Analysis Overview
SHA256: 614c3bbd21decd89fa9045ef7960de748ddd0ab3574645441ca014f81e1002d9
Threat Level: Known bad
The file cf389a6edfd132de5bfeb2deb343d5e2 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-03-16 22:22
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-16 22:22
Reported: 2024-03-16 22:25
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 122s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exizj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quneah.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\higov.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exizj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exizj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quneah.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe | "C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe" |
| C:\Users\Admin\AppData\Local\Temp\exizj.exe | "C:\Users\Admin\AppData\Local\Temp\exizj.exe" hi |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
| C:\Users\Admin\AppData\Local\Temp\quneah.exe | "C:\Users\Admin\AppData\Local\Temp\quneah.exe" OK |
| C:\Users\Admin\AppData\Local\Temp\higov.exe | "C:\Users\Admin\AppData\Local\Temp\higov.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2612-2-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2612-23-0x0000000002840000-0x00000000028A8000-memory.dmp
memory/2376-33-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\quneah.exe
| Hash | Value |
|---|---|
| MD5 | e704188fe23337989ae3292c82c8bbfe |
| SHA1 | 635a70acc93d1946f921750eadf9ceb1a21d86cc |
| SHA256 | 481d648b2f1bcadb3dd7fee44a1872369690e15218ad829876fdcdb27716bb59 |
| SHA512 | a832b1a179894444403f7a911f8606507096061d3fe100d32e7accd4b7983942857ecbdb44f5a8b9255cc4466490a97e650285e6a332b2b175ca4be6b65a23ab |
memory/2624-34-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | f0a542051f587925e773aed510551c0a |
| SHA1 | bd0f7fe15646e1bb9b381ce964be431b56c83189 |
| SHA256 | ab4e945db38780543ff3997c5e9e5e2c58e974caf1f8c8e540897208d1991f90 |
| SHA512 | c9109665f93150eb7eebc895c0ad5357500f3c8707cd5d50a9548a732e15bb9efa948570e4f72c80ccf8a0ddb152f8972a7e202ada6faf05c1f877ce8c6dcc26 |
memory/2376-25-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/2612-22-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\exizj.exe
| Hash | Value |
|---|---|
| MD5 | 5a9568a8db95af832bac7903cdab2eea |
| SHA1 | 133e36356ebc3c99808fb6c21ffbfaee52605ecf |
| SHA256 | afb89bfe1d09cae0e9c0c8265aabcd9f05dedd1428730467ef7ee3227efc02eb |
| SHA512 | b0c177b2603b652ee36cfb1824e5c654df5be1ab288bc750ec693528ebdb83756a2714d696f150f0004c118ddfbec4b7f2adc8098ce0ca07536b3620df84e794 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 8597b27c3ba89aac3aec691f8ef9d237 |
| SHA1 | 8ee9089671609eb1d4eaabe1b0786abccbfedf2b |
| SHA256 | 2acfe09400322b1389b8e2c1a6ffe3734aaae6835bd1ac6839956fab25ef3337 |
| SHA512 | a351f0be3182d9a8ebf80676ea9408ba54fff9abcc9f6970f62d4f3d94717a55a35802291cd82d7b0bd513f8e3eb162fe6773a3d65380ed9345d8557f0b95921 |
\Users\Admin\AppData\Local\Temp\higov.exe
| Hash | Value |
|---|---|
| MD5 | fe3af1797945ecdb8528731f06d57fcc |
| SHA1 | 01bbfcd082ecde962e4db36013e068f3465a8f63 |
| SHA256 | 88c665becd36e6dfb4673e9f8fc6389506304ae2e8baab095acecdd71c2a98dd |
| SHA512 | fe171a3d4d704ddae7906e36c330d257cc2081f193f14e39af94886288999ddb87c7eb500ed2afc66e19310867bfc5b4f4218741c8f470d74dc58b37065c8468 |
memory/2624-40-0x0000000003C10000-0x0000000003CB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | dfecc9686f56f40bd7bd79b69f9c43bb |
| SHA1 | 3e94767cb5d7bd7cfc00965fd32041a99fa6822e |
| SHA256 | 038d99a8b5b0141f780250a1a86cd7c969263ebf18dc8539b89f0b6dff6cf2e2 |
| SHA512 | 2b12fb561bc6005424da26dbacff65c1d9ff2de249b4d7255ad35152a63c95cf3571faee0752b90793bb11ef97087aaac5648913bd374f13cdda24a001cfa116 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-03-16 22:22
Reported: 2024-03-16 22:25
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\axrot.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ukfooh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\axrot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ukfooh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\moeqo.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe | "C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe" |
| C:\Users\Admin\AppData\Local\Temp\axrot.exe | "C:\Users\Admin\AppData\Local\Temp\axrot.exe" hi |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
| C:\Users\Admin\AppData\Local\Temp\ukfooh.exe | "C:\Users\Admin\AppData\Local\Temp\ukfooh.exe" OK |
| C:\Users\Admin\AppData\Local\Temp\moeqo.exe | "C:\Users\Admin\AppData\Local\Temp\moeqo.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| PL | 93.184.221.240:80 | | tcp |
Files
memory/224-0-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\axrot.exe
| Hash | Value |
|---|---|
| MD5 | f2dd01151aac9dec5c94e0915854d166 |
| SHA1 | 36df3452129b5c3fd834f307a53930867648f97b |
| SHA256 | 8f89a44e9800457ea0ff0724a17bfe52a0796797f70ea5cbe4188830c9345bb5 |
| SHA512 | ec102f17a6d90832ff3e3f9c1a91255e58f4a9753afcf683b15a5f79404b16d7cec5b28a308f598dba1f9df8f9ab853928b87e394c3f3dbb97715fce729d98ad |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 153b993f7150d69b54d15d6e043f5ab2 |
| SHA1 | b46e2c96c8af461bb4bd9613bd5c91aff7c60285 |
| SHA256 | f12543d9c55ccd4a62246dfb9fa5537b117d5c509cd199d505498ea0950bf7c0 |
| SHA512 | 014f5db1efb4254053e6657d4462f7eaa586ec47e17c68d6c6c5b2f37fa265bd20a4e19924bc96c3f1c6a5bfd5bf104920b45d043fa258a35d7a01591bcd6cbe |
memory/1756-10-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/224-16-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | f0a542051f587925e773aed510551c0a |
| SHA1 | bd0f7fe15646e1bb9b381ce964be431b56c83189 |
| SHA256 | ab4e945db38780543ff3997c5e9e5e2c58e974caf1f8c8e540897208d1991f90 |
| SHA512 | c9109665f93150eb7eebc895c0ad5357500f3c8707cd5d50a9548a732e15bb9efa948570e4f72c80ccf8a0ddb152f8972a7e202ada6faf05c1f877ce8c6dcc26 |
C:\Users\Admin\AppData\Local\Temp\ukfooh.exe
| Hash | Value |
|---|---|
| MD5 | e77d27b9eae260ff545524c162422c90 |
| SHA1 | 63d310c0ae42e1972e8037fa29834aa26d49b6da |
| SHA256 | b8feb420b237fb0fdde21edc85bf6331fccad5b74c361f635e1a939a85c90106 |
| SHA512 | 471fd5b23c562e271d03a2f6a3f005bd0025a4c402ab7e674c20fdbd478043a3dfc314c5c809e496b78916b2fea3f595c42d7dee955328a4502fd83731491e2b |
memory/1532-26-0x0000000000400000-0x00000000004679C5-memory.dmp
memory/1756-25-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\moeqo.exe
| Hash | Value |
|---|---|
| MD5 | 0596b7e46278d25cfd1c98793f258fc1 |
| SHA1 | 6d92961907b41ad0354e1fd1ade0f3433d5a5e11 |
| SHA256 | 927ec232b92f27231c62cb865334a2aed934c67cfba606e3e6c66fce229d4c7f |
| SHA512 | 277af5f06be1743ce23734a95cdf760e50aade670be6778400c1f35231f69deff5dd984582ec737b147c4b72faebb5c39be276b29844ae6cb415753df0701f7d |
memory/1388-37-0x0000000000F40000-0x0000000000FE0000-memory.dmp
memory/1388-39-0x0000000000150000-0x0000000000151000-memory.dmp
memory/1532-40-0x0000000000400000-0x00000000004679C5-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | 5a29d1f10053285c2d1f60faae33dfe2 |
| SHA1 | 6baab06febca88249ee6e9a8a5e644961dd5b834 |
| SHA256 | 59971e8d793ae473e572e6cf6cbd1d39594bbb28c18ac6ea4e452bdf243e3f4f |
| SHA512 | 5d7cbbcb9da7d02a84a4afd67bf0a93410e94aa50d7fde96478aacb4bdad9085ff3ec7435777e090ce4a399d8c9dccbd9e97c4d64eb7c47b6f5075924ec62998 |