Analysis Overview
SHA256
7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6
Threat Level: Known bad
The file 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6 was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Executes dropped EXE
Deletes itself
Loads dropped DLL
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 00:19
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 00:19
Reported
2024-07-28 00:21
Platform
win7-20240705-en
Max time kernel
150s
Max time network
129s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezifh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ilmun.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezifh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ezifh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ilmun.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe
"C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe"
C:\Users\Admin\AppData\Local\Temp\ezifh.exe
"C:\Users\Admin\AppData\Local\Temp\ezifh.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ilmun.exe
"C:\Users\Admin\AppData\Local\Temp\ilmun.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2676-0-0x0000000000400000-0x0000000000490000-memory.dmp
\Users\Admin\AppData\Local\Temp\ezifh.exe
| MD5 | 6986e75ebab12aae4ea67ab626d1e6bd |
| SHA1 | a6cc6971457220aa17d1f225f2c8daa7286776d0 |
| SHA256 | 130e02bf5684015d71e7d2dcc0148041a0984bb19d839bfb414db0b12f25b979 |
| SHA512 | d8323fab690686312c74d0ef13f4f5198682925a5fbec7847d470dc7214d0bc28c1041a70c9e23814bab080283eb37c11de438e45ee642fb7279099990a945f0 |
memory/2676-9-0x0000000002B50000-0x0000000002BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | d99a5f0afa5abf38f0f6ba217b2fef4e |
| SHA1 | e2b5bd266d10f7916fe4cf23589a0bd047256c50 |
| SHA256 | 6602f7ea5cf6eafecaad20bc0d8a855780844123f02e69a97d51bed8ee90d97d |
| SHA512 | e572e92d778b3f20d3467bb649ad692246f52ca4f4afe22e308c8aab46e437435a1eab043521d2bdb2e3dd987a1b837df1698860b145834a456a79b4dc9f29f7 |
memory/2676-18-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0c6319259e0613acb36047aa9dee83d5 |
| SHA1 | f99688b42665f3602ac7c75c2602c3549d840422 |
| SHA256 | a3b314db36771596611b731a476c78c0e22d7f01d0671102051d56d1b0c00b3a |
| SHA512 | 42662d9e527e932c6c48bf31de64f93174f26f11c038dd9178da1258b50e23d98e47d50c9c6d113ae49d1936271ae870fe800af392f28ad8d801fe460c7ba432 |
memory/2700-21-0x0000000000400000-0x0000000000490000-memory.dmp
\Users\Admin\AppData\Local\Temp\ilmun.exe
| MD5 | c7c183c509dbda43c749c8ac747ddc68 |
| SHA1 | 2690d36417f8e5fc5490792827f33e710648d1fd |
| SHA256 | aea54e7e14bf1c6cac7ffb279cc73f329f2d6dbd3e0f34cadf9343e2c0b9d2ef |
| SHA512 | ff464f4080d9b99e1f359abdb4f62f35795c31e0eb9fdb6a44d1edf81141c2041ef1a4484a871e0b1ce0eed9e816b11f927ae1c975fb43c8cc72791dcb8155c8 |
memory/2700-38-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2700-34-0x0000000003190000-0x0000000003246000-memory.dmp
memory/2192-39-0x0000000000AB0000-0x0000000000B66000-memory.dmp
memory/2192-41-0x0000000000AB0000-0x0000000000B66000-memory.dmp
memory/2192-42-0x0000000000AB0000-0x0000000000B66000-memory.dmp
memory/2192-43-0x0000000000AB0000-0x0000000000B66000-memory.dmp
memory/2192-44-0x0000000000AB0000-0x0000000000B66000-memory.dmp
memory/2192-45-0x0000000000AB0000-0x0000000000B66000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-28 00:19
Reported
2024-07-28 00:22
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dufui.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dufui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\detyq.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dufui.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\detyq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe
"C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe"
C:\Users\Admin\AppData\Local\Temp\dufui.exe
"C:\Users\Admin\AppData\Local\Temp\dufui.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\detyq.exe
"C:\Users\Admin\AppData\Local\Temp\detyq.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| NL | 52.111.243.30:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
memory/532-0-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dufui.exe
| MD5 | 8e9bd4e4f9cc91d9765256e158a7022b |
| SHA1 | 8e0934f0d363af548aae5ff1cbdef3c6d0601c82 |
| SHA256 | daa24eafd4c551aeaf50aa897338884979985651caf3786926c26f7115df09f4 |
| SHA512 | 3b35fc7b6e8a2757836343b84a568936495ef3ede412c04864b6e9958f669cd974cb078395d9476f65eea786b45bdd3e35edb865241de50ab09ea68e5b4ad607 |
memory/3624-12-0x0000000000400000-0x0000000000490000-memory.dmp
memory/532-14-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | d99a5f0afa5abf38f0f6ba217b2fef4e |
| SHA1 | e2b5bd266d10f7916fe4cf23589a0bd047256c50 |
| SHA256 | 6602f7ea5cf6eafecaad20bc0d8a855780844123f02e69a97d51bed8ee90d97d |
| SHA512 | e572e92d778b3f20d3467bb649ad692246f52ca4f4afe22e308c8aab46e437435a1eab043521d2bdb2e3dd987a1b837df1698860b145834a456a79b4dc9f29f7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | c905a760f1cb2d31e5ccbff0084ef579 |
| SHA1 | b36eb9ebaaab504131c18666ee3069e2e9531634 |
| SHA256 | 56ef4a3dc7737fc04b121cd2d6669285ee6a3097283adf98ac9d5050e82cbcfa |
| SHA512 | a8e1c26de0df20c9265d5775791dc2d1afc64a2f8df36d5518de1c467a369c40ecf21b3f5e7176cbd013fb423373763b7a1c59e4fb30d1ec1718059e854b39be |
memory/3624-17-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\detyq.exe
| MD5 | 563a51f1a4e5a6374fb32f916aa658b4 |
| SHA1 | 8103c7403e8e1168f519a8f59eed23037ba04338 |
| SHA256 | 4fcbf8bad0fa761daa97890ec3cdd04b6b800875a0a4f9200753c04ba69d5a41 |
| SHA512 | 029d489df4045b766852d95b221459c5060bac2d2546aa3716ea082e192e825857c2ce6fc682cec7e23697e1b0ff49c2c49ffc6cced19e16abe916f02cb1f3cf |
memory/4956-37-0x0000000000CA0000-0x0000000000D56000-memory.dmp
memory/4956-36-0x0000000000C90000-0x0000000000C91000-memory.dmp
memory/3624-35-0x0000000000400000-0x0000000000490000-memory.dmp
memory/4956-39-0x0000000000CA0000-0x0000000000D56000-memory.dmp
memory/4956-40-0x0000000000CA0000-0x0000000000D56000-memory.dmp
memory/4956-41-0x0000000000CA0000-0x0000000000D56000-memory.dmp
memory/4956-42-0x0000000000CA0000-0x0000000000D56000-memory.dmp
memory/4956-43-0x0000000000CA0000-0x0000000000D56000-memory.dmp