Analysis Overview
SHA256
efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f
Threat Level: Known bad
The file efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-11 01:50
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 01:50
Reported
2024-03-11 01:53
Platform
win7-20240221-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kogym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tohila.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\woabo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kogym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kogym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tohila.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe
"C:\Users\Admin\AppData\Local\Temp\efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe"
C:\Users\Admin\AppData\Local\Temp\kogym.exe
"C:\Users\Admin\AppData\Local\Temp\kogym.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\tohila.exe
"C:\Users\Admin\AppData\Local\Temp\tohila.exe" OK
C:\Users\Admin\AppData\Local\Temp\woabo.exe
"C:\Users\Admin\AppData\Local\Temp\woabo.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2100-1-0x0000000000400000-0x0000000000467000-memory.dmp
\Users\Admin\AppData\Local\Temp\kogym.exe
| MD5 | b68eddd384fab07bd291ec48ee95a869 |
| SHA1 | da3ed821b1e37384c80d1b80d5f0c760de3a75d6 |
| SHA256 | 85e593e2dd99f55a1e9c7de741320c5f897557934a319444acb4f55cc26a348e |
| SHA512 | 80c00edc26ba34fbc5be25b07494dfd9580be4a7bd1e75ab0e94aa3da393342b74d2ce2d3373a9456ac72d0c164950a3e5c34951322905bd778afb9af9d7bc1a |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | a65cffa3f9e4bd1aacd4d90db2c6bae6 |
| SHA1 | ab3ef5fe18dc0f4353c5f04dd72e62b52fb14aa8 |
| SHA256 | 797d4c939a4bf6d97f3375d70afe1036ca8902cd94ddf8bc94a190e4383481e2 |
| SHA512 | dab3b8439c0131a5fda0dbee08bd8c5a307717ec53a24eded50ed667505f6b236d4e9720bf0b3d8ced9699e3601f10a9d36d82cde6133492bfa4e5e6cd3602bf |
memory/3048-22-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9025a1b469b436d5ace14b11db8f9320 |
| SHA1 | 8e8c547cc5f9e8b607eace99825ee51dbb45ecfa |
| SHA256 | 4fa268c98094fac2710247b27f250a1c45ee80f82cd9e73eb8fc542c55d82a6f |
| SHA512 | e13bfab6d24775133cd048f0891a09ccfec1ef21d19888a01938c764c7cac640d094a16395835853869c507f6b673923ef8c1844bec9b568d5df6f3d72acfe7e |
memory/2100-23-0x0000000002BA0000-0x0000000002C07000-memory.dmp
memory/2100-6-0x0000000002BA0000-0x0000000002C07000-memory.dmp
memory/2100-19-0x0000000000400000-0x0000000000467000-memory.dmp
\Users\Admin\AppData\Local\Temp\tohila.exe
| MD5 | 25f3fbe899e1b8bc5adc425387651e2f |
| SHA1 | ac9886742c808b7cc01a9795a8c5eb4c19488c46 |
| SHA256 | 4f3b99256846ea458008e33af829433df1cce1dfd3fc905d8b2f5fd39dfad143 |
| SHA512 | af7fcfa8ffba5532a1e1a5533263d0431adc780f1c4df0a43fb97002b1786a37e724a7a88d880b22fdf63ab5bf49ea402196f4c72f731eb06ebb62b6e71daa7e |
memory/3048-35-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2220-36-0x0000000000400000-0x0000000000467000-memory.dmp
\Users\Admin\AppData\Local\Temp\woabo.exe
| MD5 | c80ab196cc1a05158e6e636f5bf9964d |
| SHA1 | 6fd66410f6be5e5bf7ebe1496ce7d8a314ba2b17 |
| SHA256 | 985b79d220f30caafa99b5b5e6a9e8bb09e6e605901e2421265499622a341a3e |
| SHA512 | eae99f87f8eb58095b2f697655028ff6724980f1ba0d7984e40fcd15070e4b5343c6d276749e7622df28f6da52fd953183e006c4d8774cfde26657d9c83280fc |
memory/2760-53-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2220-52-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | a6b30500fb174ccfc632f67210cec8e2 |
| SHA1 | b8b9e2126592d3cc1d84b55f243646d9e236afd1 |
| SHA256 | 419b28765f51d96e6fc7024a750aebfa33361cbc13a635db623150b2c1fcd1bf |
| SHA512 | 42e1fe10173d262834a2d3c00949640a840e4b17fc38d4d63a90eb5b129a6172ee1cdfd99be0fcb5d3db4316bd915223233f866f1c593e357121bd703d86e8dc |
memory/2220-44-0x0000000002E80000-0x0000000002F20000-memory.dmp
memory/2760-54-0x0000000000880000-0x0000000000920000-memory.dmp
memory/2760-58-0x0000000000880000-0x0000000000920000-memory.dmp
memory/2760-59-0x0000000000880000-0x0000000000920000-memory.dmp
memory/2760-60-0x0000000000880000-0x0000000000920000-memory.dmp
memory/2760-61-0x0000000000880000-0x0000000000920000-memory.dmp
memory/2760-62-0x0000000000880000-0x0000000000920000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 01:50
Reported
2024-03-11 01:53
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tyemk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ugkepo.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tyemk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ugkepo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lunoh.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe
"C:\Users\Admin\AppData\Local\Temp\efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe"
C:\Users\Admin\AppData\Local\Temp\tyemk.exe
"C:\Users\Admin\AppData\Local\Temp\tyemk.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ugkepo.exe
"C:\Users\Admin\AppData\Local\Temp\ugkepo.exe" OK
C:\Users\Admin\AppData\Local\Temp\lunoh.exe
"C:\Users\Admin\AppData\Local\Temp\lunoh.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| GB | 88.221.135.217:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/532-0-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tyemk.exe
| MD5 | 64811161a55bfa10c9f47c2f5d949174 |
| SHA1 | 4648dd963a905074b5bb9b25688ab308b89c39d7 |
| SHA256 | 26f4d6de578fc1fca3dbc32a82a6905945c94a4a1b68ec1c9068e9d1847fbdd6 |
| SHA512 | d180f84b744199a1fe40d4c0a72e115ac321a74b27663efbe285f8db0d301af15a3f70f54777893703890bb46238a8429b7d2627ca11d833a0dda0032f6f78d7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 4f466e6bd8ce8e9145583c87fe175352 |
| SHA1 | 2c911abccc9440e86972af23fc179bb0ee23f2b4 |
| SHA256 | 42b80647200bea21f8607bd59d998a24d44fface212d6d6c065f0cc14c4a5c2a |
| SHA512 | d10ef6faa6a9a748a830a9b6eedbd910509f526854aa143101797d9ed70e01161eecbb8adc6769a82bdd52ca877432380704bd80218d36cc8ebff0c8e4f7b047 |
memory/4856-12-0x0000000000400000-0x0000000000467000-memory.dmp
memory/532-16-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | a65cffa3f9e4bd1aacd4d90db2c6bae6 |
| SHA1 | ab3ef5fe18dc0f4353c5f04dd72e62b52fb14aa8 |
| SHA256 | 797d4c939a4bf6d97f3375d70afe1036ca8902cd94ddf8bc94a190e4383481e2 |
| SHA512 | dab3b8439c0131a5fda0dbee08bd8c5a307717ec53a24eded50ed667505f6b236d4e9720bf0b3d8ced9699e3601f10a9d36d82cde6133492bfa4e5e6cd3602bf |
C:\Users\Admin\AppData\Local\Temp\ugkepo.exe
| MD5 | a6d835de333da9ff8cc1cb2e25ee29f7 |
| SHA1 | 989a6f4b462d2641cd8631767048fd7462a92f83 |
| SHA256 | 2b4f22445ba475d67eaa90dfa73e50b89b1efc1da9ae411f6855c21b05d5680f |
| SHA512 | d90a3c543a87d5c5646c3bfdb5a30fd3fee59ee8b32e14906fc3a68a36f7627b23cd9adb4c146e228fc402c685f88ef32e7fc779e8316d67d5bc702186c2e79f |
memory/208-25-0x0000000000400000-0x0000000000467000-memory.dmp
memory/4856-26-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lunoh.exe
| MD5 | 9ce426467a64883feec9db95a6a8594f |
| SHA1 | d587104e480c2734bdf1b75ab5a92abdcd9f0821 |
| SHA256 | a3bf84b102412137ab610a66a7030f3d65df238995c088c23669a18d54501ca6 |
| SHA512 | 0cc9ff459fd414de589a705e6f558f60db644b02bcff206643fd7975c9ed156221fdee8b289cc358851d64bd73f375f020aea57c920b3384f11abf37cf98a230 |
memory/5092-37-0x00000000009A0000-0x0000000000A40000-memory.dmp
memory/5092-39-0x0000000000940000-0x0000000000941000-memory.dmp
memory/208-41-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | fca81d33e0876b26896217321508cacc |
| SHA1 | a1d3a2a38b0b476ffb3810dc6b0f45f125bfebac |
| SHA256 | a5052add7e1504063a4b8e2095333c9d594966801c5509c08f508d2510478d13 |
| SHA512 | 1499b88f12d5b650c86210a7c36f93cff01987eebfafc70500f4044f94a183d95906e3064ab25f675965da3c067e0ad9bcc06d0ca057463b0274850b32683b24 |
memory/5092-43-0x00000000009A0000-0x0000000000A40000-memory.dmp
memory/5092-44-0x00000000009A0000-0x0000000000A40000-memory.dmp
memory/5092-45-0x00000000009A0000-0x0000000000A40000-memory.dmp
memory/5092-46-0x00000000009A0000-0x0000000000A40000-memory.dmp
memory/5092-47-0x00000000009A0000-0x0000000000A40000-memory.dmp