Analysis Overview
SHA256
8718c0f1b157df2752a6062e070b0a51fabb42d6e1c2e6bc1fea01904d6970c7
Threat Level: Known bad
The file 0be85afca6aaa8cdaae0f26a4a2fc380N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
UPX packed file
Checks computer location settings
Deletes itself
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 22:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
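The static1 analysis raises "Unsigned PE" here and "UPX packed file" in the summary above, both of which can be confirmed from the PE headers alone. The following is an added example, not code from the report or from the sandbox vendor: a dependency-free PE header parser that checks the section table for UPX section names, for the packer layout that survives section renaming (a section with no bytes on disk but a large virtual size), and for an empty Authenticode certificate table. The input it parses is a constructed, header-only PE32 built by build_sample_pe, not the sample on this page; 32-bit is assumed because the page's processes run under SysWOW64, and the 0xAEC000 virtual size given to the constructed UPX0 section is simply the span of the main image mapping in the memory dumps (0x400000 to 0xEEC000).

```python
import struct

# Pure-Python PE header triage for two static signatures on this report:
# "UPX packed file" and "Unsigned PE". No pefile dependency, so it runs anywhere.

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table (file offset, size)


def parse_pe(data: bytes) -> dict:
    """Parse the DOS/COFF/optional headers and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional header + 96
        dd = opt + 96
    elif magic == 0x20B:    # PE32+: data directories start at optional header + 112
        dd = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, dd - 4)[0]          # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(n_dirs)]
    sections = []
    sec_table = opt + opt_size
    for i in range(nsections):
        off = sec_table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "magic": magic, "dirs": dirs, "sections": sections}


def triage(data: bytes) -> list:
    """Return the static findings a 'static1'-style pass would raise for this image."""
    pe = parse_pe(data)
    findings = []
    if any(s["name"].startswith("UPX") for s in pe["sections"]):
        findings.append("UPX packed file")
    # Renamed UPX sections still leave the tell-tale layout: a section with no
    # bytes on disk but a large virtual size, into which the stub unpacks.
    if any(s["rawsize"] == 0 and s["vsize"] >= 0x10000 for s in pe["sections"]):
        findings.append("empty-on-disk section with large virtual size (packer layout)")
    cert_off, cert_size = (pe["dirs"][IMAGE_DIRECTORY_ENTRY_SECURITY]
                           if len(pe["dirs"]) > IMAGE_DIRECTORY_ENTRY_SECURITY else (0, 0))
    # An empty certificate table means no Authenticode signature at all. A non-empty
    # one only means one is present; validating it needs WinVerifyTrust or osslsigncode.
    if cert_size == 0:
        findings.append("Unsigned PE")
    return findings


def build_sample_pe(section_names, signed: bool) -> bytes:
    """Construct a minimal, header-only PE32 for testing (constructed data, not the sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: i386, n sections, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x2000, 0x800)   # assumed offset/size
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    secs = b""
    for i, name in enumerate(section_names):
        # UPX0 normally has no raw data: it is the region the stub unpacks into.
        # 0xAEC000 is the span of the main image mapping in this report (0x400000-0xEEC000).
        vsize, rawsize = (0xAEC000, 0) if name == "UPX0" else (0x1000, 0x1000)
        secs += name.encode().ljust(8, b"\0")
        secs += struct.pack("<IIII", vsize, 0x1000 * (i + 1), rawsize, 0x400 * (i + 1))
        secs += b"\0" * 16   # relocs, linenumbers, counts, characteristics (unused here)
    return dos + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    for names, signed in ((["UPX0", "UPX1", ".rsrc"], False), ([".text", ".data", ".rsrc"], True)):
        print(names, "signed" if signed else "unsigned", "->", triage(build_sample_pe(names, signed)))
```

Run it against a real file with triage(open(path, "rb").read()). The "Unsigned PE" check is only a presence test; a present certificate table still has to be validated before it is treated as trust.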
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 22:18
Reported
2024-07-27 22:26
Platform
win7-20240704-en
Max time kernel
116s
Max time network
82s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mosuv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\civog.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mosuv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mosuv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mosuv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\civog.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mosuv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\civog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\civog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\civog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\civog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\civog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\civog.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe
"C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe"
C:\Users\Admin\AppData\Local\Temp\mosuv.exe
"C:\Users\Admin\AppData\Local\Temp\mosuv.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\qienpi.exe
"C:\Users\Admin\AppData\Local\Temp\qienpi.exe" OK
C:\Users\Admin\AppData\Local\Temp\civog.exe
"C:\Users\Admin\AppData\Local\Temp\civog.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1772-0-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1772-37-0x0000000000526000-0x000000000087A000-memory.dmp
memory/1772-35-0x0000000000290000-0x0000000000291000-memory.dmp
memory/1772-33-0x0000000000290000-0x0000000000291000-memory.dmp
memory/1772-41-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1772-30-0x0000000000280000-0x0000000000281000-memory.dmp
memory/1772-28-0x0000000000280000-0x0000000000281000-memory.dmp
memory/1772-25-0x0000000000270000-0x0000000000271000-memory.dmp
memory/1772-23-0x0000000000270000-0x0000000000271000-memory.dmp
memory/1772-20-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1772-18-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1772-15-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1772-13-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1772-11-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1772-10-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1772-8-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1772-6-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1772-5-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1772-3-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1772-1-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1772-43-0x0000000000400000-0x0000000000EEC000-memory.dmp
\Users\Admin\AppData\Local\Temp\mosuv.exe
| MD5 | b9048a18f5934eb7ad9fcf4bc3846ad3 |
| SHA1 | 9a7f7a4d10ef957dbdc638a3a7b60e95df5ba6f6 |
| SHA256 | 25592762f6078878786ddedb40ae2d21f141bf38cc66e2322102e060be410937 |
| SHA512 | e72a225386b91358490ab1d065166733d0d64cf56736c3a8cac7c39dfa6e802379fd4c655d6dcfb8bfb7887484b79e94234c9b7cca0de035af7574fe1f76cef6 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 89d1175ccc22de444733c8b8c183b51f |
| SHA1 | 60de7c4bb5f8029c7b92d0c27a3003b500210993 |
| SHA256 | 143add2de2b3d039a8f69bcc322d7e77035526aa2dd129dec469889f8d31ddc5 |
| SHA512 | 556fb939865bfa503dff724c591d9d545f8301ce4a7802058554fa1eec33547c961490decec6e67eba71f545e85887109a63eb763586e8343ed3ef92a6f341f3 |
memory/1772-61-0x00000000042E0000-0x0000000004DCC000-memory.dmp
memory/1772-60-0x00000000042E0000-0x0000000004DCC000-memory.dmp
memory/1772-62-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1772-63-0x0000000000526000-0x000000000087A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9ee54eba1649954268d1f3f37c274921 |
| SHA1 | cbb481c73a79a81b116e67d7aa275dfdf829a875 |
| SHA256 | 48982c78e545c80f0e989d647a878d63ecc856e5dfbafd08ed7414cd86023bc2 |
| SHA512 | a17565f9f074095b623c6c1155ad34b7bbf9f48a3982d6a11755b1a7fb1993256039eaaa3da8982c6edbc1f2528854de929359632afdffd6bc3297f4436cd8b1 |
memory/2160-114-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2160-111-0x00000000042F0000-0x0000000004DDC000-memory.dmp
\Users\Admin\AppData\Local\Temp\civog.exe
| MD5 | 2f6bdd8a9cc01c26e21b8710f5214acf |
| SHA1 | a2ae41268ee73e972929ced6f210e50ee281288e |
| SHA256 | 127233514d41cbdd22b1c0edf3e822edebadc7b02a0321661530f13064faf9c2 |
| SHA512 | ed9f258e4dbfa3d91b466338c4acf1ca3e4236cb45109d5747a6819c72493644c015390d95e5a4fa860c3bb5b68f9cc74060b64085d2e5d32dd1ab8133174892 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | c746a45a01e7ec649f583035a7e479a0 |
| SHA1 | 9bd498d4f5f25fcbf7ead3240e85715aa309dfcd |
| SHA256 | 000c087007c31a7ead7d2b1b163d6312a19cfbd1a999d86a3f0f55898aea586b |
| SHA512 | ecf6f0700fdd2229f983bb9829073f8ff18abd88442df4b5f5e07f82c028a80b2812b930d4dc830ec01153db7a34bcc661e9e05453a2514b9c100fcb82f6add6 |
memory/1316-168-0x0000000000400000-0x0000000000599000-memory.dmp
memory/2608-169-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2608-159-0x00000000046A0000-0x0000000004839000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/1316-174-0x0000000000400000-0x0000000000599000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 22:18
Reported
2024-07-27 22:27
Platform
win10v2004-20240709-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\evysz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\evysz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\utpuj.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\evysz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\utpuj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe
"C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe"
C:\Users\Admin\AppData\Local\Temp\evysz.exe
"C:\Users\Admin\AppData\Local\Temp\evysz.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\irgezy.exe
"C:\Users\Admin\AppData\Local\Temp\irgezy.exe" OK
C:\Users\Admin\AppData\Local\Temp\utpuj.exe
"C:\Users\Admin\AppData\Local\Temp\utpuj.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
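Both detonations show the same chain: the sample drops an EXE with a short random lowercase name into %TEMP% and runs it, that stage runs a second one with the argument OK, which runs a third, and the "Deletes itself" signature fires on the cmd.exe that executes _vslite.bat from the same directory; the stages then connect to the KR and JP hosts on TCP 11110 and 11170, which are the only endpoints common to both runs. The 8.8.8.8 PTR lookups and the tse1.mm.bing.net traffic appear only in the Windows 10 run and are absent from the Windows 7 one, so they should not be treated as sample indicators. The following is an added example, not part of the report: detection logic that runs over constructed Sysmon-like events using exactly the paths, command lines, registry key and endpoints listed above. PIDs and parent-child links in SAMPLE_EVENTS are assumed, since the report lists processes flat rather than as a tree, and 203.0.113.5 is a constructed address used to exercise the port-only rule.

```python
import re

# Network IOCs copied from the report's Network tables (the KR/JP endpoints on 11110/11170).
C2_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}
C2_PORTS = {port for _, port in C2_ENDPOINTS}

# Host patterns taken from the Processes and Signatures sections.
TEMP_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
VSLITE_CMD = re.compile(r'cmd(?:\.exe)?\s+/c\s+""[^"]*\\_vslite\.bat"\s*"', re.I)
GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
MAIN = TEMP + r"\0be85afca6aaa8cdaae0f26a4a2fc380N.exe"
MOSUV, QIENPI, CIVOG = TEMP + r"\mosuv.exe", TEMP + r"\qienpi.exe", TEMP + r"\civog.exe"
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation"

# Constructed events in a Sysmon-like shape. Paths, command lines and the registry key
# are the ones on this page; PIDs and parent links are assumed (the report gives no tree).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 50, "image": MAIN, "cmdline": f'"{MAIN}"'},
    {"type": "process", "pid": 200, "ppid": 100, "image": MOSUV, "cmdline": f'"{MOSUV}"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /c ""' + TEMP + r'\_vslite.bat" "'},
    {"type": "process", "pid": 400, "ppid": 200, "image": QIENPI, "cmdline": f'"{QIENPI}" OK'},
    {"type": "process", "pid": 500, "ppid": 400, "image": CIVOG, "cmdline": f'"{CIVOG}"'},
    {"type": "process", "pid": 600, "ppid": 500, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\_vslite.bat" "'},
    {"type": "process", "pid": 900, "ppid": 50, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},                                   # benign control
    {"type": "network", "pid": 200, "dst": "218.54.31.226", "dport": 11110, "proto": "tcp"},
    {"type": "network", "pid": 400, "dst": "203.0.113.5", "dport": 11110, "proto": "tcp"},  # constructed
    {"type": "network", "pid": 900, "dst": "150.171.28.10", "dport": 443, "proto": "tcp"},
    {"type": "registry", "pid": 500, "key": GEO_KEY},
    {"type": "registry", "pid": 900, "key": GEO_KEY},              # same key, benign process
]


def detect(events):
    """Run four rules derived from this report over normalized events; return one hit per match."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            parent = image_by_pid.get(e["ppid"], "")
            # Dropped EXE in %TEMP% started by another EXE in %TEMP% (the mosuv -> qienpi -> civog chain).
            if TEMP_EXE.match(e["image"]) and TEMP_EXE.match(parent):
                hits.append({"pid": pid, "rule": "temp_exe_chain", "detail": f"{parent} -> {e['image']}"})
            # cmd /c on _vslite.bat is the self-delete step the "Deletes itself" signature fires on.
            if VSLITE_CMD.search(e["cmdline"]):
                hits.append({"pid": pid, "rule": "vslite_self_delete", "detail": e["cmdline"]})
        elif e["type"] == "network":
            if (e["dst"], e["dport"]) in C2_ENDPOINTS:
                hits.append({"pid": pid, "rule": "urelas_c2_endpoint", "detail": f"{e['dst']}:{e['dport']}"})
            elif e["proto"] == "tcp" and e["dport"] in C2_PORTS:
                # Weaker signal: unusual high port seen in this family, unknown host.
                hits.append({"pid": pid, "rule": "urelas_c2_port", "detail": f"{e['dst']}:{e['dport']}"})
        elif e["type"] == "registry":
            # Geo\Nation read by a %TEMP% executable ("Checks computer location settings").
            if GEO_NATION.search(e["key"]) and TEMP_EXE.match(image_by_pid.get(pid, "")):
                hits.append({"pid": pid, "rule": "geo_nation_check", "detail": e["key"]})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"pid={h['pid']:<4} {h['rule']:<20} {h['detail']}")
```

The endpoint rule is the high-confidence one; the port-only rule and the %TEMP% chain rule are there to survive the next build changing its C2 hosts and file names, and should be tuned against your own baseline before being paged on.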
Files
memory/1112-0-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1112-2-0x0000000000526000-0x000000000087A000-memory.dmp
memory/1112-8-0x0000000002C80000-0x0000000002C81000-memory.dmp
memory/1112-7-0x0000000002C70000-0x0000000002C71000-memory.dmp
memory/1112-6-0x0000000002C60000-0x0000000002C61000-memory.dmp
memory/1112-5-0x00000000010A0000-0x00000000010A1000-memory.dmp
memory/1112-4-0x0000000001070000-0x0000000001071000-memory.dmp
memory/1112-13-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1112-3-0x0000000001060000-0x0000000001061000-memory.dmp
memory/1112-1-0x0000000001050000-0x0000000001051000-memory.dmp
memory/1112-14-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\evysz.exe
| MD5 | c49071bb0d92505f7b82e682d9e5f6d7 |
| SHA1 | 3754018af72336c3a1603ed5c489b45c904233f7 |
| SHA256 | 6e3a54c3e35285577f168e2aa2c1eb4b8caae6d6b981f680113ccb51109e3420 |
| SHA512 | dd76cf0a6d4edda9a49db59f73bc210d5bc0e64e0b1330ad79a887c1ece19e485eded60e2707f7987cfe0da229047dfeb6d22952011d56494f16e47e2265c563 |
memory/1292-25-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1112-26-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1112-27-0x0000000000526000-0x000000000087A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 89d1175ccc22de444733c8b8c183b51f |
| SHA1 | 60de7c4bb5f8029c7b92d0c27a3003b500210993 |
| SHA256 | 143add2de2b3d039a8f69bcc322d7e77035526aa2dd129dec469889f8d31ddc5 |
| SHA512 | 556fb939865bfa503dff724c591d9d545f8301ce4a7802058554fa1eec33547c961490decec6e67eba71f545e85887109a63eb763586e8343ed3ef92a6f341f3 |
memory/1292-35-0x0000000002B80000-0x0000000002B81000-memory.dmp
memory/1292-34-0x0000000002B70000-0x0000000002B71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1715d782fd22e1e249d1dc84a38068f1 |
| SHA1 | 62b659e6de863e395e75bd6dec46f75a49ee90d6 |
| SHA256 | a7b62918649a0140c7bb388d3677c0ced1455ff7401c1ebf4ba685a0bce7beaa |
| SHA512 | 32e720d644acd7618976fa9cdc588b39af48f751cca36fb834be8121250bba6cba7f38eaa04915f1124034e3d41dfe91d78e1c700707403c42a687060e23ab75 |
memory/1292-36-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1292-33-0x0000000002B60000-0x0000000002B61000-memory.dmp
memory/1292-32-0x0000000002B50000-0x0000000002B51000-memory.dmp
memory/1292-39-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1292-31-0x0000000000F70000-0x0000000000F71000-memory.dmp
memory/1292-30-0x0000000000F10000-0x0000000000F11000-memory.dmp
memory/1292-29-0x0000000000F00000-0x0000000000F01000-memory.dmp
memory/1164-49-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1292-48-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1164-56-0x0000000002B90000-0x0000000002B91000-memory.dmp
memory/1164-55-0x0000000002B80000-0x0000000002B81000-memory.dmp
memory/1164-57-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1164-54-0x0000000002B70000-0x0000000002B71000-memory.dmp
memory/1164-53-0x0000000002B60000-0x0000000002B61000-memory.dmp
memory/1164-52-0x0000000002B20000-0x0000000002B21000-memory.dmp
memory/1164-51-0x0000000002B10000-0x0000000002B11000-memory.dmp
memory/1164-50-0x0000000000F10000-0x0000000000F11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\utpuj.exe
| MD5 | 260d07179168706353b4c6679b728af5 |
| SHA1 | ddc017d61c959e4697f784b07f2fcc7bcfa7095b |
| SHA256 | 4de81441c86e3e7243853af58205d5b04d1cff6152b00e431a98f34cbb5fb2f4 |
| SHA512 | 99b98dd757dd0c91c6b64ee8007dce6d92207611bb44677f0942b15a73c655cbcb6c328252d24090ad1cf1bc3c78501d75cccd15f0a0e123bf8b6cd20a153dc8 |
memory/2528-71-0x0000000000400000-0x0000000000599000-memory.dmp
memory/1164-72-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | a05f4f76ee04c374111e12e296fa87b5 |
| SHA1 | c6deba5f430f32a0812f548d95556fa280b3c3dd |
| SHA256 | 33ba234ae1cd905e6663e8f1bfc8d41c043a3557ef3b42310481205d62bc9bb1 |
| SHA512 | 7cbab0aa0fa0ec296581adb7fc161772ee9bf068f177abcc2441111ca9d83fb9b40b6c42cdf243fb843fccf27b99e7d65eb51af8ce799827b0a835c4efa64ace |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/2528-75-0x0000000000400000-0x0000000000599000-memory.dmp