Analysis Overview
SHA256
f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688
Threat Level: Known bad
The file f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688 was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Checks computer location settings
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-16 05:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 05:27
Reported
2024-05-16 05:30
Platform
win7-20240419-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fujum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pojuv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fujum.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe
"C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe"
C:\Users\Admin\AppData\Local\Temp\fujum.exe
"C:\Users\Admin\AppData\Local\Temp\fujum.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\pojuv.exe
"C:\Users\Admin\AppData\Local\Temp\pojuv.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2188-1-0x0000000000020000-0x0000000000022000-memory.dmp
memory/2188-0-0x0000000000400000-0x0000000000468000-memory.dmp
\Users\Admin\AppData\Local\Temp\fujum.exe
| MD5 | 4771ff8555ccffe148aac82ae76d00ea |
| SHA1 | e9e99f5965d8ff8faf6c938e6d8f19339b6aef7f |
| SHA256 | feb48e4d4a087c48d57432a78dbe95a5069092ef455cb73581843e0944e74e07 |
| SHA512 | edcb6e68c06fa803e9300feb37e2942531becc0831396fe058bddaaaab5344ad88a4bcff107abcb5dcc3ac82d5e379cc9bacf2abe1ffb78641e9d210f4656f1e |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 2dd4c59f8cf29c07a29920d74d85222a |
| SHA1 | 2ddf9f8dd6ec640960265884ca9876d34f7af925 |
| SHA256 | 729cb2e8d2580599ab02345b6f6a9c78507356bb0ec1fbf5a15b81e0d533a7cc |
| SHA512 | 918e7d0cd049bd025ff662d9b061b7f8e416b790de09d783af9b6f9f3f0cfd94e57ea790ea0329d152b3ae97566b87d4b498c845398c4d48446c26d24e3e399e |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 88e9fa0c1f043a07b7d474bea2b70e8e |
| SHA1 | 022015e39fd85876024f6c80355bf9948455196c |
| SHA256 | 0a96653ceb619e7c50876af9c8917e3f87ee8597e1dcd63c9159db14cd89780b |
| SHA512 | d3baf163ccfd1f53a3bd417118951f44f0948ae0a3c8061d11e24b0c25342ab7e430a16ca9a422a980ac0c14782ab4152eb4bb14fe428915d386abf32acd9bd0 |
memory/3004-27-0x0000000000400000-0x0000000000468000-memory.dmp
\Users\Admin\AppData\Local\Temp\pojuv.exe
| MD5 | f8e100d8516a1f6c76d3de7a45fafc5a |
| SHA1 | f6dbaf5e8600ec467f3011d85292c6c3378d8673 |
| SHA256 | 75ea14fd95dd65b74b838ea0b0920acd8500f1d459d7ad37bc07d93d9980e3a5 |
| SHA512 | 0df52df44fe07623fc76a08ffaec889305656d82c2e502f33867aa8d9ed4f886fcd9e1322d3ccec37eb11a2d1a07e506ba701f3b819de094df0f534deef84b03 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 05:27
Reported
2024-05-16 05:30
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mofua.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mofua.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cakow.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe
"C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe"
C:\Users\Admin\AppData\Local\Temp\mofua.exe
"C:\Users\Admin\AppData\Local\Temp\mofua.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\cakow.exe
"C:\Users\Admin\AppData\Local\Temp\cakow.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4420-1-0x00000000001D0000-0x00000000001D2000-memory.dmp
memory/4420-0-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mofua.exe
| MD5 | dffb5d29b31620ca517a0b5c55b125e5 |
| SHA1 | 0e84da6ecb68b0a0906542dc70d2cb4b2e22f3db |
| SHA256 | 5338702a1a0098d9f038a77f112d742d5582f039769369b95a9d12b129430495 |
| SHA512 | 300b46a879f5ab9806318ae9d3bfb39b7ba1170428474498d806515d1dc818e41ec629ae1867299835c0e7be0edcec3644a489c9eb378ad780407af6e798ad46 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 2dd4c59f8cf29c07a29920d74d85222a |
| SHA1 | 2ddf9f8dd6ec640960265884ca9876d34f7af925 |
| SHA256 | 729cb2e8d2580599ab02345b6f6a9c78507356bb0ec1fbf5a15b81e0d533a7cc |
| SHA512 | 918e7d0cd049bd025ff662d9b061b7f8e416b790de09d783af9b6f9f3f0cfd94e57ea790ea0329d152b3ae97566b87d4b498c845398c4d48446c26d24e3e399e |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 5baedff35430945085580c3c2899d042 |
| SHA1 | 02884acc4385d474f6b3b281ef5d15ba9ebfcf22 |
| SHA256 | 28112cfbf7d54344dd2724c62c2aeac7ca8566f6294c57872f13b29d4bb8fdda |
| SHA512 | 15e1b8b59bccde3ed709ff4db790c9ca54fd460d57e3e4c27cc2ca0e62c2fc5a7ec0a78d588a1f4915d33c6001dd112b9791228fbf2eddebce9952a3befb275c |
memory/1816-20-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cakow.exe
| MD5 | 56a3778286809160ebba2b7ed8544e2b |
| SHA1 | 214ee556b63c1bf8e09d3f9a4092462f00ae7bc1 |
| SHA256 | 313a5dcdcd49630549be47db90998e812cb4b64f6109590149c7a7e3c5b0abb9 |
| SHA512 | d7481bfa4c59206ace94e8c1598ee0c2f8a5517a9d41e52bf1b9b9f6426b6566e4a9bc35b6c115278575b0a6b36d11ac77081c02359a90deb967cd753a61bddf |