Analysis Overview
SHA256
b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa
Threat Level: Known bad
The file b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-16 23:28
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-16 23:28
Reported
2024-03-16 23:30
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vebaz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\acziv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vebaz.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe
"C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe"
C:\Users\Admin\AppData\Local\Temp\vebaz.exe
"C:\Users\Admin\AppData\Local\Temp\vebaz.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\acziv.exe
"C:\Users\Admin\AppData\Local\Temp\acziv.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11120 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
| JP | 133.242.129.155:11120 | | tcp |
Files
memory/2908-0-0x0000000000400000-0x000000000047E000-memory.dmp
\Users\Admin\AppData\Local\Temp\vebaz.exe
| MD5 | 3d58b9d6a4ffd41235c5fc8d5f98abd1 |
| SHA1 | 189038a5c58218d1ca3309f0d70c4f8a5df44851 |
| SHA256 | e801ced563ac2a074a14dc2480ef30b4b030a13446de22a4653d8b564c8420ca |
| SHA512 | 50e19884aaafd69b620cc7815872fbfef014de491895489424020b4df61a318619c0e8382e773b031e3123022c59611d43aa7e17ff2eeac4ef67cd0f55aa072c |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1c505d0bca466dac41c60aaffcc4998a |
| SHA1 | 4e38ad56df8f28c47eb7ea8fc2bf5014a80d669a |
| SHA256 | 118208fb8df7fda363c09ec165ec6e3bcc33e1f15eaa05a5221d8b8b98b32ce2 |
| SHA512 | c2da05ccc4a3fc4f536705f29d0b733bd5f9d0268d919ca285c2ba1e04165a06e8403f2f3633b7b8b98fc56ecfd6435e3eefdf6afe75d42c627b612cb85ff522 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 282c7b52c77debc45eb5e421090b3ca4 |
| SHA1 | 5f5c73a9760436f773f5adafaf59bb374b10764a |
| SHA256 | 399eb00b2ad200275d3b9aa266ff9d2a5425e01af946210ced14f2981b31a8ab |
| SHA512 | a24fa5450ab47bb6290655e51a28d3f97e149dbbca2b8bc94f14fd3badf6321dbfbee2c75acdcc8d40ed4cd481fc1dd3383bc5758677ae112578422cd6126eb8 |
\Users\Admin\AppData\Local\Temp\acziv.exe
| MD5 | 6735778949012ce94581ba1e2ef15ca2 |
| SHA1 | c584d34d2860f269df26c40dbb178781bf2fcbaf |
| SHA256 | e783545b45189b5e2b74fec73984f4a6c7ab6c2eb682ac41734a2bc1cc11746a |
| SHA512 | a5da9ff86035140b4f31be39208408b06d4e59817ccd1fca87ea6245da846a08fcfa636227a386be3a821afe764aa7d9c4beee93c4baef5c14a94d7236ff80ef |
memory/1304-24-0x0000000002E70000-0x0000000002F24000-memory.dmp
memory/1852-26-0x0000000000E00000-0x0000000000EB4000-memory.dmp
memory/1852-28-0x0000000000E00000-0x0000000000EB4000-memory.dmp
memory/1852-29-0x0000000000E00000-0x0000000000EB4000-memory.dmp
memory/1852-30-0x0000000000E00000-0x0000000000EB4000-memory.dmp
memory/1852-31-0x0000000000E00000-0x0000000000EB4000-memory.dmp
memory/1852-32-0x0000000000E00000-0x0000000000EB4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-16 23:28
Reported
2024-03-16 23:30
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sykur.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sykur.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exajr.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe
"C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe"
C:\Users\Admin\AppData\Local\Temp\sykur.exe
"C:\Users\Admin\AppData\Local\Temp\sykur.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\exajr.exe
"C:\Users\Admin\AppData\Local\Temp\exajr.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11120 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| KR | 218.54.30.235:11120 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| JP | 133.242.129.155:11120 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/4784-0-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sykur.exe
| MD5 | 5ec262871a9ac32cd663e562238dbe2f |
| SHA1 | d99987dbdf7dedb3915abe6f3bd2b76b082d8f37 |
| SHA256 | e00406cfd02f341a912931d54cfae968d1086820b06fa1ca5e1c9c371b14c721 |
| SHA512 | 263ca922d4eae31341e3e18052cb5f64a14e34afbf2d2d3353b193f00ddfa56cdea2260b0afcfc15def2648d930e055113c8733a14f6858de825e61dc87da456 |
memory/2140-13-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1c505d0bca466dac41c60aaffcc4998a |
| SHA1 | 4e38ad56df8f28c47eb7ea8fc2bf5014a80d669a |
| SHA256 | 118208fb8df7fda363c09ec165ec6e3bcc33e1f15eaa05a5221d8b8b98b32ce2 |
| SHA512 | c2da05ccc4a3fc4f536705f29d0b733bd5f9d0268d919ca285c2ba1e04165a06e8403f2f3633b7b8b98fc56ecfd6435e3eefdf6afe75d42c627b612cb85ff522 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 070d3d90270ce5a3bc8f330c1f083ce5 |
| SHA1 | 75ce0382285c21923f718c2cfeeeb1b8be8af833 |
| SHA256 | 4197336ef812f77916546e8c4aed777a17db94097926e7d40cffab12e63be025 |
| SHA512 | 1f2191f13a6e0c8e7dd94c075a3da4cebe3a20714d6f666bf4e9121722f6ba50c8e15c0951bab8c0dae08474d8475a38223679d4d7374cb49f5b9e29d45e22d3 |
C:\Users\Admin\AppData\Local\Temp\exajr.exe
| MD5 | f2d93f3789e69294fd9adcfb409d7db9 |
| SHA1 | e9b777b8868512d41f816821d767f68ccb9ff195 |
| SHA256 | b213c0eead4ff41f70be5ada1ebc3890694af49abe296d0ee56de7ce849b1bd2 |
| SHA512 | 40fe52d0fbcfcdbff9f4d7c7ec167eaa6f2db2258e920818dd8849f937a1e88e695672e92665e89114e2783b162c111a5ef7f0ce141c17b14d82738b8a568e72 |
memory/4232-24-0x00000000004B0000-0x0000000000564000-memory.dmp
memory/4232-25-0x00000000004B0000-0x0000000000564000-memory.dmp
memory/4232-27-0x00000000004B0000-0x0000000000564000-memory.dmp
memory/4232-28-0x00000000004B0000-0x0000000000564000-memory.dmp
memory/4232-29-0x00000000004B0000-0x0000000000564000-memory.dmp
memory/4232-30-0x00000000004B0000-0x0000000000564000-memory.dmp