Analysis Overview
SHA256
e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83
Threat Level: Known bad
The file e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-11 01:23
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 01:23
Reported
2024-03-11 01:25
Platform
win7-20240220-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feorw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\awdio.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feorw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feorw.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe | "C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe" |
| C:\Users\Admin\AppData\Local\Temp\feorw.exe | "C:\Users\Admin\AppData\Local\Temp\feorw.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" " |
| C:\Users\Admin\AppData\Local\Temp\awdio.exe | "C:\Users\Admin\AppData\Local\Temp\awdio.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | N/A | tcp |
| KR | 1.234.83.146:11170 | N/A | tcp |
| KR | 218.54.31.165:11110 | N/A | tcp |
| JP | 133.242.129.155:11110 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\feorw.exe
| Hash | Value |
|---|---|
| MD5 | 065b727f2141881b1e93946fc3f50539 |
| SHA1 | eae211b112a0f64718885e4a1222413e7be0cbfa |
| SHA256 | c7d31cacc05532ab36c6754a2d333500022d0cb1f2316223ebfc084dc5718c64 |
| SHA512 | 98ba68cfd71fdf39ecd958864c3a2640c4dbe8d48d88f79a14e30cf4ab11b13804f7b8b21c56d772af4e29b249d8d6bc1e66400c97bad4cd6abf1d25021bc785 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Hash | Value |
|---|---|
| MD5 | b3f3a09e69a384384dee5a7aab5b1eb9 |
| SHA1 | c824ef2a85127360a79c6f9e05cb17dbe3487482 |
| SHA256 | 0096b4fb55ac09fbad09fe5de526ebd1eee8fc9a93d42d78c7e75e1fadc846ce |
| SHA512 | 6c65782abbef3f0034dc1d7c2f6d79597a8fa502dcda529e4c4811770a677a72c02c561643045af92a3570c5f2a89c33da94c70e562998e82eb708285defdda7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 11025d3ee0e292dcc6b9635c688b1e84 |
| SHA1 | 6523501aedef0956ea3ebb77b743a054b380443f |
| SHA256 | f765ba0311a3a07705238be8e94a7f782b82cd2b986134a4e84c8ef0bdcbfe44 |
| SHA512 | aeb4266f6f99d44944d13f58670be19c02e1d5e8fa26a335d6b5c068e555fdad453258e5208fcdc654213a7ca23d1b9ffa6f9a2e371d46f206a366614ee8492b |
\Users\Admin\AppData\Local\Temp\awdio.exe
| Hash | Value |
|---|---|
| MD5 | 80122baeb27b1b184b7d83f040dfe3c1 |
| SHA1 | 5f22f47907188bff50185e9c4d64311c5f06cf98 |
| SHA256 | b345558ba27baa6e91b2d030160acbd3886e6ae5d8954a597f23986fe293847d |
| SHA512 | 8305f96e2231b8f14fcbc90d4162d0b0822f3dacf8fad3b2a6b6e8ae4e58bf90d9e526a059c484fc4d293ccb2fc4147a9ef04d801662004e3b7714eb3071a50f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 01:23
Reported
2024-03-11 01:25
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kuwos.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kuwos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qytur.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe | "C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe" |
| C:\Users\Admin\AppData\Local\Temp\kuwos.exe | "C:\Users\Admin\AppData\Local\Temp\kuwos.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" " |
| C:\Users\Admin\AppData\Local\Temp\qytur.exe | "C:\Users\Admin\AppData\Local\Temp\qytur.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | N/A | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | N/A | tcp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | N/A | tcp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | N/A | tcp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\kuwos.exe
| Hash | Value |
|---|---|
| MD5 | fe81a55854a3fef3e20991d17671c5b1 |
| SHA1 | 8dad84d5874a76158d89d2ee861e98df86221453 |
| SHA256 | 2b345db394559844e2b33708697c76c23fd137968378e025d6326114a1e470f5 |
| SHA512 | ca8d38e6800c13d624007b79ec93c14f05a671efd8cf2b97f8f2da3187154e6d1c35d8f8d9b10b5770e86f9ce0adfa28ad71e1328e4c87cf8537f2f0d8dece89 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Hash | Value |
|---|---|
| MD5 | b3f3a09e69a384384dee5a7aab5b1eb9 |
| SHA1 | c824ef2a85127360a79c6f9e05cb17dbe3487482 |
| SHA256 | 0096b4fb55ac09fbad09fe5de526ebd1eee8fc9a93d42d78c7e75e1fadc846ce |
| SHA512 | 6c65782abbef3f0034dc1d7c2f6d79597a8fa502dcda529e4c4811770a677a72c02c561643045af92a3570c5f2a89c33da94c70e562998e82eb708285defdda7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | d74d0126be76b801d73a4216cbabe375 |
| SHA1 | 39c1023960e22acca2e78517321db24318239cf9 |
| SHA256 | d7f12cd0a3ff68dfc6aec812083fb7b4ea9305ef41b724051fb75fdd07e61567 |
| SHA512 | ea38c4d7eab6c72c286aeb9f51102609e3435fe0a9ba34103ada38590c16b325d526963cb205affc24651f40c65de8d44fa7c9c53a6c590f042a86fbdd9d08c6 |
C:\Users\Admin\AppData\Local\Temp\qytur.exe
| Hash | Value |
|---|---|
| MD5 | 9ae3cd6b502a09fb77937f7d3b0f7a7a |
| SHA1 | 9210a676b51ab0cab42008a9121634ac90881a14 |
| SHA256 | 81fccec4a237bc011c361858eae6a8647662581167db39e466c962bc334f8e8f |
| SHA512 | 8399fb006784297aef0e083ddbcb9157fcd536b34474d1ee20c6b533fee5a1c342760fea4f5fc6db0f706cfdd3f8faf799bc0be15386181e24a0d3502d963031 |