Analysis Overview
SHA256
14f8f5e1845ef3a5e480b4d8eb1d6927cdebb85bb149c7c5f4bab48e913e9004
Threat Level: Known bad
The file bffd92387ce2f42ec3bef3676dc450c5 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-11 05:44
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 05:44
Reported
2024-03-11 05:46
Platform
win7-20240221-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jifyi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\juboce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huiqt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jifyi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jifyi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\juboce.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe
"C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe"
C:\Users\Admin\AppData\Local\Temp\jifyi.exe
"C:\Users\Admin\AppData\Local\Temp\jifyi.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\juboce.exe
"C:\Users\Admin\AppData\Local\Temp\juboce.exe" OK
C:\Users\Admin\AppData\Local\Temp\huiqt.exe
"C:\Users\Admin\AppData\Local\Temp\huiqt.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2920-0-0x0000000000400000-0x00000000004679C5-memory.dmp
\Users\Admin\AppData\Local\Temp\jifyi.exe
| MD5 | 8e799cd1ede1ce2da654b9ebe4e96872 |
| SHA1 | 0d5e2d90e0550e0d255076667ec604be33c66ed5 |
| SHA256 | d098c1fb0714634603d50bbdaec0bd9f70ab9baecf5869b6521bbf83f6cfbe8e |
| SHA512 | 581e6c1cbe936a9c1e0e7f9ff3567f2eef04617e4aa6162a7f34b10475def5bd1202e9a5e786d3e95b40fb8dd3c30ae8c387d31a7b8c9e0ab0cdb9135fcd24e1 |
memory/2920-19-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2920-10-0x0000000001F30000-0x0000000001F98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 6bc18f939cb5b9b400e5b7fdc296bc0b |
| SHA1 | 7cf463319130f8c24bf224a45639313182e829b6 |
| SHA256 | a40dde9a81a24cb3d72c661a1b8077b76a3a6371149213833efc179a67404620 |
| SHA512 | 043274de024d9284b07bf6ab4c63967e090e19792090d6a9c372b4b044c6e1d02f3c8411162c3141ed8af9513657e92a0e813ad4c0a04ef79654052548d77320 |
memory/2948-22-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | f847b5d9d2475fb8fa19d0287199e436 |
| SHA1 | bd25e1e5bbddc343e6233ce1051d979dac880002 |
| SHA256 | 2e4736cae2231b7b9583c1e768aec1712bc99247eff4662152c7eac6a3ad8b68 |
| SHA512 | c6a19eb2e99857c697a3c71b04ecc9ec1751d4785d753e59c69cb3891821ecc09451814ed23aa5571e39bbcd69b4e0b7fe47a7c69e9c8b2f312412dc3638fb14 |
\Users\Admin\AppData\Local\Temp\juboce.exe
| MD5 | 53791e86a69b6433ea0b7eb63e7ba3d1 |
| SHA1 | 74bfbfa87010bf79db162146a295f720bca0c263 |
| SHA256 | 045a11efe0bf7ec498ee4efdf7d27c0ee9d9d01aab07f4946df595aabd7a9f22 |
| SHA512 | 543d9daaf957c304c9ff8d8be05a08669a3e9ad8eb54c584be934460fde9c7ddef1892fd6dc78ffbfc4a330a2b48f2bcf420d96d58a5604b3acd81df93b13223 |
memory/2948-34-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2684-36-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2948-33-0x0000000003680000-0x00000000036E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\huiqt.exe
| MD5 | 685da7bd1286817247ce5b1d32e90428 |
| SHA1 | 1d4cf39b8144e58a9024cc7d809140368ae4ddc2 |
| SHA256 | 17e4f1128f7a48b679328629d521e8595ad37935683406574ce387294303a5da |
| SHA512 | 24c6e2ec6580fe85119528d4bf8b1eb86da0f089a61f14a50ceacf31781734fe96d0edc4368e2e41681afc0136dd75ee4c21aaaf49106f057baf17b030189386 |
memory/2684-52-0x0000000003B50000-0x0000000003BF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 6eff6bacee80448346f6332df43a9b76 |
| SHA1 | f7b7c8b9b9b8943ac907cfae58299941819d30ed |
| SHA256 | 5d75fa2e2104684e6300dccc103f0e7af138556d95b5f9d0d260ec89153b4fef |
| SHA512 | 72f6d1c1fab34124172db8a44740e725418b0bbddb91d37d12523f5c7c1cc9041d05745089f8d6d6ae8e76f22fba27ad6dd182637834cd3aa95565814e4b5f01 |
memory/2684-51-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2496-53-0x00000000002E0000-0x0000000000380000-memory.dmp
memory/2496-54-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2496-58-0x00000000002E0000-0x0000000000380000-memory.dmp
memory/2496-59-0x00000000002E0000-0x0000000000380000-memory.dmp
memory/2496-60-0x00000000002E0000-0x0000000000380000-memory.dmp
memory/2496-61-0x00000000002E0000-0x0000000000380000-memory.dmp
memory/2496-62-0x00000000002E0000-0x0000000000380000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 05:44
Reported
2024-03-11 05:46
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bisue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ezvopu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bisue.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezvopu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tyvoa.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe
"C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe"
C:\Users\Admin\AppData\Local\Temp\bisue.exe
"C:\Users\Admin\AppData\Local\Temp\bisue.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ezvopu.exe
"C:\Users\Admin\AppData\Local\Temp\ezvopu.exe" OK
C:\Users\Admin\AppData\Local\Temp\tyvoa.exe
"C:\Users\Admin\AppData\Local\Temp\tyvoa.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
memory/4004-0-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bisue.exe
| MD5 | ac989931471050c1b394b4262a760c54 |
| SHA1 | 7bf31b8ba11c10cca02a24f00f6ed88bf3948b51 |
| SHA256 | efc1a205b03cb8cb0db49431196bc566b9a7e6c89d85f762c9903b3d2a44384d |
| SHA512 | 5aa643d2066f51f47f5bb0262f6db33338339b76828b6e2fde38ef8a072d3eb3f765fa71e8488ebccff61d06ac813fc8e8ddac68ed94d803423b6c9ff97fcdfd |
memory/4696-14-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 3f5cc9d83a0d6a5a29fa2ae2f9527251 |
| SHA1 | 8745fae64eaf681c22b32d21c14bcccb854aaf5e |
| SHA256 | 5d6d3f168d29c4a825e3cadc097d0403b97a5d1ca583e8fcba9473555dd359d0 |
| SHA512 | 2c03f30906ad3c5ccdee9e098807c66bb98f9163a1005bf338f2497cfca3cd750b0161527f988e36491978f19c983f4553a5c00f6858313c42c0c673e1a2e995 |
memory/4004-16-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | f847b5d9d2475fb8fa19d0287199e436 |
| SHA1 | bd25e1e5bbddc343e6233ce1051d979dac880002 |
| SHA256 | 2e4736cae2231b7b9583c1e768aec1712bc99247eff4662152c7eac6a3ad8b68 |
| SHA512 | c6a19eb2e99857c697a3c71b04ecc9ec1751d4785d753e59c69cb3891821ecc09451814ed23aa5571e39bbcd69b4e0b7fe47a7c69e9c8b2f312412dc3638fb14 |
C:\Users\Admin\AppData\Local\Temp\ezvopu.exe
| MD5 | eaf04b7d70749f5b53965aea752282dd |
| SHA1 | 873912339192ec629f1ef5e2dc418e92d66da6fe |
| SHA256 | c918add1d89d6f1ce0bf8bfafe6d2eaa42b4f0c6dcb85bbdda3e512f84b183fd |
| SHA512 | a7b36264aa641f592d7919837e91b70977acab9c3b23e2475b1c5a0ada63ab92c20f79f295ea537e580955a18d6bb886a5581de6c44532d135bbc8ebe5b2ca77 |
memory/4696-25-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/1428-26-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tyvoa.exe
| MD5 | ea6316028571c979478ada853dd551b0 |
| SHA1 | 2057de0e40263250c52e4c57134c7db0bfdcc53c |
| SHA256 | 30ab8ad54f5d6bca13ffbe6d1b13f5605b9e8f5e4733bfa7a822a63aaf055ad9 |
| SHA512 | 08d31ac48980923a42445bb69c885de631b99feb11f8ad0577ffdb55e5232f16066e91d2693924248034e372d07729932938b0b878fdcb4df94e74f659e8aa9f |
memory/1924-37-0x00000000005D0000-0x0000000000670000-memory.dmp
memory/1924-39-0x00000000004F0000-0x00000000004F1000-memory.dmp
memory/1428-40-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | f87230f2dc5208f9a86475f1cb49ebed |
| SHA1 | 06e13e5b55b018b695e72a955620b00aba32ebad |
| SHA256 | 847270e4de05d2b6b44992bf791f4883e5c70e464caba00bf6e766e4e81cdcec |
| SHA512 | c91873ffa8770ed324ffff57f803fcdc8d86e5ea561de405f8e097001b39ac00990e0d9ebd3189a16f897a84e3099a92d28d3d9fa0badda5601c7b9fa51e2c7c |
memory/1924-43-0x00000000005D0000-0x0000000000670000-memory.dmp
memory/1924-44-0x00000000005D0000-0x0000000000670000-memory.dmp
memory/1924-45-0x00000000005D0000-0x0000000000670000-memory.dmp
memory/1924-46-0x00000000005D0000-0x0000000000670000-memory.dmp
memory/1924-47-0x00000000005D0000-0x0000000000670000-memory.dmp