x00000000003E0000-0x000000000044C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 035ca531a4e0a839c67e7900a6af7b8e |
| SHA1 | d6c6348ca3156fcc6cabeec771199eec95d988a7 |
| SHA256 | e48ce32dc15ef2ca696e8db23db7b0179476d58ed109131bc01ea3d8f72cb54b |
| SHA512 | 5d762e537583d29e926f07006fcc446364e4fe742fc3891c63e8fa9c7351ecd8d88412e1e510f642bff12db1f3e31f68d245abd0c1bf0049b6e5643ed478f2e7 |
\Users\Admin\AppData\Local\Temp\zuzem.exe
| MD5 | a2cbb3b7d44451e2e34255e983330839 |
| SHA1 | 6c2954a0671a8b12e5afa8d55cd16952ea0635d2 |
| SHA256 | c5205c71cc8177c14caa47ee659c0133d09ce746bc9b7db06766cf90a3bfe690 |
| SHA512 | 9f999f83e0248657c1d775b79942c36593a65536e453cb6bac036b093f21855d14c063add41933be369f671eca8bf7e1ad173098c1fb8fba5a10068d0c583341 |
memory/2508-28-0x0000000000C20000-0x0000000000CBE000-memory.dmp
memory/1668-29-0x0000000000B00000-0x0000000000B9E000-memory.dmp
memory/2508-27-0x0000000000E20000-0x0000000000E8C000-memory.dmp
memory/1668-30-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1668-32-0x0000000000B00000-0x0000000000B9E000-memory.dmp
memory/1668-33-0x0000000000B00000-0x0000000000B9E000-memory.dmp
memory/1668-34-0x0000000000B00000-0x0000000000B9E000-memory.dmp
memory/1668-35-0x0000000000B00000-0x0000000000B9E000-memory.dmp
memory/1668-36-0x0000000000B00000-0x0000000000B9E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-10 22:20
Reported
2024-03-10 22:23
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\migyk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\migyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe
"C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe"
C:\Users\Admin\AppData\Local\Temp\migyk.exe
"C:\Users\Admin\AppData\Local\Temp\migyk.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\uzpou.exe
"C:\Users\Admin\AppData\Local\Temp\uzpou.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
memory/4200-0-0x00000000003B0000-0x000000000041C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\migyk.exe
| MD5 | c5c46065eec6bd7cad585a2c4022b7e7 |
| SHA1 | 3b994d212946c400aa03744ae1fef58e3d121a40 |
| SHA256 | bb2ee2febe6cbd3c037e01bfab4b191f61653d42d45dcb5ca57a281cd9bc7b47 |
| SHA512 | 3a6485d87b5c1985d390789951854e4fc7de4813aed0f1eda393219e86b5a926edc2b6a10184ec2df1f5f640cded49aa1d8ac762a04da8b2ef0765e4ccf4a191 |
memory/4920-12-0x00000000004D0000-0x000000000053C000-memory.dmp
memory/4200-14-0x00000000003B0000-0x000000000041C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | ac3bd8d778a3d9b13118e5436129ec4e |
| SHA1 | f3f56fc870cfc346232a18e9002bb39195a8d205 |
| SHA256 | 86e389c79054b75bd858cd6af1d29986b4f1c16ddad6115530e661c25ba75ec2 |
| SHA512 | 145e3d20fd17e56f7e079339df760d76b163c2da5978c5b6967536cd998fa4fde5e53149462c4802125b7d0001532dc8f510ee552c4896d89f301a8f1a15567b |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9acf2ce558deb780030ee92771bd4524 |
| SHA1 | b2072cc6d80944fe84318ab6158f46b8dc9cfdfc |
| SHA256 | e5fff7cd0376001ddfc83d5591af57e9ed93f044a146c2265d3bbf46d2156005 |
| SHA512 | 327e0c61d2d5aef2c2f35adecffdb575c7a87f7f695a3d017ad09d1600e93500874a9fac67e376e56f848514624075e992aeb4b572bcc962730e30adafbf7f19 |
C:\Users\Admin\AppData\Local\Temp\uzpou.exe
| MD5 | 849ea3fd5a01bae37e2350b8187fe89a |
| SHA1 | efb90a15b393b770acf2428a71d4a77e51b81934 |
| SHA256 | 07cbb54aab2d9af99d9da07b8073ce513eb4165219736ba07b2c0b36233de309 |
| SHA512 | a226721d345eafe0d0446a8753c7e1958662ae67e749fd3306d84958f40d8720843e0869c5715ec722909d7708d80a73ff9906c5c0d375095c8a3b59ce71dfbc |
memory/4920-25-0x00000000004D0000-0x000000000053C000-memory.dmp
memory/2392-27-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
memory/2392-26-0x00000000006B0000-0x000000000074E000-memory.dmp
memory/2392-29-0x00000000006B0000-0x000000000074E000-memory.dmp
memory/2392-30-0x00000000006B0000-0x000000000074E000-memory.dmp
memory/2392-31-0x00000000006B0000-0x000000000074E000-memory.dmp
memory/2392-32-0x00000000006B0000-0x000000000074E000-memory.dmp
memory/2392-33-0x00000000006B0000-0x000000000074E000-memory.dmp
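The signatures and network tables of behavioral1 and behavioral2 above contain enough to turn this report into host-side hunting logic. The Python below is an added example, not part of the sandbox output: it encodes the four TCP destinations from the Network tables verbatim, the cmd /c "<user Temp>\*.bat" launcher behind the "Deletes itself" signature, the Control Panel\International\Geo\Nation query behind "Checks computer location settings", and execution out of the user's Temp folder as rules, then runs them over a constructed event list. The event schema, field names and pids are this example's own (not a real Sysmon or EDR format), and which process made each network connection is assumed, since the report does not attribute the connections to a process.

```python
"""Hunting rules derived from the indicators in this Urelas report (added example)."""
import re
from collections import defaultdict

# TCP destinations copied from the behavioral1 / behavioral2 Network tables.
C2_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}
C2_PORTS = {port for _, port in C2_ENDPOINTS}

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# cmd /c "<user Temp>\<name>.bat": the launcher seen as _uinsey.bat in both runs.
CMD_TEMP_BAT = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"*[a-z]:\\users\\[^"]+\\appdata\\local\\temp\\[^"]+\.bat', re.I)
GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)


def evaluate(events):
    """Map each pid to the list of rule names it triggered.

    Events are dicts with "type" in {"process", "network", "registry"}.
    The schema is invented for this example, not a real log format.
    """
    image_of = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    hits = defaultdict(list)
    for ev in events:
        pid = ev["pid"]
        from_temp = bool(USER_TEMP.match(image_of.get(pid, "")))
        if ev["type"] == "process":
            if from_temp:
                hits[pid].append("exe_run_from_user_temp")
            if CMD_TEMP_BAT.search(ev.get("cmdline", "")):
                hits[pid].append("cmd_runs_temp_bat")
        elif ev["type"] == "network" and ev.get("proto") == "tcp":
            if (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
                hits[pid].append("known_c2_endpoint")
            elif ev["dst_port"] in C2_PORTS and from_temp:
                hits[pid].append("c2_port_from_temp_exe")
        elif ev["type"] == "registry" and from_temp and GEO_NATION.search(ev["key"]):
            hits[pid].append("geo_nation_query_from_temp_exe")
    return dict(hits)


def urelas_like(events):
    """True when the host shows the chain in this report: an executable running
    out of the user's Temp folder plus at least one stronger signal."""
    rules = {r for names in evaluate(events).values() for r in names}
    strong = {"known_c2_endpoint", "c2_port_from_temp_exe",
              "cmd_runs_temp_bat", "geo_nation_query_from_temp_exe"}
    return "exe_run_from_user_temp" in rules and bool(rules & strong)


# Constructed events mirroring the behavioral1 process list; pids are made up,
# and the network attribution to duodt.exe is an assumption.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "cmdline": "",
     "image": r"C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe"},
    {"type": "process", "pid": 101, "image": r"C:\Users\Admin\AppData\Local\Temp\duodt.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\duodt.exe"'},
    {"type": "process", "pid": 102, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"type": "registry", "pid": 100,
     "key": r"HKU\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation"},
    {"type": "network", "pid": 101, "proto": "tcp", "dst_ip": "218.54.31.226", "dst_port": 11110},
    {"type": "network", "pid": 101, "proto": "tcp", "dst_ip": "204.79.197.200", "dst_port": 443},
    {"type": "process", "pid": 200, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, names in evaluate(SAMPLE_EVENTS).items():
        print(pid, names)
    print("urelas_like:", urelas_like(SAMPLE_EVENTS))
```

A known_c2_endpoint hit is worth acting on by itself; execution from Temp and the Geo\Nation query are noisy alone, which is why urelas_like only fires when the Temp-execution signal is paired with a stronger one. The 204.79.197.200:443 connection is kept in the sample because the same Bing traffic appears in the behavioral2 table and must not score.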