Analysis Overview
SHA256
a4ba88a728adc6608e0589a1b1f473e1c3b841d7b3b074735e89de4896c56d9c
Threat Level: Known bad
The file cfd5c1aa6724937811319258b8ef1acf was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-17 03:40
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-17 03:40
Reported
2024-03-17 03:43
Platform
win7-20240221-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ygleg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duloxo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\simyc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ygleg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duloxo.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe
"C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe"
C:\Users\Admin\AppData\Local\Temp\ygleg.exe
"C:\Users\Admin\AppData\Local\Temp\ygleg.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\duloxo.exe
"C:\Users\Admin\AppData\Local\Temp\duloxo.exe" OK
C:\Users\Admin\AppData\Local\Temp\simyc.exe
"C:\Users\Admin\AppData\Local\Temp\simyc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2004-0-0x0000000000400000-0x000000000046E000-memory.dmp
\Users\Admin\AppData\Local\Temp\ygleg.exe
| MD5 | 9ac5c56008564d493791fd16f533ced3 |
| SHA1 | 15f136d84ad7d84d885724da029aee91181387e8 |
| SHA256 | f4436b9f15c3131a3a791d5fe45c127a3cd52dee67b470cbe08e53e8e2cb5fc5 |
| SHA512 | fd1177c8f136005baea1a6bc65076aec126deb1d4d48ffa0dccbbb67eee255f2839b661613da3f0549b51c3ba5523a37bee37946bb7186c0a9a17a56c430dbc8 |
memory/2004-6-0x0000000002BC0000-0x0000000002C2E000-memory.dmp
memory/2004-16-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 65fd3a13a52c711374fd6ddd251f4568 |
| SHA1 | 5e03bab03cd1243d2381f725b1b70b505d88b236 |
| SHA256 | 3caab30d0f3b69820e0cfdf003a77831da6e053417d8ecb744a4b097122ef4b0 |
| SHA512 | 5858224a2f573c9bf6034be522b21500bcae5066b6d56a0d4709095ef500ec1e9224b46633bb23dbee58ae4abc715d8fda698657fe9d5adbd01459b063623bae |
memory/2088-19-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 3598d114d7086fd1cc2bfb5853f9d900 |
| SHA1 | 170bd1f4831aca145318380536f73141d1549edd |
| SHA256 | ccd56ffaeedeef855550b6f10efeacb133452f36475d0f108b5b0e3592b03815 |
| SHA512 | 2a49d76d3ee4994e5099fdbd1f2e08be3fba8f548c01f72637f4bd02924c1615110d9f6521a8501cb41259e9002c6114a4bd0002bf5ad26ed484f34e92182aef |
C:\Users\Admin\AppData\Local\Temp\duloxo.exe
| MD5 | f9bad2a336f0fdfbb02390e6329e5425 |
| SHA1 | 145558c3254d4ac773b43dcb77e657a5497935dc |
| SHA256 | 86c5bf0c174c305036f7aeb4cbed7ca79ce3bb8032c71dcc4aaa79a76d6a6ae2 |
| SHA512 | cf16e147af3655f5731c76dcc1edafdce5e29bde49e1e8532f33e0f8d3790064a308519a3b2d4bc421ad3a2fbd493f7c9c18d82803270908e75a713c65ac9077 |
memory/2088-28-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2540-29-0x0000000000400000-0x000000000046E000-memory.dmp
\Users\Admin\AppData\Local\Temp\simyc.exe
| MD5 | 2a84363eb633d17990f7bf2169aa5c54 |
| SHA1 | d4e509b6c002e934a3520ce538d277610649b380 |
| SHA256 | ff92e3e5bb7d3d2205ca1aada8774146c2d8abd88b95288612d7eade2b93cda2 |
| SHA512 | fb5e79113cc9e635ae884f93e2337bfb362163ce2fb7dc22f6798f1660f992c7f106f9a3b7b0df8e8abbfadc33dcd5f9a2e4530b5931a282b0e1b8e53174c551 |
memory/2540-35-0x0000000003D80000-0x0000000003E20000-memory.dmp
memory/356-46-0x0000000000AE0000-0x0000000000B80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 5583b82a3be6ed8b547e222bfceec3f1 |
| SHA1 | 05c3bfa771aae75842fc5a0327a69246f2775dfa |
| SHA256 | 986fa65fc9595c06ed90e9403fcdfd085df8c9598d78fd8156fdb2d40737fd03 |
| SHA512 | e140a14aa6f25e34b683c1e8b3b74d6e442766a8c445df7e923f46fdf18a5586447a828a9c330e5f007f28a84e4a8d96889219adb0769346ea65a821c5a5fead |
memory/356-47-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2540-44-0x0000000000400000-0x000000000046E000-memory.dmp
memory/356-51-0x0000000000AE0000-0x0000000000B80000-memory.dmp
memory/356-52-0x0000000000AE0000-0x0000000000B80000-memory.dmp
memory/356-53-0x0000000000AE0000-0x0000000000B80000-memory.dmp
memory/356-54-0x0000000000AE0000-0x0000000000B80000-memory.dmp
memory/356-55-0x0000000000AE0000-0x0000000000B80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-17 03:40
Reported
2024-03-17 03:43
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dyhoc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bymufi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dyhoc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bymufi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vusys.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe
"C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe"
C:\Users\Admin\AppData\Local\Temp\dyhoc.exe
"C:\Users\Admin\AppData\Local\Temp\dyhoc.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\bymufi.exe
"C:\Users\Admin\AppData\Local\Temp\bymufi.exe" OK
C:\Users\Admin\AppData\Local\Temp\vusys.exe
"C:\Users\Admin\AppData\Local\Temp\vusys.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
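Both detonations show the same chain: the Temp-resident sample launches a second Temp executable with a single "hi" argument, that one launches a third with "OK", and cmd.exe is handed a `_vslite.bat` from Temp (the "Deletes itself" signature on Win7). The Python below is an added detection example, not part of the sandbox report or of any vendor tooling: it runs over process-creation records in a Sysmon/4688-like shape (field names assumed), matches the Temp-to-Temp staging and the batch self-delete in both the bare `cmd /c` form seen on win7 and the full-path `C:\Windows\system32\cmd.exe /c` form seen on win10, and rolls the hits up to the dropper at the top of the tree. The sample events are constructed; their PIDs and parent links are assumptions, not data from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Path and command-line patterns taken from the report: payloads dropped into the
# user's %LOCALAPPDATA%\Temp, launched with a lone "hi"/"OK" argument, and a
# cmd.exe /c "<Temp>\_vslite.bat" self-delete. Everything else here is assumed.
TEMP_EXE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
VSLITE_RE = re.compile(r'/c\s+""?([A-Za-z]:\\[^"]*?_vslite\.bat)"', re.IGNORECASE)
STAGE_ARGS = {"hi", "OK"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / 4688 style); field names are assumed."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def args_of(cmdline: str) -> list[str]:
    """Return the argument tokens that follow the (possibly quoted) image path."""
    m = re.match(r'^"[^"]*"\s*(.*)$', cmdline)
    if m:
        return m.group(1).split()
    parts = cmdline.split(None, 1)
    return parts[1].split() if len(parts) > 1 else []


def detect_urelas_chain(events):
    """Return (kind, parent_pid, child_pid, detail) for each suspicious parent/child pair."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        base = e.image.rsplit("\\", 1)[-1].lower()
        if base == "cmd.exe":
            # Self-delete: a Temp-resident executable hands a _vslite.bat to cmd.exe.
            m = VSLITE_RE.search(e.cmdline)
            if m and TEMP_EXE_RE.match(parent.image):
                findings.append(("self_delete_batch", parent.pid, e.pid, m.group(1)))
        elif TEMP_EXE_RE.match(e.image) and TEMP_EXE_RE.match(parent.image):
            # Staging: a Temp executable launches another Temp executable with the "hi"/"OK" marker.
            args = args_of(e.cmdline)
            if len(args) == 1 and args[0] in STAGE_ARGS:
                findings.append(("temp_exe_stage", parent.pid, e.pid, args[0]))
    return findings


def dropper_of(pid, by_pid):
    """Walk up to the top-most Temp-resident executable in the ancestry (the original dropper)."""
    while pid in by_pid:
        parent = by_pid.get(by_pid[pid].ppid)
        if parent is None or not TEMP_EXE_RE.match(parent.image):
            break
        pid = parent.pid
    return pid


def urelas_verdict(events):
    """PIDs of droppers whose process tree shows both staging and batch self-deletion."""
    by_pid = {e.pid: e for e in events}
    per_tree = defaultdict(set)
    for kind, parent_pid, _child, _detail in detect_urelas_chain(events):
        per_tree[dropper_of(parent_pid, by_pid)].add(kind)
    return sorted(r for r, kinds in per_tree.items() if {"temp_exe_stage", "self_delete_batch"} <= kinds)


# Constructed events modelled on the win7 run; PIDs and parent links are assumed, not taken from the report.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2004, 1234, T + r"\cfd5c1aa6724937811319258b8ef1acf.exe", f'"{T}\\cfd5c1aa6724937811319258b8ef1acf.exe"'),
    ProcEvent(2088, 2004, T + r"\ygleg.exe", f'"{T}\\ygleg.exe" hi'),
    ProcEvent(2100, 2004, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c ""{T}\\_vslite.bat" "'),
    ProcEvent(2540, 2088, T + r"\duloxo.exe", f'"{T}\\duloxo.exe" OK'),
    ProcEvent(356, 2540, T + r"\simyc.exe", f'"{T}\\simyc.exe"'),
    ProcEvent(400, 2540, r"C:\Windows\SysWOW64\cmd.exe", f'C:\\Windows\\system32\\cmd.exe /c ""{T}\\_vslite.bat" "'),
    # Benign noise: a "hi" argument outside Temp must not fire.
    ProcEvent(3000, 1234, r"C:\Windows\System32\notepad.exe", '"C:\\Windows\\System32\\notepad.exe" hi'),
]

if __name__ == "__main__":
    for finding in detect_urelas_chain(SAMPLE_EVENTS):
        print(finding)
    print("urelas-like droppers:", urelas_verdict(SAMPLE_EVENTS))
```

The verdict deliberately requires both behaviours in one tree: a lone Temp executable spawning another with an odd argument is common in installers, and a lone `cmd /c <batch>` self-delete is used by plenty of updaters; it is the combination rooted at an unsigned Temp dropper that matches this report.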
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 96.17.178.176:80 | | tcp |
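The win10 table mixes the sample's own traffic with what a stock Windows 10 image does by itself (Bing tile fetches, PTR lookups for Microsoft address space); the win7 run, which has none of that noise, shows only the four TCP connections to ports 11110 and 11170 with no domain, i.e. addresses hard-coded in the sample. The Python below is an added triage example, not part of the sandbox report or of any vendor tooling: it parses rows in the report's own column order, separates baseline OS traffic from direct-to-IP connections on non-standard ports, and emits one Snort rule per candidate. The flow records are constructed from the table above; the baseline suffix list and the sid range are assumptions to replace with your own golden-image capture and rule numbering.

```python
import ipaddress
from collections import Counter

# Constructed flow records in the report's column order (country, destination, domain, proto);
# the empty domain on the port-11110/11170 rows is exactly what the report shows.
SAMPLE_FLOWS = [
    ("US", "8.8.8.8:53", "140.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.200:443", "g.bing.com", "tcp"),
    ("KR", "218.54.31.226:11110", "", "tcp"),
    ("KR", "1.234.83.146:11170", "", "tcp"),
    ("KR", "218.54.31.165:11110", "", "tcp"),
    ("JP", "133.242.129.155:11110", "", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("GB", "96.17.178.176:80", "", "tcp"),
]

# Assumed baseline: names a clean Windows 10 image resolves on its own; extend from your own capture.
BASELINE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
WELL_KNOWN_PORTS = {53, 80, 443}


def parse_destination(dest: str):
    """Split 'ip:port' into (ip_address, int port)."""
    host, _, port = dest.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def classify(flow) -> str:
    _country, dest, domain, proto = flow
    ip, port = parse_destination(dest)
    if domain and domain.lower().endswith(BASELINE_SUFFIXES):
        return "os_baseline"
    if proto == "udp" and port == 53:
        return "dns_other"
    if ip.is_private:
        return "internal"
    if not domain and proto == "tcp" and port not in WELL_KNOWN_PORTS:
        # No name was resolved and the port is non-standard: the address is hard-coded in the sample.
        return "c2_candidate"
    if not domain:
        # Direct-to-IP on 80/443 is common for CDNs; keep it visible but do not auto-block.
        return "direct_ip_well_known_port"
    return "other"


def c2_candidates(flows):
    """Ordered, de-duplicated (ip, port) pairs classified as hard-coded C2."""
    out = []
    for f in flows:
        if classify(f) == "c2_candidate":
            ip, port = parse_destination(f[1])
            if (str(ip), port) not in out:
                out.append((str(ip), port))
    return out


def port_profile(flows) -> Counter:
    """How many candidate endpoints sit on each port (a stable pivot even when IPs rotate)."""
    return Counter(port for _ip, port in c2_candidates(flows))


def snort_rules(flows, sid_base=9000001):
    """One IP:port rule per candidate; the sid range is an assumption for local use."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Urelas C2 candidate {ip}:{port}"; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2_candidates(flows))
    ]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{classify(f):26} {f[1]:24} {f[2]}")
    print(port_profile(SAMPLE_FLOWS))
    print("\n".join(snort_rules(SAMPLE_FLOWS)))
```

The port pivot matters more than the four addresses: the two Korean and one Japanese hosts may change between samples, while a family that hard-codes TCP/11110 and TCP/11170 tends to keep doing so, so a rule on destination port with no preceding DNS answer catches the next variant as well.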
Files
memory/4432-0-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dyhoc.exe
| MD5 | 77f3992aac81e83a052927f680561bcd |
| SHA1 | f859715e1b2d60c543f5c8991cf59656e39bd4a6 |
| SHA256 | b4e1a3c93a9f733de1cec1327801c104ddddc63068cf15f33e18f1542f11a26a |
| SHA512 | efd7955b2ea3ed8dfc63abfdbda739abe648d9b9e4da7843be80381a83daceed40ed61ff7c35650027c28edfe129eca766c9544234c96483d3f68efd3015f0dc |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 403ea4c0dea8f0f87aa3eac611ec8d20 |
| SHA1 | 1a8cc056435375d9f27c35ea1fd281ec182b91b8 |
| SHA256 | 51d09f8d7a9a38670010c3e8d04368d5609cfc5748ba7bdb24f76494e16623d3 |
| SHA512 | e915737f25945ec9822d628ea7e739c8dbc3a3fbae7d0af4e13cda7e6fac64dbec840cd67d1eb0bca69a6502d51db09aeee06902b5731cd92cb5b25edd4aafc0 |
memory/4432-15-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bymufi.exe
| MD5 | b0c5c080cb839794f2a2c4e61bdf243a |
| SHA1 | 55f2008372bd3243a6e67d86f5a18da7565269f6 |
| SHA256 | dc7d4c9288f1c981e89b5a384ab620f867f0e688f44e499dab6ffd96c5bb3af2 |
| SHA512 | 640b0e61842934e40956134fdcc74e93adc0c2d833043ed3de5e2ddafb98718bf8b39ac091f8113afda72f29f04681356da9c2bdf2a8ca5bf9081b29fe49c510 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 65fd3a13a52c711374fd6ddd251f4568 |
| SHA1 | 5e03bab03cd1243d2381f725b1b70b505d88b236 |
| SHA256 | 3caab30d0f3b69820e0cfdf003a77831da6e053417d8ecb744a4b097122ef4b0 |
| SHA512 | 5858224a2f573c9bf6034be522b21500bcae5066b6d56a0d4709095ef500ec1e9224b46633bb23dbee58ae4abc715d8fda698657fe9d5adbd01459b063623bae |
memory/3172-24-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3476-25-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vusys.exe
| MD5 | a494863f04468eb9176edbc6cde9c68c |
| SHA1 | 84fd029b8bab7331f3c351927541a5cc029052a1 |
| SHA256 | f4a78c60627b58bb61dc7eb772666f8c3e74c3e1f8c2c7a912467b5f891e0492 |
| SHA512 | 667f93c7f237c5a685ddd0ef570e5e9dadb86267fc2ee19a0b3f077e4b177320599f6520d7d8e0d8ee2609acaaaa88d64085f2a94d13c386c2db219d095e8746 |
memory/456-37-0x0000000000540000-0x00000000005E0000-memory.dmp
memory/456-38-0x00000000004D0000-0x00000000004D1000-memory.dmp
memory/3172-39-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 1ecfb1f41115c25e5379f6d19b5f93eb |
| SHA1 | ea02f15a6821c55e490b0e319eec608d36831648 |
| SHA256 | aebc6e271d131987c9cf9429352ce390e3a500813ca8b734bc1feb3ffc657fc0 |
| SHA512 | 8b1cd7b56df2fe7d6c18f0f070071c07e3849bad4308ee08040b9d327edda0d9f9efecc9cba25f77e10e135a649d125e9d9ec5318754cd9e119c6c67ada532ba |
memory/456-42-0x0000000000540000-0x00000000005E0000-memory.dmp
memory/456-43-0x0000000000540000-0x00000000005E0000-memory.dmp
memory/456-44-0x0000000000540000-0x00000000005E0000-memory.dmp
memory/456-45-0x0000000000540000-0x00000000005E0000-memory.dmp
memory/456-46-0x0000000000540000-0x00000000005E0000-memory.dmp