Analysis Overview
SHA256
a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1
Threat Level: Known bad
The file a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1 was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 01:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 01:36
Reported
2024-07-27 01:45
Platform
win7-20240705-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cywyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zylea.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cywyq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zylea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cywyq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe
"C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe"
C:\Users\Admin\AppData\Local\Temp\cywyq.exe
"C:\Users\Admin\AppData\Local\Temp\cywyq.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\zylea.exe
"C:\Users\Admin\AppData\Local\Temp\zylea.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2168-0-0x00000000008E0000-0x0000000000961000-memory.dmp
memory/2168-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\cywyq.exe
| MD5 | 1c1ee8aa40b1e3c5d0ead6270e0c54a4 |
| SHA1 | aab6a78cd80727fd39bad1526fb2242dcf5a88f9 |
| SHA256 | 79aab4a98cd49dc748ea75174ec1a736dd800d48de38f82351e01c10e71f075a |
| SHA512 | 3a05637d24c54c5b7cea8d1b595d8e3ce8e19285f39c78795c203c13b8505919535ebafb372e0f097e63b9b7f13b02cfd15e65c8faa41d4ef67d7a4a774ed8f9 |
memory/2168-10-0x0000000002230000-0x00000000022B1000-memory.dmp
memory/3040-12-0x0000000000020000-0x0000000000021000-memory.dmp
memory/3040-11-0x0000000001320000-0x00000000013A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 8ebe2ce36bf8db13f65993dc0c550fbe |
| SHA1 | 5af0c513a485e4fc02bd82d4e0776b4585dca293 |
| SHA256 | b4a92629d5605aac1390196386f832432c060e4bdbb12611d899f5d209c29b01 |
| SHA512 | d7c7df9f090d7af178bec8b25a6d3c9291503b2b233d84c4f3b05afcf515ea4bed2c0f85647037953fd68996259df729c6a946f044a99f481cbc2ee02dca1488 |
memory/2168-21-0x00000000008E0000-0x0000000000961000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 4f84896559711ae2bdb68b5f61f50dcc |
| SHA1 | 793a753783d8b605515aa4cc37f4e71765f67678 |
| SHA256 | 7fe17dfd633c8885e99696f6e18958fb3d600d8980665dce1ed26112e98ec1c5 |
| SHA512 | 7e3b6b2587d4a102771343fabd52a0d5d4f6ae3830861f51c6845cb559876b429e4e639455bbc8d78c5adfdfd28f88d7c2630ddb49804ac83df996f4a9f31032 |
memory/3040-24-0x0000000001320000-0x00000000013A1000-memory.dmp
memory/3040-26-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zylea.exe
| MD5 | 0512ed62e34a512e155b8895e67304f0 |
| SHA1 | 7c9b8cce465e721f0dee5c07ec50261fb1e7ab5c |
| SHA256 | 171a8c9844cb36bc823030281f80327ed8b3a76980aa01a221dc58b6590e8613 |
| SHA512 | 0d8d2f893c3cde45f477c04c6eb6e65ff5717a9c56c7b70c84dd340cf379c8a3c0a951899bc2c36e51751465e2761db1a09d6306abc5b096f5baf791e5d76e2d |
memory/3040-41-0x0000000001320000-0x00000000013A1000-memory.dmp
memory/2348-42-0x0000000001170000-0x0000000001209000-memory.dmp
memory/2348-43-0x0000000001170000-0x0000000001209000-memory.dmp
memory/2348-47-0x0000000001170000-0x0000000001209000-memory.dmp
memory/2348-48-0x0000000001170000-0x0000000001209000-memory.dmp
memory/2348-49-0x0000000001170000-0x0000000001209000-memory.dmp
memory/2348-50-0x0000000001170000-0x0000000001209000-memory.dmp
memory/2348-51-0x0000000001170000-0x0000000001209000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 01:36
Reported
2024-07-27 01:45
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
130s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mygus.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mygus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ivqia.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mygus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ivqia.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe
"C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe"
C:\Users\Admin\AppData\Local\Temp\mygus.exe
"C:\Users\Admin\AppData\Local\Temp\mygus.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ivqia.exe
"C:\Users\Admin\AppData\Local\Temp\ivqia.exe"
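The two Processes lists above share one shape: the sample and a randomly named copy run from %TEMP%, then cmd.exe is started with /c on a %TEMP% batch file (the step the report labels "Deletes itself"). The Python below is an added example for this report, not sandbox output; the process records are transcribed from behavioral1 and behavioral2, and the regular expressions are this example's own.

```python
# Added example (not part of the report): pick the self-deletion shape out
# of the Processes lists. Records transcribed from behavioral1/behavioral2.
import re
from typing import List, Optional, Tuple

SAMPLE = "a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (image path, command line) as the sandbox recorded them
BEHAVIORAL1 = [
    (TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (TEMP + r"\cywyq.exe", '"' + TEMP + r'\cywyq.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + TEMP + r'\_uinsey.bat" "'),
    (TEMP + r"\zylea.exe", '"' + TEMP + r'\zylea.exe"'),
]
BEHAVIORAL2 = [
    (TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (TEMP + r"\mygus.exe", '"' + TEMP + r'\mygus.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\_uinsey.bat" "'),
    (TEMP + r"\ivqia.exe", '"' + TEMP + r'\ivqia.exe"'),
]

# cmd.exe's /c argument as the sandbox prints it: the batch path inside a
# doubled quote pair with a trailing space before the closing quote.
BAT_RE = re.compile(r'/c\s+"+(?P<bat>[^"]+\.bat)"', re.IGNORECASE)
TEMP_RE = re.compile(r'^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\',
                     re.IGNORECASE)


def batch_from_cmdline(cmdline: str) -> Optional[str]:
    """Path of the batch file cmd.exe was told to run, or None."""
    m = BAT_RE.search(cmdline)
    return m.group("bat") if m else None


def self_delete_candidates(procs: List[Tuple[str, str]]) -> List[str]:
    """%TEMP% batch files run via cmd.exe /c: the shape the report labels
    "Deletes itself" (the batch content itself is not in the report)."""
    hits = []
    for image, cmdline in procs:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        bat = batch_from_cmdline(cmdline)
        if bat and TEMP_RE.match(bat):
            hits.append(bat)
    return hits


def dropped_executables(procs: List[Tuple[str, str]]) -> List[str]:
    """Executables run from %TEMP% other than the submitted sample."""
    return [img for img, _ in procs
            if TEMP_RE.match(img) and img.lower().endswith(".exe")
            and not img.endswith(SAMPLE)]


def wow64_redirected(image: str, cmdline: str) -> bool:
    """True when the command line names System32 but the image that ran is
    under SysWOW64: a 32-bit parent asked for system32 and the File System
    Redirector rewrote the path. A rule keyed on the command line's
    "system32" string alone would mis-bucket this cmd.exe."""
    return ("\\system32\\" in cmdline.lower()
            and "\\syswow64\\" in image.lower())


if __name__ == "__main__":
    for name, procs in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(name, self_delete_candidates(procs), dropped_executables(procs))
```

Note that in behavioral2 the command line says `C:\Windows\system32\cmd.exe` while the recorded image is `C:\Windows\SysWOW64\cmd.exe`; match on the image path (or on the `/c` argument) rather than on the literal `system32`, and treat the `_uinsey.bat` name, which is identical in both runs, as the more useful indicator than the per-run executable names.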
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
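The Windows 10 run mixes the sample's own connections with traffic the VM generates by itself (resolver queries to 8.8.8.8, reverse lookups, the Bing thumbnail CDN), none of which appears in the Windows 7 run. The Python below is an added example for this report, not sandbox output; the rows are transcribed from the two Network tables, and the noise rules are this example's own assumptions.

```python
# Added example (not part of the report): strip sandbox background traffic
# from the Network tables and keep what is attributable to the sample.
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Row = Tuple[str, str, str, str]  # (country, destination, domain, proto)

# Transcribed from the behavioral1 (Windows 7) Network table
BEHAVIORAL1_NET: List[Row] = [
    ("KR", "218.54.31.226:11300", "", "tcp"),
    ("KR", "1.234.83.146:11170", "", "tcp"),
    ("KR", "218.54.31.166:11300", "", "tcp"),
    ("JP", "133.242.129.155:11300", "", "tcp"),
]
# Transcribed from the behavioral2 (Windows 10) Network table
BEHAVIORAL2_NET: List[Row] = [
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("KR", "218.54.31.226:11300", "", "tcp"),
    ("KR", "1.234.83.146:11170", "", "tcp"),
    ("US", "8.8.8.8:53", "157.123.68.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
] + [("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp")] * 5 + [
    ("US", "8.8.8.8:53", "10.28.171.150.in-addr.arpa", "udp"),
    ("KR", "218.54.31.166:11300", "", "tcp"),
    ("JP", "133.242.129.155:11300", "", "tcp"),
]


def is_sandbox_noise(row: Row) -> bool:
    """Traffic the VM produces on its own (assumed rules): queries to the
    configured resolver, PTR lookups, and the Bing CDN the Windows 10
    shell contacts."""
    _, dest, domain, _ = row
    return (dest == "8.8.8.8:53"
            or domain.endswith(".in-addr.arpa")
            or domain.endswith(".bing.net"))


def sample_endpoints(*tables: Iterable[Row]) -> Dict[Tuple[str, str], int]:
    """(destination, country) -> number of detonations it appeared in.
    Endpoints seen in every run are the ones worth acting on."""
    seen: Counter = Counter()
    for table in tables:
        per_run = {(r[1], r[0]) for r in table if not is_sandbox_noise(r)}
        for key in per_run:
            seen[key] += 1
    return dict(seen)


def blocklist(endpoints: Dict[Tuple[str, str], int]) -> List[Tuple[str, int]]:
    """Sorted (ip, port) pairs for a firewall or IDS rule."""
    out = []
    for dest, _country in sorted(endpoints):
        ip, port = dest.rsplit(":", 1)
        out.append((ip, int(port)))
    return out


if __name__ == "__main__":
    ep = sample_endpoints(BEHAVIORAL1_NET, BEHAVIORAL2_NET)
    for (dest, country), runs in sorted(ep.items()):
        print(f"{dest:24} {country}  seen in {runs} run(s)")
    print(blocklist(ep))
```

After filtering, both detonations leave the same four TCP endpoints on ports 11300 and 11170; that they recur across a Windows 7 and a Windows 10 run, while the noise appears in only one, is the evidence for attributing them to the sample rather than to the platform. The report itself does not characterise what those connections carry.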
Files
memory/4672-0-0x0000000000BF0000-0x0000000000C71000-memory.dmp
memory/4672-1-0x00000000009D0000-0x00000000009D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mygus.exe
| MD5 | ca7912e2f9dde1aa017403e3c3b55b38 |
| SHA1 | bdf43fa8c8d0c8e764611573eaf4637a7a64ebc8 |
| SHA256 | 1846fb7d86807cb2842e268a10b09da213f69110c44c04c29dcb352f9499303a |
| SHA512 | e8808d8403e30a423f3be47270de4b04eec337de65bf605583bb8e354e4763cff6a54c1ec9975b68421e29f55416f692789ff9dc9907d5bb39deed333620aa40 |
memory/4824-14-0x0000000000F50000-0x0000000000FD1000-memory.dmp
memory/4824-15-0x0000000000FF0000-0x0000000000FF1000-memory.dmp
memory/4672-17-0x0000000000BF0000-0x0000000000C71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 8ebe2ce36bf8db13f65993dc0c550fbe |
| SHA1 | 5af0c513a485e4fc02bd82d4e0776b4585dca293 |
| SHA256 | b4a92629d5605aac1390196386f832432c060e4bdbb12611d899f5d209c29b01 |
| SHA512 | d7c7df9f090d7af178bec8b25a6d3c9291503b2b233d84c4f3b05afcf515ea4bed2c0f85647037953fd68996259df729c6a946f044a99f481cbc2ee02dca1488 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9e18dc232c3c429a759f24329983b704 |
| SHA1 | 065a92554f1ac43a6980bcffbf2f5d269b0e6475 |
| SHA256 | 93e310d1369793e2b51a6ed8c6aa60a89d92e08ea4031073293281f13830bce9 |
| SHA512 | b9f08ef33dd9f2ef12b3dfd0961902133b225079c1f6aba1219f0219f20c59d52db3146a0eb2a886c8c15af3b2eb14cca9ed39bc0e0dc0711c5386ec4cc9011e |
memory/4824-20-0x0000000000F50000-0x0000000000FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ivqia.exe
| MD5 | 284cabe981a835dedf7f2465ec8c67d0 |
| SHA1 | e0e6edae134aa1de77752b62bb4b802693d0fdf0 |
| SHA256 | 30cb91c352772b6d57b6e8a0fe014d01446bfb621bdf1b5120d06042ab474574 |
| SHA512 | c9ac8a2018b34d4c1b25443b84224c748c65ef9e5d36e60c0ee1fdcebeb24b9832c2c25c8fcef4c9b5738a36c77e571ca9c7f4e5e23aaf1fef50a2a0544987f0 |
memory/4864-40-0x0000000000B40000-0x0000000000BD9000-memory.dmp
memory/4824-43-0x0000000000F50000-0x0000000000FD1000-memory.dmp
memory/4864-38-0x0000000000180000-0x0000000000182000-memory.dmp
memory/4864-37-0x0000000000B40000-0x0000000000BD9000-memory.dmp
memory/4864-45-0x0000000000B40000-0x0000000000BD9000-memory.dmp
memory/4864-46-0x0000000000B40000-0x0000000000BD9000-memory.dmp
memory/4864-47-0x0000000000180000-0x0000000000182000-memory.dmp
memory/4864-48-0x0000000000B40000-0x0000000000BD9000-memory.dmp
memory/4864-49-0x0000000000B40000-0x0000000000BD9000-memory.dmp
memory/4864-50-0x0000000000B40000-0x0000000000BD9000-memory.dmp
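Comparing the two Files sections shows which file indicators survive a second detonation: the dropped executables carry different random names and hashes in each run, golfinfo.ini keeps its name but changes content, and _uinsey.bat is byte-identical in both. The Python below is an added example for this report, not sandbox output; the SHA-256 values and paths are transcribed from the two Files sections.

```python
# Added example (not part of the report): which dropped-file indicators
# hold across the two detonations. Hashes transcribed from the report.
import hashlib
from typing import Dict, Optional, Set

BEHAVIORAL1_FILES: Dict[str, str] = {
    r"\Users\Admin\AppData\Local\Temp\cywyq.exe":
        "79aab4a98cd49dc748ea75174ec1a736dd800d48de38f82351e01c10e71f075a",
    r"C:\Users\Admin\AppData\Local\Temp\_uinsey.bat":
        "b4a92629d5605aac1390196386f832432c060e4bdbb12611d899f5d209c29b01",
    r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini":
        "7fe17dfd633c8885e99696f6e18958fb3d600d8980665dce1ed26112e98ec1c5",
    r"C:\Users\Admin\AppData\Local\Temp\zylea.exe":
        "171a8c9844cb36bc823030281f80327ed8b3a76980aa01a221dc58b6590e8613",
}
BEHAVIORAL2_FILES: Dict[str, str] = {
    r"C:\Users\Admin\AppData\Local\Temp\mygus.exe":
        "1846fb7d86807cb2842e268a10b09da213f69110c44c04c29dcb352f9499303a",
    r"C:\Users\Admin\AppData\Local\Temp\_uinsey.bat":
        "b4a92629d5605aac1390196386f832432c060e4bdbb12611d899f5d209c29b01",
    r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini":
        "93e310d1369793e2b51a6ed8c6aa60a89d92e08ea4031073293281f13830bce9",
    r"C:\Users\Admin\AppData\Local\Temp\ivqia.exe":
        "30cb91c352772b6d57b6e8a0fe014d01446bfb621bdf1b5120d06042ab474574",
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def stable_hashes(run_a: Dict[str, str], run_b: Dict[str, str]) -> Dict[str, str]:
    """sha256 -> file name for content that is byte-identical in both runs."""
    b_hashes = set(run_b.values())
    return {h: basename(p) for p, h in run_a.items() if h in b_hashes}


def stable_names(run_a: Dict[str, str], run_b: Dict[str, str]) -> Set[str]:
    """File names that recur across runs regardless of content."""
    return {basename(p) for p in run_a} & {basename(p) for p in run_b}


def volatile_names(run_a: Dict[str, str], run_b: Dict[str, str]) -> Set[str]:
    """File names present in only one run: per-run randomised artefacts."""
    return {basename(p) for p in run_a} ^ {basename(p) for p in run_b}


def match_recovered_file(data: bytes, *runs: Dict[str, str]) -> Optional[str]:
    """Hash a file recovered from a host and return the report path whose
    SHA-256 it matches, or None."""
    digest = hashlib.sha256(data).hexdigest()
    for run in runs:
        for path, h in run.items():
            if h == digest:
                return path
    return None


if __name__ == "__main__":
    print("identical content:", stable_hashes(BEHAVIORAL1_FILES, BEHAVIORAL2_FILES))
    print("recurring names:  ", stable_names(BEHAVIORAL1_FILES, BEHAVIORAL2_FILES))
    print("per-run names:    ", volatile_names(BEHAVIORAL1_FILES, BEHAVIORAL2_FILES))
```

The practical reading: a hash match on _uinsey.bat is durable, a hash match on any of the four dropped executables or on golfinfo.ini will only ever hit the exact run that produced it, and the `_uinsey.bat` / `golfinfo.ini` names under %TEMP% plus the cmd.exe /c pattern are the indicators to hunt on when hashes do not line up.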