Analysis Overview
SHA256
751a1bfb73fc05bb9915827c69ea6febf9a9b9a9e73046098c5be031b6587912
Threat Level: Known bad
The file 8c998e707315ec9b559a8cb61a188090N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 03:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 03:50
Reported
2024-07-27 05:29
Platform
win7-20240704-en
Max time kernel
119s
Max time network
90s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gujyf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xisiif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bynii.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gujyf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gujyf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xisiif.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gujyf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xisiif.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bynii.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gujyf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xisiif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bynii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bynii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bynii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bynii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bynii.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe
"C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe"
C:\Users\Admin\AppData\Local\Temp\gujyf.exe
"C:\Users\Admin\AppData\Local\Temp\gujyf.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\xisiif.exe
"C:\Users\Admin\AppData\Local\Temp\xisiif.exe" OK
C:\Users\Admin\AppData\Local\Temp\bynii.exe
"C:\Users\Admin\AppData\Local\Temp\bynii.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\gujyf.exe
| MD5 | ecae46589a5c273c23ded35c46dae687 |
| SHA1 | fcf15ce57874dc7791283608841c9e592ca23818 |
| SHA256 | da1a8613cf68fc0241b14ca5f795e252489fb74c490dc7f4d2a73fea0d49db20 |
| SHA512 | de8a26659b06805c34bd123dac6179fab6e59efa1be355b5130be94248cb0fa866b2ad7d3bd72f6d6cc0e28113532dd9c39153f2eddb12d589e503be16dcd1cf |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | c00dbd601b4f93ffc7f0050d209906c4 |
| SHA1 | 6bcffea011e9bc0f58f945b4df44ad3a5e23a7f4 |
| SHA256 | 371790975c164b3a2059ac1da9a3ff4e2d5edb9f22409b786d5acd4caec43cae |
| SHA512 | c757396fa72262e1d7ca906de8dedd9446e6cb3cfc22abd0947423fbf0f7dad6ee296cfab344d11afc54fbbf0380f7d87eb1d936c1b413771bdd3e6f66b54059 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 581bd5273f17f124e1ade1764ed854bc |
| SHA1 | 2ba926b3b8a3ee1d3ada189b608b3a0e97949265 |
| SHA256 | 19072ad4fd29862d1fb1b1890374023f6e347ff28a72c1beffdcaac4f34f5860 |
| SHA512 | 2dd4bdbaf15b9468922e2fc6ac06c27ca71b25ab08089071df040afd612b320c59f539e87f5ae81463e7eb4946208a90bbb6a9a3fe747438c909a4648cd5135a |
\Users\Admin\AppData\Local\Temp\bynii.exe
| MD5 | 15c806cb8bc43724b6253363d96d74f5 |
| SHA1 | f3c66c83bfe6d65faf7966fe349413a20fbd96ba |
| SHA256 | efe0b6e41d638472ded5158bcf132438aaa86abcfdf43a326263d5655565218e |
| SHA512 | 6ad3e682a74ef94fd7ff8f4b9db4cedd798095f725cd14a58dd92a955f53504534ca243eda34b8a48ee741d28274146d059f0599034c190589a4c1a41167fc64 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | bed9430cdb2ea12464bd91b7285b1544 |
| SHA1 | 9212215cc411c72612cab24411e1fbd8ce6787ad |
| SHA256 | 2abc4fbf370d5ff40382fcf986d7589799c807839d91b77ab40859a1b78b8d3f |
| SHA512 | 5877b392002abd199a7d40b7f28c0b04d840423b64dc9063ff5f64dbed5d73f6683239daaef6575513d3867b597bb1ece3df69766604036489f9f45d57ba3f37 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 03:50
Reported
2024-07-27 05:29
Platform
win10v2004-20240709-en
Max time kernel
119s
Max time network
114s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\joepy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rukery.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\joepy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rukery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\joepy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rukery.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe
"C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe"
C:\Users\Admin\AppData\Local\Temp\joepy.exe
"C:\Users\Admin\AppData\Local\Temp\joepy.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\rukery.exe
"C:\Users\Admin\AppData\Local\Temp\rukery.exe" OK
C:\Users\Admin\AppData\Local\Temp\zymav.exe
"C:\Users\Admin\AppData\Local\Temp\zymav.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| IE | 52.111.236.21:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\joepy.exe
| MD5 | 7a937eee07f35dfcaeefeb61472ca110 |
| SHA1 | 0ba323999bfe9269bee87628b32cf9ccd7bc711c |
| SHA256 | ecfb8a1545904768779d50c9038ceccad6b3a986d3c1fc755f22e47337bff9d8 |
| SHA512 | 0d2232aae79b50ff036099aa1f65d2788051e5d4f72b865a5557dea2815473ff3ae583887b406514bb522d230af7589350dff60ebba77c41934bf435c60def73 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | c00dbd601b4f93ffc7f0050d209906c4 |
| SHA1 | 6bcffea011e9bc0f58f945b4df44ad3a5e23a7f4 |
| SHA256 | 371790975c164b3a2059ac1da9a3ff4e2d5edb9f22409b786d5acd4caec43cae |
| SHA512 | c757396fa72262e1d7ca906de8dedd9446e6cb3cfc22abd0947423fbf0f7dad6ee296cfab344d11afc54fbbf0380f7d87eb1d936c1b413771bdd3e6f66b54059 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 433f9470cdee864f3a73653a46db9421 |
| SHA1 | d7cc4ad83bde83cfabf0eb3bfd79dff4f0a0f0b2 |
| SHA256 | f4cdc192c6611038f96628258b71ba7cdcb2a6787ff18c2f50d3b9d136de0e85 |
| SHA512 | 51efb2d633529f37bbdafc1773a9ab306a67f6b8e504770e0aab1335e44713d60e7a70a758916c64170cee9354a72d11c16d0f2be2f842267618ccd597bebb49 |
C:\Users\Admin\AppData\Local\Temp\zymav.exe
| MD5 | 3e3abdb15e483f36c902ce2651ce88b8 |
| SHA1 | 1a8fc6478c85778a155a84829fd9e36d947051a1 |
| SHA256 | 6f6ce07ba7237e93def0d2f0067c0717a47c48143594f4e3ef22098b9b16fab2 |
| SHA512 | 332ca8aad9eaa19958d222d29e8f0b2e95ade3f8033c37508bcdc376568bdbb02f3f67c3726e590f591b59cc31d51fb5e2289c1e5dbc07ffdd7ea1db141968a5 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | abc7549465caa3417ab2e5a58f03250a |
| SHA1 | 8ae3ba55cca93c8703f45001506458ad00acae33 |
| SHA256 | e3cd6d8ae3fee7f95da822ca162c65c1219f696e5cf642e13f757b043acaee40 |
| SHA512 | 3623bd4f1610be597402986c397e6b484bee2b031d5f5f0f7a8210b399d5399a921a29f0fa5309169a10c7eabfc6b9989538bb54fcce4decc06e1bf0cbb05e94 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |