Analysis Overview
SHA256
2b26868cdea1e236721c55cf842cce7d4a0aec370543c6a819dda8ccb8570d43
Threat Level: Known bad
The file b8f788750bcdec10cdca7daa18c166f0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 10:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 10:47
Reported
2024-07-27 10:51
Platform
win7-20240704-en
Max time kernel
120s
Max time network
93s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wiilg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nureo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wiilg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wiilg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nureo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe
"C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe"
C:\Users\Admin\AppData\Local\Temp\wiilg.exe
"C:\Users\Admin\AppData\Local\Temp\wiilg.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\nureo.exe
"C:\Users\Admin\AppData\Local\Temp\nureo.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2436-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2436-0-0x0000000000D10000-0x0000000000D91000-memory.dmp
\Users\Admin\AppData\Local\Temp\wiilg.exe
| MD5 | 5482a6c1902767752742709b8fbf1d86 |
| SHA1 | 0a99db74890ee7da60458d0e85846ae20ef6a994 |
| SHA256 | 4539ce13c37dce1f70179abefe7a34f23fa8c42448ee8066c4ad531e3ae5a0af |
| SHA512 | 6f60fe03a17013bd0a7ecafd0fdfa7ea4373e067f709b70914105abd0342445ceccf36a62aee7db58be8107a4eab3283979f32619637f1d6da0135195ad7f562 |
memory/2436-7-0x00000000028F0000-0x0000000002971000-memory.dmp
memory/2452-13-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2452-12-0x0000000000FA0000-0x0000000001021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 4bdf2c8288ae06e45710056749f1d337 |
| SHA1 | 3b88947abd5b1fca78c668f647393a26f0307073 |
| SHA256 | 11e92f37d446d4b84dc610d076e96f67471fa566245d5c0299084a8086b68e2a |
| SHA512 | 83f8aa91fabc6d745ae8d5efc621da8e951cf3cb5f7b1727ecdc72bcdd5b6d78d2f7c81495befaaaa6a3ecc416b4df6a0c0bcc98cbe5fee86155c51a6a082999 |
memory/2436-20-0x0000000000D10000-0x0000000000D91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0f197c97bd93a24239da3c685b55332f |
| SHA1 | 6f7d0c721b147f3c5c2584234a770dbbd7df526b |
| SHA256 | 59486b9d1d2d800e8e4515d85da0586fdc544f154c24458d2067ea8bcacc351a |
| SHA512 | fe3895909df0a9ae216c24a6c9348b473af893ced4884e78327b57aef995fdff9ecce56ecaaf050e9ff248e08e190462da17d0225cefbf076713d4e952d26fb3 |
memory/2452-23-0x0000000000FA0000-0x0000000001021000-memory.dmp
\Users\Admin\AppData\Local\Temp\nureo.exe
| MD5 | 73c2a8bccb03eb4bee86971fd7b8748a |
| SHA1 | 8bf11a5b5e750f25a05dfe366e6638163238a238 |
| SHA256 | f498fe5f3056b87a2bbdf1db74f483d5f20c34b8987bd9cf553faec2f456d9cb |
| SHA512 | 6c1482e641b2480bcba3fe49417df57db872345a93d11781e9ec51f93825998e92bf38137fac399442b42c433d7126c36fadf73af52c4c24dd7c255fcbe12701 |
memory/2032-40-0x0000000000820000-0x00000000008B9000-memory.dmp
memory/2452-39-0x0000000000FA0000-0x0000000001021000-memory.dmp
memory/2032-41-0x0000000000820000-0x00000000008B9000-memory.dmp
memory/2032-45-0x0000000000820000-0x00000000008B9000-memory.dmp
memory/2032-46-0x0000000000820000-0x00000000008B9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 10:47
Reported
2024-07-27 10:55
Platform
win10v2004-20240709-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zirid.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zirid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tuxyi.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zirid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tuxyi.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe
"C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe"
C:\Users\Admin\AppData\Local\Temp\zirid.exe
"C:\Users\Admin\AppData\Local\Temp\zirid.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\tuxyi.exe
"C:\Users\Admin\AppData\Local\Temp\tuxyi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2600-0-0x00000000004A0000-0x0000000000521000-memory.dmp
memory/2600-1-0x0000000000CF0000-0x0000000000CF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zirid.exe
| MD5 | 88d17865cd64642743993691b0981d96 |
| SHA1 | 29adb5d43a8ccbdb13923b1b4995a8b472068f15 |
| SHA256 | 3ff0de3e93d44c856db03571c07956e28a98b566c6b0b6d25b2ceb718726fd8a |
| SHA512 | b5d3069e5a6eee3f3605fda26e7306337de2a7ddd2681acef0453560e2c5a5c77c8f51c72a1c34c450f2339ac3c31ede2c335eab952e0102bf91876d5d4d7124 |
memory/2080-12-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
memory/2080-11-0x0000000000AF0000-0x0000000000B71000-memory.dmp
memory/2600-17-0x00000000004A0000-0x0000000000521000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 4bdf2c8288ae06e45710056749f1d337 |
| SHA1 | 3b88947abd5b1fca78c668f647393a26f0307073 |
| SHA256 | 11e92f37d446d4b84dc610d076e96f67471fa566245d5c0299084a8086b68e2a |
| SHA512 | 83f8aa91fabc6d745ae8d5efc621da8e951cf3cb5f7b1727ecdc72bcdd5b6d78d2f7c81495befaaaa6a3ecc416b4df6a0c0bcc98cbe5fee86155c51a6a082999 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9c3160dd18e8b83e8caefddffbb79ed5 |
| SHA1 | 27e623dbeeab71b4b9fb41776ed1801f3528001a |
| SHA256 | f6b87362a92883d13ac8990c11938277aa09d34a77ac720d85ba589701bc7506 |
| SHA512 | 25608d13adf73633ea40f0c1ad13bb99fca75428d19aa47aab45b1105922496995c104b9dce54e53580e980a430f5371c0b0322b36902ddaa1d654730330cbfc |
memory/2080-20-0x0000000000AF0000-0x0000000000B71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuxyi.exe
| MD5 | fff2c0bbc1e5a1b7d3642abfced2e894 |
| SHA1 | 63604a55e724783334cc21c33d3969aa9c8e58b5 |
| SHA256 | f997cb76fa67b167a41e42d8bf41202c563115a6cde2e21a5dedc7d92ecfc033 |
| SHA512 | c19cddf237014f0b4f31565fe2cf9b04e1218e279c9f83c5ab3a10da05f2d3c9ab7fab7250c68235d01f9707c2ec14ee5def6385d7a2a9045a5663ae4c0ec33b |
memory/1432-40-0x0000000000E00000-0x0000000000E02000-memory.dmp
memory/1432-41-0x0000000000E80000-0x0000000000F19000-memory.dmp
memory/1432-39-0x0000000000E80000-0x0000000000F19000-memory.dmp
memory/2080-38-0x0000000000AF0000-0x0000000000B71000-memory.dmp
memory/1432-45-0x0000000000E80000-0x0000000000F19000-memory.dmp
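Both detonations show the same chain: the sample drops a second executable into %TEMP% and runs it, that one drops a third, cmd.exe is invoked with `/c` on a .bat in %TEMP% (the "Deletes itself" finding), and a Temp-resident process connects over TCP to port 11300 or 11170 on hosts in KR and JP. The script below turns that chain into hunting logic over endpoint telemetry. It is an added example, not part of the sandbox report or of any vendor tooling: the Sysmon-style event dictionaries and their field names are an assumed format, the sample events are constructed (the report's process tree is flat, so the parent/child assignments in them are assumptions), and the hash and endpoint sets are copied from the tables above.

```python
"""Hunt for the dropper -> dropped EXE -> cmd /c *.bat -> C2 chain seen in this report.

Added example; event format (Sysmon-like dicts) and sample events are constructed.
"""
import re
from collections import Counter

# Indicators copied from the report: SHA256 of dropped files and the TCP C2 endpoints.
DROPPED_SHA256 = {
    "4539ce13c37dce1f70179abefe7a34f23fa8c42448ee8066c4ad531e3ae5a0af",  # wiilg.exe
    "f498fe5f3056b87a2bbdf1db74f483d5f20c34b8987bd9cf553faec2f456d9cb",  # nureo.exe
    "3ff0de3e93d44c856db03571c07956e28a98b566c6b0b6d25b2ceb718726fd8a",  # zirid.exe
    "f997cb76fa67b167a41e42d8bf41202c563115a6cde2e21a5dedc7d92ecfc033",  # tuxyi.exe
    "11e92f37d446d4b84dc610d076e96f67471fa566245d5c0299084a8086b68e2a",  # _uinsey.bat
}
C2_ENDPOINTS = {("218.54.31.226", 11300), ("1.234.83.146", 11170),
                ("218.54.31.166", 11300), ("133.242.129.155", 11300)}
C2_PORTS = {port for _, port in C2_ENDPOINTS}

# Per-user temp directory (assumed default Windows layout) and the `cmd /c ""x.bat" "` shape.
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
BAT_VIA_CMD = re.compile(r'/c\s+"+([^"]+\.bat)"', re.I)


def analyse(events):
    """Return (rule, detail) findings for a list of Sysmon-like event dicts."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            image = ev.get("image", "")
            parent = ev.get("parent_image", "")
            if ev.get("sha256", "").lower() in DROPPED_SHA256:
                findings.append(("known_dropped_hash", image))
            # A Temp-resident binary starting another Temp-resident binary: the drop-and-run step.
            if TEMP_DIR.match(image) and TEMP_DIR.match(parent):
                findings.append(("temp_exe_spawns_temp_exe", f"{parent} -> {image}"))
            # cmd.exe running a batch file from Temp: the self-delete helper in this report.
            m = BAT_VIA_CMD.search(ev.get("cmdline", ""))
            if m and image.lower().endswith("\\cmd.exe") and TEMP_DIR.match(m.group(1)):
                findings.append(("cmd_runs_temp_bat", m.group(1)))
        elif kind == "network":
            ip, port = ev.get("dst_ip"), ev.get("dst_port")
            if (ip, port) in C2_ENDPOINTS:
                findings.append(("known_c2_endpoint", f"{ip}:{port}"))
            # Weaker signal: same unusual ports from a Temp-resident process, unknown host.
            elif port in C2_PORTS and TEMP_DIR.match(ev.get("image", "")):
                findings.append(("temp_exe_to_c2_port", f"{ev['image']} -> {ip}:{port}"))
    return findings


def summarise(findings):
    """Count findings per rule, e.g. {'known_dropped_hash': 2, ...}."""
    return dict(Counter(rule for rule, _ in findings))


def verdict(findings):
    """Call the host Urelas-like only when two independent rule types fire."""
    return len({rule for rule, _ in findings}) >= 2


# Constructed events mirroring the behavioral1 process tree and network table.
# Parent/child links are assumed; the report does not state them.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe"
WIILG = r"C:\Users\Admin\AppData\Local\Temp\wiilg.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"',
     "sha256": "2b26868cdea1e236721c55cf842cce7d4a0aec370543c6a819dda8ccb8570d43"},
    {"type": "process", "image": WIILG, "parent_image": SAMPLE, "cmdline": f'"{WIILG}"',
     "sha256": "4539ce13c37dce1f70179abefe7a34f23fa8c42448ee8066c4ad531e3ae5a0af"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "', "sha256": ""},
    {"type": "process", "image": r"C:\Users\Admin\AppData\Local\Temp\nureo.exe",
     "parent_image": WIILG, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\nureo.exe"',
     "sha256": "f498fe5f3056b87a2bbdf1db74f483d5f20c34b8987bd9cf553faec2f456d9cb"},
    {"type": "network", "image": WIILG, "dst_ip": "218.54.31.226", "dst_port": 11300},
    {"type": "network", "image": WIILG, "dst_ip": "10.0.0.5", "dst_port": 11170},
    # Benign browser traffic (constructed) that must not fire.
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "150.171.27.10", "dst_port": 443},
]

if __name__ == "__main__":
    hits = analyse(SAMPLE_EVENTS)
    for rule, detail in hits:
        print(f"{rule:26} {detail}")
    print(summarise(hits), "urelas_like=", verdict(hits))
```

The hash rule is the only one that is exact; the other three describe the technique rather than this sample, so a renamed drop (the page itself shows different file names and hashes on Win7 and Win10) still trips them. Requiring two rule types before raising a verdict keeps a lone installer that unpacks into %TEMP% from paging anyone.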