Analysis Overview
SHA256
79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a
Threat Level: Known bad
The file 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-10 22:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 22:23
Reported
2024-03-10 22:26
Platform
win7-20240221-en
Max time kernel
155s
Max time network
130s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nygei.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quzip.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nygei.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe
"C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe"
C:\Users\Admin\AppData\Local\Temp\nygei.exe
"C:\Users\Admin\AppData\Local\Temp\nygei.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\quzip.exe
"C:\Users\Admin\AppData\Local\Temp\quzip.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2228-0-0x00000000001D0000-0x000000000029C000-memory.dmp
\Users\Admin\AppData\Local\Temp\nygei.exe
| Hash | Value |
|---|---|
| MD5 | 43d3e90a93c04d31fb52ee433b440fbf |
| SHA1 | 75f06bf883297c31f8e487246206d093b7497093 |
| SHA256 | cf2efedccaf37742f77209e3ffbd04f49cd14298246ee3c0cb660cfd711a96f1 |
| SHA512 | 9f64d26db25d6137ce7516d422ffc3db3ff8de30bcbef7c54874282afa3d929751d74cc0cef333ae01b6714755320d4d6386b856bd578d9b5a4a28e1fc8857b8 |
memory/2228-9-0x0000000002630000-0x00000000026FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Hash | Value |
|---|---|
| MD5 | b578d81e6d8a659877eec06c889f404d |
| SHA1 | 0aaa73802f52d360dab41648e193e1ae018800e6 |
| SHA256 | ceee0e409d840995b1dad0b8672930433b60c91755ae2eccc384a718e3d67acb |
| SHA512 | 24d03f93441094c6e0aa72135af914b1c7492009670679c71e0d38659fbcf048ad5a995ce0c1987d333627268cba43415cd526e8d3d3b459693949b9bf12c329 |
memory/2228-17-0x00000000001D0000-0x000000000029C000-memory.dmp
memory/2288-18-0x0000000000A60000-0x0000000000B2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | d8820b97004f80843d137983ddd1a598 |
| SHA1 | 34caaa0f9f21b6362aab17aa95c64f06a7e9870c |
| SHA256 | d601b0ec48a7585ab76c89cabb6512817048af8795c02d7c4c52da9f6b104309 |
| SHA512 | 4492f56c2fdce91b53670307193966c003167eeaf71ac56cf019c4626d43779c23405cccf9041f1dc91173695a78c15a7834d0f0082ea4302e6017c56ac65f52 |
memory/2288-21-0x0000000000A60000-0x0000000000B2C000-memory.dmp
\Users\Admin\AppData\Local\Temp\quzip.exe
| Hash | Value |
|---|---|
| MD5 | 06324984245bdd928b5b45c50aaa235e |
| SHA1 | a0fc9c9e65624c4e6deadd773edfef5b21cb1234 |
| SHA256 | e9c7214c2cc7e5d7ca95fa670c9ddadc4043ee7f72e69b135d66bd8d838cf7f1 |
| SHA512 | 4af47427e80d3a12692f74c314df585df260495ffca619402f2eb63b1fc83f7a296de041835a9a84e7e1a870882ffc003d1a198993d653719e58fe811ea2987f |
memory/2288-34-0x0000000003030000-0x00000000030C0000-memory.dmp
memory/2288-36-0x0000000000A60000-0x0000000000B2C000-memory.dmp
memory/1968-38-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1968-39-0x0000000000230000-0x0000000000232000-memory.dmp
memory/1968-41-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1968-42-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1968-43-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1968-44-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1968-45-0x0000000000400000-0x0000000000490000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-10 22:23
Reported
2024-03-10 22:26
Platform
win10v2004-20240226-en
Max time kernel
165s
Max time network
171s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ezgux.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezgux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ruwoe.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe
"C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe"
C:\Users\Admin\AppData\Local\Temp\ezgux.exe
"C:\Users\Admin\AppData\Local\Temp\ezgux.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ruwoe.exe
"C:\Users\Admin\AppData\Local\Temp\ruwoe.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp |
Files
memory/1164-0-0x0000000000090000-0x000000000015C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ezgux.exe
| Hash | Value |
|---|---|
| MD5 | eccc7864bf3ca12987dd3723925b2017 |
| SHA1 | 8877b0d99a4652c746b0568d7a41acb297d04f16 |
| SHA256 | e9b4dbe232e520b3a5848e051c1841bd6a182a3baac81943f0a0555783a2d8ea |
| SHA512 | a5beaef1c0ebbddb43d50862dbfc9c91cf06b9784c6b9cfa62df1970d02b38fb345db7c82fc7582554f6ad237731ea5b525492b416c3f0c0fe72e8d39f9c4aa6 |
memory/1164-14-0x0000000000090000-0x000000000015C000-memory.dmp
memory/2156-13-0x0000000000200000-0x00000000002CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Hash | Value |
|---|---|
| MD5 | b578d81e6d8a659877eec06c889f404d |
| SHA1 | 0aaa73802f52d360dab41648e193e1ae018800e6 |
| SHA256 | ceee0e409d840995b1dad0b8672930433b60c91755ae2eccc384a718e3d67acb |
| SHA512 | 24d03f93441094c6e0aa72135af914b1c7492009670679c71e0d38659fbcf048ad5a995ce0c1987d333627268cba43415cd526e8d3d3b459693949b9bf12c329 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 35543edf7f2cdc358b57b97d1e84c109 |
| SHA1 | 3566c31d2958540fb8bffdc2b636413617c2effa |
| SHA256 | 485fbfa83e26780f64a270aadf8b677f09f9d3f03198a30a31dc23851faaf74e |
| SHA512 | 018c7df44fabc30e3da6cd0e1fce6c02bf945705fe5b21f92c4cf2e81243196af96eaa577072383b48b2db500117a80dec82e1b440432a300c13566febe82eb7 |
memory/2156-17-0x0000000000200000-0x00000000002CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ruwoe.exe
| Hash | Value |
|---|---|
| MD5 | 1fd1ef41e89a0138d87ffaafc676f785 |
| SHA1 | 75856eb0a7adde21667133d74357ef6a6f20fc5f |
| SHA256 | 04e35c01977d3aab40b720ed96c5472f8546e8f2c7c01d90954854a92a25b102 |
| SHA512 | b1a63f9a14782d225a68a8358ec3eda824751c3cadfdea15575e8f130514ae2dcdbad429278fd1609e7cc6b003cf8da4b5817b50a6ab3bc1adf2b4b9c9607e92 |
memory/4556-35-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2156-33-0x0000000000200000-0x00000000002CC000-memory.dmp
memory/4556-36-0x0000000000570000-0x0000000000572000-memory.dmp
memory/4556-38-0x0000000000400000-0x0000000000490000-memory.dmp
memory/4556-39-0x0000000000400000-0x0000000000490000-memory.dmp
memory/4556-40-0x0000000000400000-0x0000000000490000-memory.dmp
memory/4556-41-0x0000000000400000-0x0000000000490000-memory.dmp
memory/4556-42-0x0000000000400000-0x0000000000490000-memory.dmp