Analysis Overview
SHA256
89ed2ff188c84fc98fa5aec6914dc96d5e480bc6a1160050aa89cbbdd822e890
Threat Level: Known bad
The file 3bfb0560881a2192e0e5822998cf9a90N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Loads dropped DLL
Deletes itself
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-01 04:25
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 04:25
Reported
2024-08-01 04:27
Platform
win7-20240705-en
Max time kernel
120s
Max time network
119s
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ryhog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qybec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ryhog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ryhog.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ryhog.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qybec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe
"C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe"
C:\Users\Admin\AppData\Local\Temp\ryhog.exe
"C:\Users\Admin\AppData\Local\Temp\ryhog.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\qybec.exe
"C:\Users\Admin\AppData\Local\Temp\qybec.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\ryhog.exe
| MD5 | 8d6d60f5c43b6c3de20b729aa018826e |
| SHA1 | 53db40b03577e89586541d8e99f4c43997af47af |
| SHA256 | b021ab45e478b4bb21fae0d6b9957c942b760b162717bdbdff0b58a783ccab6f |
| SHA512 | 261a345811b2e3759a32ee37f3d43db6e190bd24a34004a1fa542cbe56fb48badf71a3fa178ca8aa888d0cda25de6a8662a120d71cbd67d817c7aef433687796 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 63dac65e49c3d5c950d92037a21460a1 |
| SHA1 | 8a344ccefb34634747379346a17af075add97c3f |
| SHA256 | 43951d7fb4735c2decbf40ca8656ff7f9917796c771943a0b4d7557157e4f355 |
| SHA512 | bc854428d78d962da9c0e11a0be84c4e607f5f5140c9acae30ec8d209e291ae3eedb3a79626d9ab7710223dc0bd1c256e962b09d14b015267467ecfdaa0f8a85 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 954e14b5370b87b5b94f72b10458537a |
| SHA1 | 45c9d3199e80465309475c204bdeab5b906d6ebf |
| SHA256 | e3de093705c0a169cc543524a6a031ab8164033f44382946406b9135e26598ea |
| SHA512 | 3d01610c82b2f423004fd884e8c94b8403cbdffd05876bfe74bd292e989a1312de70b299f8861aa9dcf6e9f337e1df6b0a85dec54e5e710e429a018d4960ded8 |
\Users\Admin\AppData\Local\Temp\qybec.exe
| MD5 | 47d714f76f29cef8f758f76516e5bdf9 |
| SHA1 | f62d7d53f57038755990d95be0cb81825573e654 |
| SHA256 | a4f5f533fc533173cde4e9dd434d1f444d24abd490d89815a185522a4ff80895 |
| SHA512 | 4a72317ce1ae4a8ab21ffeb1d71de11b9a6bcb0efa7b648d10ae1c71f346cf36c6c072bf7f1e689ef61660390ae482219e4ddcd3720ff4418f5cedc44260662a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 04:25
Reported
2024-08-01 04:27
Platform
win10v2004-20240730-en
Max time kernel
119s
Max time network
96s
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qoqug.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qoqug.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jeodg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qoqug.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jeodg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe
"C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe"
C:\Users\Admin\AppData\Local\Temp\qoqug.exe
"C:\Users\Admin\AppData\Local\Temp\qoqug.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\jeodg.exe
"C:\Users\Admin\AppData\Local\Temp\jeodg.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\qoqug.exe
| MD5 | 7467a7b0ade2656b1939fd3941429068 |
| SHA1 | 7d0c12c5d34f68120e8d60b00c898acd01c51057 |
| SHA256 | a2b996c4e7136d40e42fbb11b74909719298b84305d24baace66777040a68eaf |
| SHA512 | 7edac92db49eb80bf5a3450fdc664e6b6fd5146b52173ed7024919a306d055342d5d34d107ce045cf0539663646d721cf05a447e38e3fda0cf49bfe2886b6b98 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 63dac65e49c3d5c950d92037a21460a1 |
| SHA1 | 8a344ccefb34634747379346a17af075add97c3f |
| SHA256 | 43951d7fb4735c2decbf40ca8656ff7f9917796c771943a0b4d7557157e4f355 |
| SHA512 | bc854428d78d962da9c0e11a0be84c4e607f5f5140c9acae30ec8d209e291ae3eedb3a79626d9ab7710223dc0bd1c256e962b09d14b015267467ecfdaa0f8a85 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0b08283183776ba7cf50ec259a29b001 |
| SHA1 | 847af9b8bd24a0b437da3f151395d0df42ac0bcf |
| SHA256 | 8b3c3f2fe6ef6cc6ce99bc9099be1a1ef6bc2088e6d6198bb8ac9a4485183a44 |
| SHA512 | bab66a84315a60797fc25fb285018c349029093ec6b3dfa2cc40d59da0a80aaf1b9238d7b9a8c300c092e6332d9ece0ecf5949e014e1dc6c9bf526d209f79340 |
C:\Users\Admin\AppData\Local\Temp\jeodg.exe
| MD5 | 56b903e172f97a394c22b8c3f9156b9f |
| SHA1 | 96fae3f831b72ce6f857a277c5895dac59910846 |
| SHA256 | ad07c912b907722f30858919ec43633b072ba11df6607d367d0c62afad541bf0 |
| SHA512 | c16126465e34c1cc27525fc09c28dae07fa2229ef2495437cc519d1da80ca0e4505a936a132029bb22602539d1d8bbddc84232de7c3c33bfdcb6eba398ee0b48 |