Analysis Overview
SHA256
903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa
Threat Level: Known bad
The file 903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-16 22:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-16 22:12
Reported
2024-03-16 22:14
Platform
win7-20240220-en
Max time kernel
140s
Max time network
118s
Command Line
Signatures
Urelas
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe
"C:\Users\Admin\AppData\Local\Temp\903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe"
Network
Files
memory/2924-0-0x0000000000A70000-0x0000000000B71000-memory.dmp
memory/2924-1-0x0000000000A70000-0x0000000000B71000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-16 22:12
Reported
2024-03-16 22:14
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yjotj.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yjotj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fuifg.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe
"C:\Users\Admin\AppData\Local\Temp\903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe"
C:\Users\Admin\AppData\Local\Temp\yjotj.exe
"C:\Users\Admin\AppData\Local\Temp\yjotj.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\fuifg.exe
"C:\Users\Admin\AppData\Local\Temp\fuifg.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
memory/3696-0-0x00000000000A0000-0x00000000001A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yjotj.exe
| Hash | Value |
| --- | --- |
| MD5 | a8055794d2dec79da0112dea6b8ef552 |
| SHA1 | e643b91b947c7e2d2d7e5cbbeaea7f97a89d9ade |
| SHA256 | ea999bf2f5cf34bb8fd64e252536e87d08a34cc5bcb759e883f22f48bfff41b1 |
| SHA512 | c2e28a75dd71fd0a470affc5759c1c36d4bef59eae9b1b285ed26f4a63a6e041f7559a46b8e6c8655fe72d6b141462c0e3cb09bcbc709d4847c3a7774683dec0 |
memory/2176-11-0x0000000000C80000-0x0000000000D81000-memory.dmp
memory/3696-14-0x00000000000A0000-0x00000000001A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| Hash | Value |
| --- | --- |
| MD5 | 827b4aafc0c688654d4d4e69badef025 |
| SHA1 | 46ea28f78071ecd31bf26dd507c93685c4e3df64 |
| SHA256 | 2475d13e06f0c3dc90ea77f5648911d3d511360aaf4023657dfcfebff73e05d2 |
| SHA512 | c7424e991390d3b5c1bbe579779d073934e828264eb68fc4ec8c2a96de3843cc46bf6956be04d7de0387371502cea69ceb09998adcacaa5fb0c5b7de92b24918 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | d932c4fab73bdebc6db37a4b7eb28af2 |
| SHA1 | c707d3cb09ee8fef900d41aa8a1cc27b6f4d2cc5 |
| SHA256 | 342f32c64b09c856dc3730659bb9ac6f02979c94028ec63ef4dcf2a618256a20 |
| SHA512 | 0cfb01a33784ecedac74515227182e099ee3ec69133b0b276bd90e65ba86ad57de25aee3ba0f912ba38acb8544e3a13df581dabc7cff8b26c73b0798a136eca0 |
memory/2176-17-0x0000000000C80000-0x0000000000D81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fuifg.exe
| Hash | Value |
| --- | --- |
| MD5 | cd141b438362e2c09ea0c9bcd3e39825 |
| SHA1 | 10299a5f758a8417a4e63bbd0d2bca388695880d |
| SHA256 | 37e13e816bc70c3d6221a0f60e5cd6937a178d83c9047f2b0c6001d0e7f47c91 |
| SHA512 | 56d6db1410ab92dab047090c5925c9707de735352c0bf1b17fffad53b11f7ff12b0a0428beabebe2a64488c40b4cc5936270004b11737a2c87d300499e351ac0 |
memory/2176-28-0x0000000000C80000-0x0000000000D81000-memory.dmp