Analysis Overview
SHA256
92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7
Threat Level: Known bad
The file 92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7 was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Deletes itself
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 01:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 01:37
Reported
2024-07-28 02:38
Platform
win7-20240704-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesio.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kiojx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesio.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kiojx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tesio.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe
"C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe"
C:\Users\Admin\AppData\Local\Temp\tesio.exe
"C:\Users\Admin\AppData\Local\Temp\tesio.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\kiojx.exe
"C:\Users\Admin\AppData\Local\Temp\kiojx.exe"
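The process list above is the chain behind the "Executes dropped EXE" and "Deletes itself" signatures: an executable in the user's Temp directory starts another Temp-resident executable, and cmd.exe is launched with /c on a batch file (_uinsey.bat) in the same directory. The Python below is an added detection example, not part of the sandbox report. It runs two rules over simplified Sysmon-style process-creation records built from this page's behavioral1 process list; the PIDs, the parent/child links (the report prints the processes but not the tree) and the record field names are assumptions, and the last record is a constructed benign control.

```python
import re
from typing import Dict, List, Tuple

# Matches a path under the per-user Temp directory, regardless of user name.
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Pulls the batch file out of cmd.exe /c ""<path>.bat" " style command lines.
BAT_RE = re.compile(r'/c\s+"*([^"]+?\.bat)"*', re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe"
TESIO = r"C:\Users\Admin\AppData\Local\Temp\tesio.exe"
KIOJX = r"C:\Users\Admin\AppData\Local\Temp\kiojx.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\_uinsey.bat"

# Constructed process-creation records modelled on the behavioral1 process list.
# PIDs and parent links are assumptions; the report does not print the tree.
EVENTS: List[Dict[str, object]] = [
    {"pid": 101, "ppid": 100, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 102, "ppid": 101, "image": TESIO, "cmdline": f'"{TESIO}"',
     "parent_image": SAMPLE},
    {"pid": 103, "ppid": 102, "image": CMD,
     "cmdline": f'cmd /c ""{BAT}" "', "parent_image": TESIO},
    {"pid": 104, "ppid": 102, "image": KIOJX, "cmdline": f'"{KIOJX}"',
     "parent_image": TESIO},
    # Constructed benign control: an admin script run from a non-Temp location.
    {"pid": 105, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Scripts\backup.bat"',
     "parent_image": r"C:\Windows\explorer.exe"},
]

Finding = Tuple[str, str, str]  # (rule, parent_image, object)


def in_temp(path: str) -> bool:
    """True when the path sits under a user's AppData\\Local\\Temp."""
    return bool(TEMP_RE.search(path))


def batch_from_cmdline(cmdline: str):
    """Return the .bat path passed to cmd.exe /c, or None."""
    m = BAT_RE.search(cmdline)
    return m.group(1) if m else None


def detect(events: List[Dict[str, object]]) -> List[Finding]:
    """Apply two rules derived from the report's process list.

    dropped_exe_exec:          Temp executable spawns another Temp executable.
    temp_batch_from_temp_exe:  Temp executable spawns cmd.exe /c on a Temp .bat
                               (the self-deletion pattern behind "Deletes itself").
    """
    findings: List[Finding] = []
    for e in events:
        image = str(e["image"])
        parent = str(e["parent_image"])
        if in_temp(parent) and in_temp(image) and image.lower().endswith(".exe"):
            findings.append(("dropped_exe_exec", parent, image))
        if image.lower().endswith("\\cmd.exe") and in_temp(parent):
            bat = batch_from_cmdline(str(e["cmdline"]))
            if bat and in_temp(bat):
                findings.append(("temp_batch_from_temp_exe", parent, bat))
    return findings


if __name__ == "__main__":
    for rule, parent, obj in detect(EVENTS):
        print(f"{rule}: {parent} -> {obj}")
```

The second rule deliberately requires both the parent executable and the batch file to live in Temp; cmd.exe running a batch file from a normal location (the constructed control record) is not flagged. Tune TEMP_RE if your telemetry normalises paths (for example, to %TEMP% or a device path).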
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2708-0-0x0000000000D50000-0x0000000000DD1000-memory.dmp
memory/2708-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\tesio.exe
| MD5 | 1ffd38de0a2c72b3d664f54c45534055 |
| SHA1 | 6f19b029db9630451dface97ecf288b6f1af06f0 |
| SHA256 | 36f4b813842871e5b7ac56c3f595ccc3693f6bff64d0ec5f2ec649ced4a3d27d |
| SHA512 | e2c12e0a9adcb98612c9ba744f8ebf6c933eefef684b0e8f65930370f3a97de3bb8c0de8a90503dd573d8f29621712b6472fe64c1bfc5eb1197408daca6bdf04 |
memory/2708-10-0x0000000002BC0000-0x0000000002C41000-memory.dmp
memory/2856-11-0x0000000000320000-0x00000000003A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 7b1968032ea98a7b0730c758d2d8c25a |
| SHA1 | dddb106ddc8444ea4386745aceb0cbb6e11a6002 |
| SHA256 | 8b7781c5aaf6ce44d1d2b53539365aa2a185e89ac33189dd452651157ed40402 |
| SHA512 | bfac538425702d252a18f0bbe05a8c1a5187d66950f8ae9ffed40608488c88c660a697c68bd0e547240b2bacd2ac58f1d9bccc809fa260692ff94d019d4174d5 |
memory/2856-18-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2708-21-0x0000000000D50000-0x0000000000DD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 37df1ac1f7bd0f6bd5add08dd9cd09c6 |
| SHA1 | 64045f37c96c44d70bfe0e596dfc3ee8aa6f1260 |
| SHA256 | a09aea54a512a094b892a79baa7093f007f684e9c64c37beec6a01b824cc5056 |
| SHA512 | 15c1e6580562242b6400ae80903e45b4206af00e4e157f9d571d0b7c52afa8ef851599afd0241a0077a294d7ba9b97ce310c9c419958552c4b66c011907bdee1 |
memory/2856-24-0x0000000000320000-0x00000000003A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\kiojx.exe
| MD5 | 261c8cfce53eba5dfcea9e1fda05b34a |
| SHA1 | 58d5cb6c541d0963c62aa632812b551c07e24a77 |
| SHA256 | 06d319f13144b56fcde3791c58246f4409394afd787976fdd2ab1c0716c18acc |
| SHA512 | 97416492c3a82960edb712d99d3b7fbf4330cae864f187a68d3bff38e763648dc71b0d01393f7e852c18c59ad3d3100aaa618d0202804cb42ba4d5a205d7dd90 |
memory/2856-37-0x0000000003290000-0x0000000003329000-memory.dmp
memory/2856-41-0x0000000000320000-0x00000000003A1000-memory.dmp
memory/2972-42-0x0000000000AA0000-0x0000000000B39000-memory.dmp
memory/2972-43-0x0000000000AA0000-0x0000000000B39000-memory.dmp
memory/2972-47-0x0000000000AA0000-0x0000000000B39000-memory.dmp
memory/2972-48-0x0000000000AA0000-0x0000000000B39000-memory.dmp
memory/2972-49-0x0000000000AA0000-0x0000000000B39000-memory.dmp
memory/2972-50-0x0000000000AA0000-0x0000000000B39000-memory.dmp
memory/2972-51-0x0000000000AA0000-0x0000000000B39000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-28 01:37
Reported
2024-07-28 02:38
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ynzyw.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ynzyw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xuewu.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ynzyw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xuewu.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe
"C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe"
C:\Users\Admin\AppData\Local\Temp\ynzyw.exe
"C:\Users\Admin\AppData\Local\Temp\ynzyw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\xuewu.exe
"C:\Users\Admin\AppData\Local\Temp\xuewu.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
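The Windows 10 run's Network table mixes the sample's own traffic with background noise the sandbox OS generates on its own (DNS to 8.8.8.8, PTR lookups, g.bing.com and tse1.mm.bing.net); only the four KR/JP hosts on tcp/11300 and tcp/11170 recur in both detonations. The Python below is an added example, not part of the sandbox report: it takes the destinations listed on this page, filters the noise, keeps the (ip, port) pairs common to both runs as C2 candidates, and matches them against a constructed flow log. The noise allowlist and the flow-record format are assumptions; the repeated tse1.mm.bing.net rows and most PTR lookups from the behavioral2 table are collapsed to one entry each.

```python
import ipaddress
from typing import Iterable, List, Set, Tuple

Dest = Tuple[str, int, str]  # (ip, port, domain) as printed in the Network tables
IOC = Tuple[str, int]

# Rows copied from the behavioral1 Network table on this page (Windows 7 run).
RUN1: List[Dest] = [
    ("218.54.31.226", 11300, ""),
    ("1.234.83.146", 11170, ""),
    ("218.54.31.166", 11300, ""),
    ("133.242.129.155", 11300, ""),
]

# Rows copied from the behavioral2 Network table (Windows 10 run), de-duplicated.
RUN2: List[Dest] = [
    ("8.8.8.8", 53, "28.118.140.52.in-addr.arpa"),
    ("8.8.8.8", 53, "g.bing.com"),
    ("13.107.21.237", 443, "g.bing.com"),
    ("8.8.8.8", 53, "237.21.107.13.in-addr.arpa"),
    ("218.54.31.226", 11300, ""),
    ("1.234.83.146", 11170, ""),
    ("8.8.8.8", 53, "tse1.mm.bing.net"),
    ("150.171.28.10", 443, "tse1.mm.bing.net"),
    ("218.54.31.166", 11300, ""),
    ("133.242.129.155", 11300, ""),
    ("8.8.8.8", 53, ""),
]

# Assumption: background traffic a stock Windows 10 sandbox produces by itself.
# Extend this for your own environment before treating anything as an IOC.
NOISE_DOMAIN_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
RESOLVERS = {"8.8.8.8"}


def is_noise(dest: Dest) -> bool:
    """Resolver traffic and known OS telemetry domains are not C2 indicators."""
    ip, port, domain = dest
    if ip in RESOLVERS and port == 53:
        return True
    d = domain.lower()
    return any(d == s.lstrip(".") or d.endswith(s) for s in NOISE_DOMAIN_SUFFIXES)


def c2_candidates(*runs: Iterable[Dest]) -> Set[IOC]:
    """(ip, port) pairs that survive the noise filter and appear in every run."""
    per_run = [
        {(ip, port) for ip, port, dom in run if not is_noise((ip, port, dom))}
        for run in runs
    ]
    return set.intersection(*per_run) if per_run else set()


def c2_ports(iocs: Set[IOC]) -> Set[int]:
    """Destination ports shared by the candidates (weaker, IP-agnostic signal)."""
    return {port for _, port in iocs}


# Constructed flow records (not from the report): "ts src sport dst dport proto".
SAMPLE_FLOWS = """\
2024-07-28T02:01:10 10.0.0.5 49812 218.54.31.226 11300 tcp
2024-07-28T02:01:12 10.0.0.5 49813 13.107.21.237 443 tcp
2024-07-28T02:01:30 10.0.0.7 51002 1.234.83.146 11170 tcp
2024-07-28T02:02:01 10.0.0.7 51003 1.234.83.146 80 tcp
2024-07-28T02:02:05 10.0.0.9 51010 203.0.113.7 11300 tcp
"""


def parse_flow(line: str):
    """Return (line, dst_ip, dst_port, proto) or None for malformed records."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, _src, _sport, dst, dport, proto = parts
    try:
        ipaddress.ip_address(dst)
        return line, dst, int(dport), proto.lower()
    except ValueError:
        return None


def match_flows(flow_text: str, iocs: Set[IOC]) -> List[str]:
    """Flow lines whose (dst, dport) is one of the C2 candidates."""
    hits: List[str] = []
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec and (rec[1], rec[2]) in iocs:
            hits.append(rec[0])
    return hits


def match_ports_only(flow_text: str, iocs: Set[IOC]) -> List[str]:
    """Lower-confidence: any tcp flow to a C2 port, for hunting new infrastructure."""
    ports = c2_ports(iocs)
    hits: List[str] = []
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec and rec[3] == "tcp" and rec[2] in ports:
            hits.append(rec[0])
    return hits


if __name__ == "__main__":
    iocs = c2_candidates(RUN1, RUN2)
    print("C2 candidates:", sorted(iocs))
    print("exact hits:", match_flows(SAMPLE_FLOWS, iocs))
    print("port-only hits:", match_ports_only(SAMPLE_FLOWS, iocs))
```

The exact (ip, port) match is the signal to alert on; the port-only match on 11300/11170 will also catch the constructed 203.0.113.7 flow and is only useful as a hunting query, since nothing on this page ties those ports to any host beyond the four listed.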
Files
memory/4764-0-0x0000000000350000-0x00000000003D1000-memory.dmp
memory/4764-1-0x0000000000800000-0x0000000000801000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ynzyw.exe
| MD5 | 182ba22c8700222a8ee9136aa118bfee |
| SHA1 | 5cdf21c6d535827a92b06df4e0cd94ca37652867 |
| SHA256 | e85a6dedd9341eef6141731cdd2869aa0062abedbe1c375f6ccd38a4cd9bbea5 |
| SHA512 | c76027d9d4a82fc310c005ab960e7ca6e68c8438b02a65a411e4bbbb91d6f9af33fd3c71e458de59f763d9209ca832e84d907e2dd7d20fad0a2c46f3b6f239b6 |
memory/1492-14-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
memory/1492-13-0x0000000000A10000-0x0000000000A91000-memory.dmp
memory/4764-16-0x0000000000350000-0x00000000003D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 7b1968032ea98a7b0730c758d2d8c25a |
| SHA1 | dddb106ddc8444ea4386745aceb0cbb6e11a6002 |
| SHA256 | 8b7781c5aaf6ce44d1d2b53539365aa2a185e89ac33189dd452651157ed40402 |
| SHA512 | bfac538425702d252a18f0bbe05a8c1a5187d66950f8ae9ffed40608488c88c660a697c68bd0e547240b2bacd2ac58f1d9bccc809fa260692ff94d019d4174d5 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9b0cbcdd1336fa1a5a58b286131f05ab |
| SHA1 | aa988a5ae10f4a718a8279d333ebd30e77e291e0 |
| SHA256 | dbfc0450dd1c0563861f8d1f05231dcc6cd4d7726931e05198d90f7e398b90c6 |
| SHA512 | 6087ef0a28a3a8068e2f19744ae9b9a2faafbcacd900dad1d19a01040cc81c378edf93f7a83ef8ad64b187d7c836af037d74c30701e97fba2c8f61cf9c501148 |
memory/1492-19-0x0000000000A10000-0x0000000000A91000-memory.dmp
memory/1492-21-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xuewu.exe
| MD5 | af3aed7b406c629fd4475ef711459e75 |
| SHA1 | f5909aa25e75653f9c3d72e7ad7712180c3bf097 |
| SHA256 | 9710a9b158e1c27ceb14756c2facf01f1961f7875274e92fc56e7cc3494d435b |
| SHA512 | c3514328819572c4ddb6d88ac56a3473300c056efeda87d07df564487404bfce6ce5ec466b3948e1b39ff90ecea865af4d41a23983239c8039cf1c7b31b74634 |
memory/1492-38-0x0000000000A10000-0x0000000000A91000-memory.dmp
memory/2108-39-0x00000000008F0000-0x0000000000989000-memory.dmp
memory/2108-43-0x0000000001420000-0x0000000001422000-memory.dmp
memory/2108-42-0x00000000008F0000-0x0000000000989000-memory.dmp
memory/2108-45-0x00000000008F0000-0x0000000000989000-memory.dmp
memory/2108-46-0x00000000008F0000-0x0000000000989000-memory.dmp
memory/2108-47-0x00000000008F0000-0x0000000000989000-memory.dmp
memory/2108-48-0x00000000008F0000-0x0000000000989000-memory.dmp
memory/2108-49-0x00000000008F0000-0x0000000000989000-memory.dmp