Analysis Overview
SHA256
8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36
Threat Level: Known bad
The file 8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-16 22:09
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-16 22:09
Reported
2024-03-16 22:12
Platform
win7-20240221-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zybon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mylow.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zybon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zybon.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe
"C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe"
C:\Users\Admin\AppData\Local\Temp\zybon.exe
"C:\Users\Admin\AppData\Local\Temp\zybon.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\mylow.exe
"C:\Users\Admin\AppData\Local\Temp\mylow.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2364-0-0x0000000000E80000-0x0000000000EE2000-memory.dmp
\Users\Admin\AppData\Local\Temp\zybon.exe
| MD5 | 4336d443b29538c747bae73fb2f3d3a1 |
| SHA1 | f00690a10f9ee4b5eeda7682f5e253c47d0ff4c3 |
| SHA256 | f782775be0e407d240d03f74f57eea5fcb367dfdcea868f68b83f4b1f851703b |
| SHA512 | 89857223f5b52f6c7551c4ea03deeeac43222a166c35387a2eca82fbb5b36c97c27ef4b9304b004276ff8752ed0a3c6be2372f2ea029a85fb42190746a14dc08 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | b652ce937e0c122bd97f3d0ce6dca2cc |
| SHA1 | 9d2d5ae6790eb024997332be1601baebae93d698 |
| SHA256 | 079f20efb72e006948103e222c1ab454336f81a4a155a23d02d4b0eab67e4500 |
| SHA512 | 628c2a75afcec7499bc103fc3cec36c9eb9d9e98f8b4c0fff4ca40ee63172fea098ebe7acc72adb3cabfdf941424abb4e98ae4e7db65127e8cc3b6af706438a9 |
memory/2836-17-0x0000000000CE0000-0x0000000000D42000-memory.dmp
memory/2364-18-0x0000000000E80000-0x0000000000EE2000-memory.dmp
memory/2364-6-0x0000000000550000-0x00000000005B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9616e57dd48c5c3fe324766d21a64cf6 |
| SHA1 | 22a7bbdb894d8d555b8a12bb3183f8d5e079f27b |
| SHA256 | 3e96daf233e34a7ae604a68164724ed4ea5571df9f95d847cccf60412008de0d |
| SHA512 | 10e3f663bb908e4bd9c88a83891cd0d1249cbcfd062839105f0dd8d5803107602e178aae9c5e9abbc93297a9762b92f5ad4a9e1f05e0398496b7ab51ae557ebf |
\Users\Admin\AppData\Local\Temp\mylow.exe
| MD5 | e229b37bbdb6f72168884cab28b02be4 |
| SHA1 | 28c6beb1c82e6928023dc3f131b37434de711439 |
| SHA256 | dacb1a8ae43e9cde31e3aa20327321cefe772f6ebde2fe412a9049db650321ea |
| SHA512 | aa7cdcccdd2695bd0138e4feed7ce6df37dd3b947f65cb40320ddde8551a41ebe5aca078210fba2603de1e29702af6b953da1eff3b4ee0501731f0d37d6a7fa7 |
memory/2836-29-0x0000000000CE0000-0x0000000000D42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zybon.exe
| MD5 | 7bab6a396207ce7ca9a7284e8a4d2ef0 |
| SHA1 | de0380e89df31e2ad348bff69773885cfe6e20d6 |
| SHA256 | 08e0780631515ce83bc71661e4dfa67d1e82ee83428faf847e6bdb8f8eb56107 |
| SHA512 | 89cef161ce1e36ec53607a1cfcd09b30a2d38e07bc69accbace74d2c5516739740ad20363acb68efa0d164f3ae36becbb91b56548188dd5c35a599290c5c8188 |
C:\Users\Admin\AppData\Local\Temp\zybon.exe
| MD5 | b90cabdce11eafd910a7bf9ec8a3ba4b |
| SHA1 | cabfe274186858d82ec957f62ad9729d6cc4d3cc |
| SHA256 | d4bd89ac0bacafc4cd1f72809b5e9ee7a677bd3ac9c576f66f09653ea92b99df |
| SHA512 | fbda802152c4cf1a1b2b29568bf267f0e35b8fe85b57186d41d7b9a552d3755b28ee6bf69eabbd7cb3ce352738ab70e8efe83ed68a573f185956664a582269ad |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-16 22:09
Reported
2024-03-16 22:12
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tomeg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tomeg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xuxou.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe
"C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe"
C:\Users\Admin\AppData\Local\Temp\tomeg.exe
"C:\Users\Admin\AppData\Local\Temp\tomeg.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\xuxou.exe
"C:\Users\Admin\AppData\Local\Temp\xuxou.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
Files
memory/2512-0-0x0000000000880000-0x00000000008E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tomeg.exe
| MD5 | cf14346fb50285f785935e2397b8be04 |
| SHA1 | b13e87878ba585b14b4f7708aafea87b4667fa9b |
| SHA256 | 0aeeb889eafba82d102f38660aa00040b9aae49500d087cb926f50a00bf5bebb |
| SHA512 | e3bd63a4025330dcfd8dab921512ecc9367494a941b349edadbba5992507dbe647bd456cc894cadd1296c7da9a2684806de43130ed9e5b7c674f89b0e2cb4bca |
memory/2340-12-0x0000000000580000-0x00000000005E2000-memory.dmp
memory/2512-14-0x0000000000880000-0x00000000008E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | b652ce937e0c122bd97f3d0ce6dca2cc |
| SHA1 | 9d2d5ae6790eb024997332be1601baebae93d698 |
| SHA256 | 079f20efb72e006948103e222c1ab454336f81a4a155a23d02d4b0eab67e4500 |
| SHA512 | 628c2a75afcec7499bc103fc3cec36c9eb9d9e98f8b4c0fff4ca40ee63172fea098ebe7acc72adb3cabfdf941424abb4e98ae4e7db65127e8cc3b6af706438a9 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | cd76e4a485c1ce375664ade6e89414fb |
| SHA1 | b1db70711b5d36665ffb81841c9ba4c636c58c4c |
| SHA256 | 0c2a0bf09635852eec726dd5d04d4142f409371986c36a907045a52831b22942 |
| SHA512 | 666f3224a7635f352811b1ec80fd22723d204074880f3816cc6e4a709a5563856a7a820e052b1e7fc91ebf109ab7c15f25dd92f52efab8042065b1d32f574879 |
C:\Users\Admin\AppData\Local\Temp\xuxou.exe
| MD5 | f3f9a2cea6dc17c8cdddb5b6d2576758 |
| SHA1 | 53767ababebf2eb566d69c596abe5fb27b33550c |
| SHA256 | f2bb125ac0329eb78648e594ae182837f567fc9bf6c3dfd92c96032dd280b383 |
| SHA512 | 8e7e5a4793026a3ca77742db922c3509858da137930eebc2b80df3f5e3976ebda68cb3d785d268b004a2c6185c17f2cc936265c7eb949bcf07aec2972b82da02 |
memory/2340-25-0x0000000000580000-0x00000000005E2000-memory.dmp
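Added example, not part of the sandbox report: a small Python triage helper that turns the indicators from both detonations into checks a responder can run over endpoint telemetry. It uses the four high-port TCP endpoints (the same in the win7 and win10 runs), the SHA256 of _uinsey.bat (identical in both runs, unlike the dropped EXEs, whose hashes differ between and even within runs), and the two process patterns behind "Executes dropped EXE" and "Deletes itself" (a Temp-resident EXE launching another Temp-resident EXE, and a Temp-resident EXE launching cmd.exe /c on a Temp .bat). The event and connection records are constructed for illustration; PIDs and parent/child assignments are assumed from the order of the process lists, which the report does not state explicitly. The 8.8.8.8 reverse-DNS queries and tse1.mm.bing.net connections in behavioral2 are consistent with Windows 10 background traffic and are deliberately not treated as indicators.

```python
import re

# Candidate C2 endpoints seen in both detonations (KR/JP hosts, TCP 11110/11170).
C2_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}

# File indicators. The batch file hash is stable across both runs; the EXE
# hashes are listed for completeness but should be expected to vary.
KNOWN_SHA256 = {
    "079f20efb72e006948103e222c1ab454336f81a4a155a23d02d4b0eab67e4500",  # _uinsey.bat (both runs)
    "f782775be0e407d240d03f74f57eea5fcb367dfdcea868f68b83f4b1f851703b",  # zybon.exe (win7)
    "dacb1a8ae43e9cde31e3aa20327321cefe772f6ebde2fe412a9049db650321ea",  # mylow.exe (win7)
    "0aeeb889eafba82d102f38660aa00040b9aae49500d087cb926f50a00bf5bebb",  # tomeg.exe (win10)
    "f2bb125ac0329eb78648e594ae182837f567fc9bf6c3dfd92c96032dd280b383",  # xuxou.exe (win10)
}

TEMP_EXE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
TEMP_BAT_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.bat$", re.I)
# Matches the doubled-quote form seen in the report: cmd /c ""C:\...\_uinsey.bat" "
BAT_CMD_RE = re.compile(r'/c\s+"+([^"]+\.bat)"', re.I)


def drop_and_execute(events):
    """Temp-resident EXE whose parent is also a Temp-resident EXE ('Executes dropped EXE')."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and TEMP_EXE_RE.match(parent["image"]) and TEMP_EXE_RE.match(e["image"]):
            hits.append((parent["image"], e["image"]))
    return hits


def bat_self_delete(events):
    """cmd.exe /c <Temp .bat> launched by a Temp-resident EXE (the 'Deletes itself' stub)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = BAT_CMD_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and TEMP_EXE_RE.match(parent["image"]) and TEMP_BAT_RE.match(m.group(1)):
            hits.append((parent["image"], m.group(1)))
    return hits


def c2_hits(conns):
    """TCP connections to one of the report's candidate C2 endpoints."""
    return [c for c in conns if c["proto"] == "tcp" and (c["dst"], c["port"]) in C2_ENDPOINTS]


def triage(events, conns, sha256s):
    """Summarise every indicator class in one dict; an empty value means no hit."""
    return {
        "drop_and_execute": drop_and_execute(events),
        "bat_self_delete": bat_self_delete(events),
        "c2": c2_hits(conns),
        "known_files": sorted(set(sha256s) & KNOWN_SHA256),
    }


# Constructed telemetry (Sysmon-style process creation records); PIDs and
# parent/child links are assumed, not taken from the report.
MAIN = r"C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe"
SAMPLE_EVENTS = [
    {"pid": 2364, "ppid": 1200, "image": MAIN, "cmdline": f'"{MAIN}"'},
    {"pid": 2836, "ppid": 2364, "image": r"C:\Users\Admin\AppData\Local\Temp\zybon.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\zybon.exe"'},
    {"pid": 3012, "ppid": 2364, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"pid": 3100, "ppid": 2836, "image": r"C:\Users\Admin\AppData\Local\Temp\mylow.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\mylow.exe"'},
    {"pid": 4000, "ppid": 1200, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
# Constructed connections: one C2 hit plus the kind of background noise seen in behavioral2.
SAMPLE_CONNS = [
    {"dst": "218.54.31.226", "port": 11110, "proto": "tcp"},
    {"dst": "8.8.8.8", "port": 53, "proto": "udp"},
    {"dst": "204.79.197.200", "port": 443, "proto": "tcp"},
]
SAMPLE_HASHES = [
    "079f20efb72e006948103e222c1ab454336f81a4a155a23d02d4b0eab67e4500",
    "0000000000000000000000000000000000000000000000000000000000000000",  # constructed benign
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_EVENTS, SAMPLE_CONNS, SAMPLE_HASHES).items():
        print(k, v)
```

The process-pattern checks are the more durable part: the dropped filenames (zybon, mylow, tomeg, xuxou) and the EXE hashes change per run, while the Temp EXE -> Temp EXE chain and the cmd /c Temp .bat self-delete stub recur in both detonations.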