Analysis Overview
SHA256
addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e
Threat Level: Known bad
The file addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-16 23:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-16 23:06
Reported
2024-03-16 23:09
Platform
win7-20240215-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cisyz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nigowi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gyrol.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cisyz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nigowi.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe
"C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe"
C:\Users\Admin\AppData\Local\Temp\cisyz.exe
"C:\Users\Admin\AppData\Local\Temp\cisyz.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\nigowi.exe
"C:\Users\Admin\AppData\Local\Temp\nigowi.exe" OK
C:\Users\Admin\AppData\Local\Temp\gyrol.exe
"C:\Users\Admin\AppData\Local\Temp\gyrol.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
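The process tree above shows the pattern a hunter can key on: a %TEMP% executable starts a second, differently named %TEMP% executable (with the bare argument "hi", then "OK"), and each stage removes itself through cmd /c and a _vslite.bat dropped alongside it. The following is an added example, not sandbox output or Urelas code: it runs that logic over constructed Sysmon-style process-creation records that mirror the tree above. The PIDs, the placeholder name sample.exe and the benign "setup.exe" control events are assumptions made for the example.

```python
"""Hunting logic for the drop chain recorded in the behavioral1 process tree:
a %TEMP% executable starts a second, differently named %TEMP% executable
(observed with the bare argument "hi", then "OK"), and stages remove
themselves with cmd /c <...>\_vslite.bat.  Added example; the events are
constructed Sysmon-style process-creation records, not sandbox output,
and the PIDs and the name sample.exe are placeholders."""
import re
from dataclasses import dataclass

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line exactly as logged


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP.match(path))


def trailing_args(cmdline: str) -> str:
    """Everything after the first (possibly quoted) token, i.e. the arguments."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def find_urelas_chain(events):
    """Return stage hand-offs, self-delete batches and a verdict for one tree."""
    by_pid = {e.pid: e for e in events}
    handoffs, self_deletes = [], []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not in_user_temp(parent.image):
            continue                       # only children of a %TEMP% executable matter
        if in_user_temp(e.image) and e.image.lower() != parent.image.lower():
            handoffs.append((parent.pid, e.pid, trailing_args(e.cmdline)))
        elif e.image.lower().endswith("\\cmd.exe") and "_vslite.bat" in e.cmdline.lower():
            self_deletes.append((parent.pid, e.pid))
    # A single %TEMP%-to-%TEMP% launch is common for installers; require the
    # repeated hand-off plus the batch-file self-delete before calling it.
    verdict = "urelas-like" if len(handoffs) >= 2 and self_deletes else "inconclusive"
    return {"handoffs": handoffs, "self_deletes": self_deletes, "verdict": verdict}


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed; mirrors the behavioral1 tree above
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2896, 1000, T + r"\sample.exe", f'"{T}\\sample.exe"'),
    ProcEvent(2908, 2896, T + r"\cisyz.exe", f'"{T}\\cisyz.exe" hi'),
    ProcEvent(2900, 2896, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c ""{T}\\_vslite.bat" "'),
    ProcEvent(2576, 2908, T + r"\nigowi.exe", f'"{T}\\nigowi.exe" OK'),
    ProcEvent(1752, 2576, T + r"\gyrol.exe", f'"{T}\\gyrol.exe"'),
    ProcEvent(1760, 2576, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c ""{T}\\_vslite.bat" "'),
    # benign control (assumed): an installer in %TEMP% running a copy command
    ProcEvent(3100, 1000, T + r"\setup.exe", f'"{T}\\setup.exe"'),
    ProcEvent(3101, 3100, r"C:\Windows\System32\cmd.exe", "cmd /c copy a.dll b.dll"),
]

if __name__ == "__main__":
    print(find_urelas_chain(SAMPLE_EVENTS))
```

The verdict deliberately needs two hand-offs and at least one _vslite.bat self-delete: a lone %TEMP% executable spawning another %TEMP% executable is routine for self-extracting installers, so on its own it is a hunting lead, not a block rule.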
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2896-0-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2896-3-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2896-4-0x00000000001C0000-0x00000000001C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\cisyz.exe
| MD5 | 3305ec17a2c8583f6ad04f0c35f05966 |
| SHA1 | f8bc33baeb6ca433724af114384cb17957bbd520 |
| SHA256 | 1326aae1549af67915a388060b6db22cfe68057fe0abbb3b0b0c3263e8cf56c7 |
| SHA512 | 936dd276cf320cf2737c8a36bd1f41d4f80324e17d20308f9ac5efddda4f35b8d742633eee97c1217143ea8dd529faa6d81d0c165e68d573eae110e49275bcbe |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 633205ec749975506223464132d91c15 |
| SHA1 | 65a767479594aedf26b17ab0252bf06f45020cb3 |
| SHA256 | ca36527edbcf227f7d06d1b784ff170bc82363fe534c78e4d9272b7d8104b221 |
| SHA512 | 2a4c72d658e2dc1a859101e1e7be378179a71545b6e839fe9c362cdf6c766eb6459ce6c8ac77406018e77e96cf717dd0c200a09f02bd95bdc59ce4a9f7fe1ed3 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e5df67d153f327d244f3c05fa5485889 |
| SHA1 | 340597a9037191a48fd76df4f8daa36de8b78845 |
| SHA256 | 16c4af27114a1542e008ce519e0cbcdcacefc348e269425b130125200996fa16 |
| SHA512 | 1aeb136bd3e3d0c851ef760ac2ace10cb74bde0be3598ec754c89bb9536966835126e2f333c26d5d7684c68bb03d041d420728a69669cffe6e69b94bfb0e4816 |
memory/2908-20-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nigowi.exe
| MD5 | caa1b7ddcee696a9c6ae78566f2abb88 |
| SHA1 | 0797d8cc0f822fe575ea291d88d570016657ca17 |
| SHA256 | 40b738aeecf59c400db2861eb14f2692ca8a468b3ce493f32f88721c8777982d |
| SHA512 | a855fe013d9c8ab8409db9a48b022e6f07b9812f39f4bd5cff3ea83a9258dd58ec5ca592bbbf0af7b77aebebe65d826cf3d8680825c1372f3ba0a03bc6070445 |
memory/2908-22-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2896-19-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2908-30-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2576-33-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2576-34-0x0000000000400000-0x000000000046F000-memory.dmp
\Users\Admin\AppData\Local\Temp\gyrol.exe
| MD5 | df61975e83ef564c718326d68b5dd40d |
| SHA1 | 8c7928857586025512a66cf0d0a51c21cd3f1e15 |
| SHA256 | d38c6b1313a305a92c8d50a37ebd8e03bef0b7508daaa9633f16f308a64935f0 |
| SHA512 | 23bbeb76a4f5c58fce400b0fbd13960e9b777f656737b499c55d9df384388fddac84e9e99583f5fb7dcab309274779b263f8dedc8f2610c5b068d0dc87dfe1ec |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | f96e79f0f7d92f772bf4e0fbc999fabb |
| SHA1 | 1af182ceb066ba43d67a1022aba478709f052dab |
| SHA256 | 320a7deae8a910faaef321244610135053e32bd1d370962e9498ba7b77119e0d |
| SHA512 | 0ed67bc433d8000b152d8de6854de72533b827a16e90a5fdf34a0e8a52e0ef89dcaad14102065b68b706d84c50b11fb37af2d2e3c4b56b06183c764da3235729 |
memory/2576-42-0x0000000003D10000-0x0000000003DB0000-memory.dmp
memory/1752-51-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1752-52-0x00000000011A0000-0x0000000001240000-memory.dmp
memory/2576-50-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1752-56-0x00000000011A0000-0x0000000001240000-memory.dmp
memory/1752-57-0x00000000011A0000-0x0000000001240000-memory.dmp
memory/1752-58-0x00000000011A0000-0x0000000001240000-memory.dmp
memory/1752-59-0x00000000011A0000-0x0000000001240000-memory.dmp
memory/1752-60-0x00000000011A0000-0x0000000001240000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-16 23:06
Reported
2024-03-16 23:09
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
141s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ujjyt.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qyresu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujjyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qyresu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ufogw.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe
"C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe"
C:\Users\Admin\AppData\Local\Temp\ujjyt.exe
"C:\Users\Admin\AppData\Local\Temp\ujjyt.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\qyresu.exe
"C:\Users\Admin\AppData\Local\Temp\qyresu.exe" OK
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\ufogw.exe
"C:\Users\Admin\AppData\Local\Temp\ufogw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| GB | 216.58.201.106:443 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
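Both detonations reach the same four Korean and Japanese hosts on TCP 11110/11170, while the rest of the behavioral2 table is reverse-DNS lookups through 8.8.8.8 and Edge/Bing background traffic from the sandbox image. The following is an added example, not report tooling: it parses the report's pipe-delimited Network rows (including the variant where the protocol lands in the Domain column or the last cell is missing), separates likely C2 from sandbox noise and from traffic that still needs attribution, and de-duplicates across both tables. The sample rows are copied from the tables above; the noise suffixes and the "non-web TCP port" heuristic are editorial assumptions, not report data.

```python
"""Pull network IOCs out of the Network tables in this report.  The sandbox
writes pipe-delimited rows and, where no domain was resolved, puts the
protocol in the Domain column ("| KR | 218.54.31.226:11110 | tcp | |") or
drops the last cell, so the parser normalises both layouts before triage.
Added example, not report tooling; the sample rows are copied from the tables
above and the noise suffixes are an editorial assumption about sandbox
baseline traffic (reverse-DNS lookups and Edge/Bing background requests)."""
import re

ROW = re.compile(r"^\s*\|(.*)\|\s*$")
PROTOCOLS = {"tcp", "udp"}
NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")  # assumed baseline
WEB_PORTS = {80, 443}


def parse_network_rows(text: str) -> list:
    """Return one dict per data row; tolerates the misaligned Domain/Proto cells."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        cells = [c.strip() for c in m.group(1).split("|")]
        if len(cells) < 3 or cells[0].lower() == "country":
            continue                                  # header or junk
        rest = [c for c in cells[2:] if c]            # Domain/Proto in either order
        proto = next((c.lower() for c in rest if c.lower() in PROTOCOLS), "")
        domain = next((c for c in rest if c.lower() not in PROTOCOLS), "")
        ip, _, port = cells[1].rpartition(":")
        rows.append({"country": cells[0], "ip": ip or cells[1],
                     "port": int(port) if port.isdigit() else None,
                     "domain": domain, "proto": proto})
    return rows


def classify(row: dict) -> str:
    if row["domain"].endswith(NOISE_DOMAIN_SUFFIXES) or (row["ip"] == "8.8.8.8" and row["port"] == 53):
        return "noise"
    if row["proto"] == "tcp" and row["port"] not in WEB_PORTS:
        return "c2_candidate"             # direct TCP to a non-web port, as with 11110/11170
    return "review"                       # e.g. unattributed 443 traffic: attribute before blocking


def triage(text: str) -> dict:
    c2, review, noise = {}, [], 0
    for r in parse_network_rows(text):
        kind = classify(r)
        if kind == "noise":
            noise += 1
        elif kind == "c2_candidate":
            c2.setdefault((r["ip"], r["port"]), r["country"])   # de-duplicate, keep first
        else:
            review.append((r["ip"], r["port"], r["country"]))
    return {"c2_candidates": [(ip, p, cc) for (ip, p), cc in c2.items()],
            "review": review, "noise_rows": noise}


SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| GB | 216.58.201.106:443 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| KR | 218.54.31.226:11110 | tcp | |
| KR | 1.234.83.146:11170 | tcp | |
| KR | 218.54.31.165:11110 | tcp | |
| JP | 133.242.129.155:11110 | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| KR | 218.54.31.226:11110 | tcp | |
"""  # rows copied from the report's tables; the repeated last row exercises de-duplication

if __name__ == "__main__":
    print(triage(SAMPLE_TABLE))
```

The 216.58.201.106:443 connection lands in "review" rather than "c2_candidates" on purpose: the report gives it no domain, and a 443 connection from a Windows 10 image with Edge running is as likely to be platform traffic as beaconing, so it should be attributed before it goes on a blocklist.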
Files
memory/3704-0-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3704-2-0x00000000021D0000-0x0000000002213000-memory.dmp
memory/3704-1-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3704-3-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ujjyt.exe
| MD5 | b4354da8a4809ffd67ec1ebf38cbdb39 |
| SHA1 | 96286e0b0bf78f3d5a4ad480c27f09eda96f63c1 |
| SHA256 | 5c86f9b7f40c740ca16a24c17641865c4c94d84043e2496215040de362dde293 |
| SHA512 | 2c7c0f9e2392597e83e1a3ac33cd32a366d7eae5ae774d0489eb129351e0e92162c776bcd9d874cb418ed8e42545146ca1ce3a66ada31f64db53c7118679de1d |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 07073eb0c2388e49ab3e96a8384064b2 |
| SHA1 | a815cb39d58138068fa01ca42a089260ab4cfebe |
| SHA256 | f348e20e6cf3f8d546de665db01372bdaa874906f6147f18a66f20289e093d02 |
| SHA512 | 418b9d7e5718dbb3d6228c0209ce61122113601d65301ccb378ccede01e27d5f7dc79a3f403035546692abedae97ba440b0f591e866dc278cb64c8259ddde4c8 |
memory/4740-17-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3704-20-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 633205ec749975506223464132d91c15 |
| SHA1 | 65a767479594aedf26b17ab0252bf06f45020cb3 |
| SHA256 | ca36527edbcf227f7d06d1b784ff170bc82363fe534c78e4d9272b7d8104b221 |
| SHA512 | 2a4c72d658e2dc1a859101e1e7be378179a71545b6e839fe9c362cdf6c766eb6459ce6c8ac77406018e77e96cf717dd0c200a09f02bd95bdc59ce4a9f7fe1ed3 |
C:\Users\Admin\AppData\Local\Temp\qyresu.exe
| MD5 | a62f77fc6f5cf3135dc519e60066c226 |
| SHA1 | 164d7f5b6a24584cd3f037fd4eedbe715cd83542 |
| SHA256 | d942689254065f7ac74d6aa94def53c420d97471de059c194539fde5de1d6a63 |
| SHA512 | f0481a3f83e227210633b4ee38714d3c7d5c0470fb71b56de2aa555e2853faf5c335dbd2d38a6c48c263d72a3473c5aa335155845b9ffc3f3ff7abec536ad921 |
memory/4740-29-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1336-30-0x00000000005B0000-0x00000000005F3000-memory.dmp
memory/1336-32-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1336-33-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ufogw.exe
| MD5 | ac8ccfb03cae0dea0480f0ccfe47b16e |
| SHA1 | 1524d516b5a84b8a0b678679d3ed9422288e6810 |
| SHA256 | 22a491ac53fb6aba9864e45ab17a7d0912d84fb10ab5e074f3e325831f58ef0b |
| SHA512 | cb15ff9aa8902fca35c22061304226b21b3b67c6de9d4faa8a90c11b7e9310bd1ef4a00f0c2d5e973096a7c15468597d71ef8a467cbabc9ec992ecdee6ffd8d8 |
memory/916-44-0x0000000000B70000-0x0000000000C10000-memory.dmp
memory/916-46-0x0000000000780000-0x0000000000781000-memory.dmp
memory/1336-47-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 9a8503d17c559b2af93906532bf42f05 |
| SHA1 | d0137f68f47dc67830ee8e448cfa2cb2ecc437d9 |
| SHA256 | 33b63c5cea03524e0139018d8d7861a0ffa6c6b8af874d80e06c7304cad24458 |
| SHA512 | db33775d1a07d3417f9f748ca47dfd13756ccbb6a2fcd7bd13b16343a502eff9f56546aff551d966f9330d3df1e0c5d1be80f5c8af242d0280c2fdd8e08ef723 |
memory/916-50-0x0000000000B70000-0x0000000000C10000-memory.dmp
memory/916-51-0x0000000000B70000-0x0000000000C10000-memory.dmp
memory/916-52-0x0000000000B70000-0x0000000000C10000-memory.dmp
memory/916-53-0x0000000000B70000-0x0000000000C10000-memory.dmp