Analysis Overview
SHA256
983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de
Threat Level: Known bad
The file 983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Loads dropped DLL
Deletes itself
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-10 23:11
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 23:11
Reported
2024-03-10 23:14
Platform
win7-20240221-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyese.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\daqyhu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\itjil.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyese.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\daqyhu.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe
"C:\Users\Admin\AppData\Local\Temp\983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe"
C:\Users\Admin\AppData\Local\Temp\nyese.exe
"C:\Users\Admin\AppData\Local\Temp\nyese.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\daqyhu.exe
"C:\Users\Admin\AppData\Local\Temp\daqyhu.exe" OK
C:\Users\Admin\AppData\Local\Temp\itjil.exe
"C:\Users\Admin\AppData\Local\Temp\itjil.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2240-0-0x0000000000400000-0x000000000046E000-memory.dmp
\Users\Admin\AppData\Local\Temp\nyese.exe
| MD5 | 447ff945d5bb27deda72ee0a5f87c710 |
| SHA1 | 581227c3b71a0cf160a51aba9deecd762b74a737 |
| SHA256 | 0ed3dfc7ba1a61dae27512ab4887cf40cff45b07c152ffadf92cfb1f1b93d48e |
| SHA512 | 9d3d2e7f8be6356a524da56a2b8d9db022df56f4cfd75bc11443a2086e985cc162757b27637ed3ac2fcff262b21df8191b448d38a807a817be077946912cbc47 |
memory/2240-16-0x0000000002830000-0x000000000289E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 5daa47aaa9e4aa03e4df4bc7da3889dc |
| SHA1 | eb5f15e7e4c3d65d15060d7e2f49ca8dfd1db34e |
| SHA256 | 10548c39cb9c5647a3d737d12104a09c0b9c669aa02ade016c7e650d52bdec10 |
| SHA512 | 14224f828891d7baf6bf91bf6cdae3e2ccfbcd454c6ea59fe830d6dfa2e03d4474cd957e958585f23743279dae542de2dfff883e7d20e23cd1c9be3f235b70cf |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 43f42de9af0c02a250a217edf5fee2c2 |
| SHA1 | ea8a2611d1f2ccd4e81b23092ce671613fec179e |
| SHA256 | dfd2099c5cf4d56f417d186bb6924c7d17c17d73b99c74b173f146b69e72380f |
| SHA512 | f6cb49cad1245a92496d01caae804c01e32227f1f4c902abe053c466214ff9e67191848a2708ed16814fa91615d3c840ec7aadf2ca3bd7125ac534e820ffc29b |
memory/1064-18-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2240-19-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\daqyhu.exe
| MD5 | 1560522260d9173969f0904ab3901513 |
| SHA1 | 3526984c2dc8606bc985b9be8b9e9a8dac5fe6fd |
| SHA256 | 388d964b8a13d0a803aa16545b405cf492b32253c2731b43d1bbe8628a6e876f |
| SHA512 | 86765dc1707e05240b2971cb194fbe78524ac335de438098e4cb42557505ffcdaf3163c4cde473d215962c3624efd1636c30bd0b43dcb67399210577371b9dea |
memory/1064-28-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1064-27-0x0000000002030000-0x000000000209E000-memory.dmp
memory/2676-30-0x0000000000400000-0x000000000046E000-memory.dmp
\Users\Admin\AppData\Local\Temp\itjil.exe
| MD5 | 40922bf2c7508623f5b64147191bf8ff |
| SHA1 | ad944542967434ba74b918b0fc0f640ebecb9c4c |
| SHA256 | 873dfe2bb6aacf14a62b0518e1ebe6f8100361a64037fcd5dc905c0c7b5d6ca2 |
| SHA512 | d377d55942a6b94095b8074508be14cd24c05ecd5e3764502a75852e6faa4ea0edb9262621c6db860fd477d7bb33283fc85acc1854f37c10eb652f255d61cc21 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | f60f7740cefc537f50fa1e2615ff83c3 |
| SHA1 | c445d737ce4842defa1a379b729e6d257f9eefee |
| SHA256 | 8ef33ac7a6718fd5c3cc58f4677b61d7cf43c8e46a8bd86985a1f12b4c07dd3b |
| SHA512 | bb24c62c4b7e6eb665bf1b1093b75722c7a53dc181f58114681ce41e41f1607bc709590e3ac1ef86d9b64d692fb8425836ad60e990bd42769e284e287e93bedb |
memory/1620-47-0x0000000001390000-0x0000000001430000-memory.dmp
memory/1620-48-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2676-45-0x0000000003180000-0x0000000003220000-memory.dmp
memory/2676-44-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1620-52-0x0000000001390000-0x0000000001430000-memory.dmp
memory/1620-53-0x0000000001390000-0x0000000001430000-memory.dmp
memory/1620-54-0x0000000001390000-0x0000000001430000-memory.dmp
memory/1620-55-0x0000000001390000-0x0000000001430000-memory.dmp
memory/1620-56-0x0000000001390000-0x0000000001430000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-10 23:11
Reported
2024-03-10 23:14
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qybyq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nupecu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qybyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nupecu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rexiy.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe
"C:\Users\Admin\AppData\Local\Temp\983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe"
C:\Users\Admin\AppData\Local\Temp\qybyq.exe
"C:\Users\Admin\AppData\Local\Temp\qybyq.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\nupecu.exe
"C:\Users\Admin\AppData\Local\Temp\nupecu.exe" OK
C:\Users\Admin\AppData\Local\Temp\rexiy.exe
"C:\Users\Admin\AppData\Local\Temp\rexiy.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 13.107.21.200:443 | tse1.mm.bing.net | tcp |
| US | 13.107.21.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp |
Files
memory/2840-0-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qybyq.exe
| MD5 | 3e7f54828b694386051064d776859eeb |
| SHA1 | 56652d869e572d1aa847956924039fceaab5a179 |
| SHA256 | dd34a5a33d0289f455fe53c7c1e1a708797be0ed94d2b47c9d56b15d8f5145a3 |
| SHA512 | 7a3833686bc5cacdcf9277e0d494877193bdc54c961ecad184a9bd3bad2f822e29031f883a9d1d5b266d1eead9b8451885d7b77fdfbd8f513e92f3e7aaea5cc2 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | d14fd8ebf7c23324ef18c9e2d56f8269 |
| SHA1 | e01785109625c81d7abe284b826a173d1116cee5 |
| SHA256 | da9ebcb9066d9180b1fce6cf8680a346c253e3c7b24dd5a347959da62778319d |
| SHA512 | 21583e2900f5a76959c6ba30e073328d4cfcffd267cbc713a74bb02636aeb9692837649395e66b5a76d313794c95d2eddac061fa5a894cd1283a2dc331ba3fa4 |
memory/2840-15-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 5daa47aaa9e4aa03e4df4bc7da3889dc |
| SHA1 | eb5f15e7e4c3d65d15060d7e2f49ca8dfd1db34e |
| SHA256 | 10548c39cb9c5647a3d737d12104a09c0b9c669aa02ade016c7e650d52bdec10 |
| SHA512 | 14224f828891d7baf6bf91bf6cdae3e2ccfbcd454c6ea59fe830d6dfa2e03d4474cd957e958585f23743279dae542de2dfff883e7d20e23cd1c9be3f235b70cf |
C:\Users\Admin\AppData\Local\Temp\nupecu.exe
| MD5 | 7caa611e6fc705d04050aed8499a8f96 |
| SHA1 | 878c8c85b835f2b6c9c393e9ad6975f3a7fc8946 |
| SHA256 | 784f0f279d4dd118e08b2cb6900400c2ac5742a68df7c688cff2643ee4225b9a |
| SHA512 | b2c879261580b8366e2bd371a131fc9b7d13066cbafef7e72bd4a2793263b3f8c8ce0e61204feff1bb3d5e2085b80492bcdb5304df98bd6f6dec4c4e5d23182a |
memory/4328-24-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rexiy.exe
| MD5 | cfb49e4a797b7be70cb6d9f0fd40d369 |
| SHA1 | 4d8a6ace75d7d6149df42546fba989f947915752 |
| SHA256 | 13756f031fe61ed3fa3a4536279f4890db045e25db21eec2406574c2bee81b8c |
| SHA512 | c77e30ed46ed0e4dd32351590d2418feb8f9aa40f0bab37a86f09c954336d8a30d4991e9f6e48f6861c776ba72640638b4d31aeb5b8269717a6cbac68088d915 |
memory/560-34-0x0000000000F10000-0x0000000000FB0000-memory.dmp
memory/560-35-0x0000000000B50000-0x0000000000B51000-memory.dmp
memory/4632-39-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | e6ebdf5980fb7a3176360e98c8066f3e |
| SHA1 | c7b37f5c31ed68331fd90ad1c5165968f0b5f754 |
| SHA256 | 7b7153c0e0dc361c113fb68590faf5a11096b24106db591c248c4ee04a85c836 |
| SHA512 | c752b70d5a1bec3ad33b93bc9efdd6461db2e524d64cfd436d76d19545fc0ba43fb59b3ded40a0f897b7e3f3b86687d9dece6975307a0070dd1a8dc125990952 |
memory/560-41-0x0000000000F10000-0x0000000000FB0000-memory.dmp
memory/560-42-0x0000000000F10000-0x0000000000FB0000-memory.dmp
memory/560-43-0x0000000000F10000-0x0000000000FB0000-memory.dmp
memory/560-44-0x0000000000F10000-0x0000000000FB0000-memory.dmp
memory/560-45-0x0000000000F10000-0x0000000000FB0000-memory.dmp