Analysis Overview
SHA256
6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11
Threat Level: Known bad
The file 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-10 22:01
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-10 22:01
Reported
2024-03-10 22:03
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\leach.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\leach.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\foalh.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe
"C:\Users\Admin\AppData\Local\Temp\6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe"
C:\Users\Admin\AppData\Local\Temp\leach.exe
"C:\Users\Admin\AppData\Local\Temp\leach.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\foalh.exe
"C:\Users\Admin\AppData\Local\Temp\foalh.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | N/A | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | N/A | tcp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.134.221.88.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | N/A | tcp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | N/A | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\leach.exe
| MD5 | b3ae69d330bae5313d546469e6e00380 |
| SHA1 | 18374fb112ff8d222638df7743dd4943a4e428c8 |
| SHA256 | 0ce9e81ae1fec1108765ae5ff460e6b74b5e78d60046a1dc3e9696f54af91ac1 |
| SHA512 | b232db36770b037d0f2631b233d3b3ed10eab94c82c90da82d44e5d9d59a57ad99d11374483e175887f30d7482a0e26fd3a5ce37b4a178e5eed82a93efad0cb9 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | c36cc7a66bee5343f965f727b38c9c21 |
| SHA1 | f2dcc3f6eeabb7fa708a0b1c20e445f281aa6205 |
| SHA256 | 0cc44b6266b52cb1d945f0d24d6ad2b77654381859a9791c7bc2c449295da5c8 |
| SHA512 | 5c3cfa31e36a8e83314d5d6f9c009cbb1ecc54bafa78eb1e196558502a36476db16fe69c742473c4fcf8d4fa2a0edc7d723929cbb9e742f31cc50717f219b780 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e992a3b7bcd068cb98086705d38b76d4 |
| SHA1 | e4cf5c21094b65125b944ce4975ed8000922e744 |
| SHA256 | 35501f1d801a21aecfb4f7e7590a232b8f82bd23ec6e82ee1fe4bf9d72078818 |
| SHA512 | b2a020339c3d34d57b9874063cabddf2a6a5e30afb4171fa45a9d4886e6804822b4bd022878c3552cc9ee9ebc5b9207956c14c7bfd0bb3f08ec1ee59a0181cdc |
C:\Users\Admin\AppData\Local\Temp\foalh.exe
| MD5 | e0ea2b439d3c2ff0a785510c81293409 |
| SHA1 | 1c27892ea0090c61a6ad83e5a7dc10f9c814af86 |
| SHA256 | edc1742b64bd4f141e76bc49b032d7da36b60be4c400d7045d3889a20b5643c4 |
| SHA512 | 91822d55c7bec913f8c62fa09b6cbb7b91761d8cd146bd0b57bbe5d5fd2601ee36dd0de7ec90275eca941b8cb0cf37719dd0d4c854200e99556471172cf7d144 |
memory/3976-22-0x0000000000400000-0x000000000049C000-memory.dmp
memory/3976-23-0x0000000000600000-0x0000000000602000-memory.dmp
memory/3976-25-0x0000000000400000-0x000000000049C000-memory.dmp
memory/3976-26-0x0000000000400000-0x000000000049C000-memory.dmp
memory/3976-27-0x0000000000400000-0x000000000049C000-memory.dmp
memory/3976-28-0x0000000000400000-0x000000000049C000-memory.dmp
memory/3976-29-0x0000000000400000-0x000000000049C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 22:01
Reported
2024-03-10 22:03
Platform
win7-20240221-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afvit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gokue.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afvit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afvit.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe
"C:\Users\Admin\AppData\Local\Temp\6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe"
C:\Users\Admin\AppData\Local\Temp\afvit.exe
"C:\Users\Admin\AppData\Local\Temp\afvit.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\gokue.exe
"C:\Users\Admin\AppData\Local\Temp\gokue.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | N/A | tcp |
| KR | 1.234.83.146:11170 | N/A | tcp |
| KR | 218.54.31.165:11110 | N/A | tcp |
| JP | 133.242.129.155:11110 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\afvit.exe
| MD5 | c51cc273264e0c1d5d1891a89afb64fe |
| SHA1 | 7a26168f44ce5ad566906ad899c3ffb3d036baa8 |
| SHA256 | b6351cbeb2658c2a29f594e2a651b8b26792c0d5c08f82cb7b08d5416aa00ce9 |
| SHA512 | bf9a158bd8a0044b528627a4a025894b462458a55f3f627c8e7ce9dd9c105c6910f00c907bf6a4072bbaf0c17a515c797d344ac4407ad3ee81123e404d1a8d13 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | c36cc7a66bee5343f965f727b38c9c21 |
| SHA1 | f2dcc3f6eeabb7fa708a0b1c20e445f281aa6205 |
| SHA256 | 0cc44b6266b52cb1d945f0d24d6ad2b77654381859a9791c7bc2c449295da5c8 |
| SHA512 | 5c3cfa31e36a8e83314d5d6f9c009cbb1ecc54bafa78eb1e196558502a36476db16fe69c742473c4fcf8d4fa2a0edc7d723929cbb9e742f31cc50717f219b780 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ba4b53657b875ec1664fd1236e9f9f4a |
| SHA1 | 474d9285d0a0147c9152de2ee357c882ffb6299f |
| SHA256 | 88f3c52573d2e6fb1e3b49fed430e926b067fc1fb5e384d2874c6f13dce0df82 |
| SHA512 | 78cdb4a10261e229c0efb5675e2b67838658047a618c30c79df73d4f6ebe49250c81c01ccce38e20b9b3e89ca3a5b4b8eb08f326fa069ba20536a18438d1412b |
\Users\Admin\AppData\Local\Temp\gokue.exe
| MD5 | e70be8762384cd0ad00d70d0f9d5e2aa |
| SHA1 | 11aa4b5f339c7a131b8c780b1567fd6c9dd33854 |
| SHA256 | f13c9f96627ff12b3ae4d569d28f3999c2c88550dc4616af1ec3d3e51108ac55 |
| SHA512 | 5fba4bf592595c9c8e8fe25be461613c38433d1ee89a7d4222a530bf3a6437a524941e478d361ed747b5915e968834e5b18666806a3eb38b5f8088ca825086e2 |
memory/1212-21-0x0000000003100000-0x000000000319C000-memory.dmp
memory/2568-27-0x0000000000230000-0x0000000000232000-memory.dmp
memory/2568-29-0x0000000000400000-0x000000000049C000-memory.dmp
memory/2568-30-0x0000000000400000-0x000000000049C000-memory.dmp
memory/2568-31-0x0000000000230000-0x0000000000232000-memory.dmp
memory/2568-32-0x0000000000400000-0x000000000049C000-memory.dmp
memory/2568-33-0x0000000000400000-0x000000000049C000-memory.dmp
memory/2568-34-0x0000000000400000-0x000000000049C000-memory.dmp