Analysis Overview
SHA256
ed6ea4d610a46302552d12c74f259d7d5eddfff04f6263241ffdac17d9cf6e91
Threat Level: Known bad
The file 434927414b3d9bb823b1fbd9e6004850N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-01 05:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 05:34
Reported
2024-08-01 05:36
Platform
win7-20240704-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tuavu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bexipy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ziheq.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tuavu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tuavu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bexipy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tuavu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bexipy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ziheq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe
"C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe"
C:\Users\Admin\AppData\Local\Temp\tuavu.exe
"C:\Users\Admin\AppData\Local\Temp\tuavu.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\bexipy.exe
"C:\Users\Admin\AppData\Local\Temp\bexipy.exe" OK
C:\Users\Admin\AppData\Local\Temp\ziheq.exe
"C:\Users\Admin\AppData\Local\Temp\ziheq.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2068-2-0x0000000000400000-0x0000000000467000-memory.dmp
\Users\Admin\AppData\Local\Temp\tuavu.exe
| MD5 | 8325b9dafc7f2b7beed0170c4081c7d6 |
| SHA1 | 1115bc23f2323a2dff82a31e1348089ce334ee9c |
| SHA256 | 8cf72f1f54b95ef559ba5df852519f5b9f4e46d70a5afd5b44478c9f44576ead |
| SHA512 | e009997efb557da4c75e18aea25738aef18509d3b7d7a0840a89ce1b48b8c2cca0633c2675a6eff787540ffbac9c83b3db0de9d3f45d4c6ae06663845059bcff |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 6e7fbaae10a0e33d5d4de64ebb9ae2d1 |
| SHA1 | f7c0055bf69a6ceeecac7d6923aaf4f6e2127491 |
| SHA256 | 2e68488559194c6252e03d5d6127ec84b4f8d2570182600d7c5f424c8606d688 |
| SHA512 | a4ffbb622de18ce97775bd11c0dbb2c00579d773e139276f88bea4032ba8394dc387d0d4cd2593bc6e938bd83050cd6bd37cd2ae61a22170ea7f5425588db796 |
memory/2068-23-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2072-22-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2068-21-0x0000000002D20000-0x0000000002D87000-memory.dmp
memory/2068-19-0x0000000002D20000-0x0000000002D87000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 07e27cfec7f749c49c203efb0289453e |
| SHA1 | 6bc4a62e95b90911bdd618d5e9883bd9a181acf7 |
| SHA256 | a9b0efdb735752e948dff2c3e532882f0b29fe31d134a99dd49f79d40b25e876 |
| SHA512 | 834b3d8b076834908e51d1546012d9791e7d9c3dcdb969b994a9e12a4d0d2f99837f194a7a345f9d8589b92cbd7406eab2821a94108cc8e89b298fb07162a482 |
\Users\Admin\AppData\Local\Temp\bexipy.exe
| MD5 | d36393e055f616d51bf91f7df8a24eb6 |
| SHA1 | 0487265da00199c814091d306bbb3e1a5a6c3ecc |
| SHA256 | 54227490a7d947b20e186a9325a3509a0c7a85316dc75a658f44be6263f5bf24 |
| SHA512 | d83a70881b90d32cc13c19f772655d5e4e0bfbc681777d65561c25504056f53bd71710825c4dbbf386db157cc45b22785310eee489fe30a869e3521e78de19a1 |
memory/2836-40-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2072-39-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2072-37-0x00000000037B0000-0x0000000003817000-memory.dmp
memory/2072-36-0x00000000037B0000-0x0000000003817000-memory.dmp
memory/2836-41-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | f390a382077a9e3dc1c9539c0ca4747e |
| SHA1 | 137ae28093a106fb32d37cd6073c0e911ba45f24 |
| SHA256 | 293fbd6c74e6d0167f4cb80f5594e0dee42de9f21d7ed33a9342674c873a373c |
| SHA512 | 76ef7be0254c710578c639867a1502206313315a779b4e5f2ff69ab96287a9c268b9a7296cc84fdf7641ff5cf2fa593c94829370a27e7f1f933b0dd6fcf72564 |
\Users\Admin\AppData\Local\Temp\ziheq.exe
| MD5 | 1756437b41f115ec113291cdf01fd23d |
| SHA1 | 3962323bc753d69bf51436f12bb14c4f7e322c53 |
| SHA256 | 9897eed9b10531e904dea938f85e091c68ad85b3375d8c1cb268cc3b545e911b |
| SHA512 | c42d0f7f7b51a58075533a458d6fadf1fe965ae94edc2feac76d72455e093f35ff68e8a047a6a4ebde6bb09d34999528377980df45d4026ad6aca6a3407a86c9 |
memory/816-66-0x00000000010D0000-0x0000000001170000-memory.dmp
memory/2836-64-0x0000000000400000-0x0000000000467000-memory.dmp
memory/816-70-0x00000000010D0000-0x0000000001170000-memory.dmp
memory/816-71-0x00000000010D0000-0x0000000001170000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 05:34
Reported
2024-08-01 05:36
Platform
win10v2004-20240730-en
Max time kernel
119s
Max time network
93s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\lykoh.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\hoheak.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lykoh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hoheak.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\isloc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hoheak.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\isloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lykoh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe
"C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe"
C:\Users\Admin\AppData\Local\Temp\lykoh.exe
"C:\Users\Admin\AppData\Local\Temp\lykoh.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\hoheak.exe
"C:\Users\Admin\AppData\Local\Temp\hoheak.exe" OK
C:\Users\Admin\AppData\Local\Temp\isloc.exe
"C:\Users\Admin\AppData\Local\Temp\isloc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/1500-0-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lykoh.exe
| MD5 | 7244ee7629369fb165cafbf4ef4edbe5 |
| SHA1 | d2722db572ae31a6581d3f603595d96f8a977d52 |
| SHA256 | c74952217a81e52f33f31d6ed800cb55463ff94fb966444e980585745900f361 |
| SHA512 | a664e75291ead5996c904ab38c5f3f80bfffcbbd3a97657894a230f7eb99bc4c722332973f8f8471a135d9430c8a0a7b801ca40d48eb282df71777d305541541 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 362605c62950071ad394637fc79c3b8d |
| SHA1 | e704c9bc29aec617515e395e2330bc34206e655e |
| SHA256 | 6439f5fb04dcb9bc227e205d48e3f810ca8e8e8580c4070c21f96f5e7c04d0a1 |
| SHA512 | 312c97c4c67b1479c02f4e4f190bab3b2a8bb027462932be818a062e5671a91387d52c7cc95e1e1e17418651288ad642a420761ee8054fccccde472836dd3471 |
memory/1500-16-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 6e7fbaae10a0e33d5d4de64ebb9ae2d1 |
| SHA1 | f7c0055bf69a6ceeecac7d6923aaf4f6e2127491 |
| SHA256 | 2e68488559194c6252e03d5d6127ec84b4f8d2570182600d7c5f424c8606d688 |
| SHA512 | a4ffbb622de18ce97775bd11c0dbb2c00579d773e139276f88bea4032ba8394dc387d0d4cd2593bc6e938bd83050cd6bd37cd2ae61a22170ea7f5425588db796 |
C:\Users\Admin\AppData\Local\Temp\hoheak.exe
| MD5 | 18d0c449a01fbcaad6d74243d2f9c634 |
| SHA1 | ec8ece814903de5ce1190d4beba66989757afc86 |
| SHA256 | ffe6018e61b61ff4b047e0186c7b40ee0e9a87c2039048ff6a67f46797bab423 |
| SHA512 | 191d5b86916d8244e3c061fbbe2c44f3b0b038c4e11f41e671998b2f5c4f4b86ac4e0346faadf0e3a6837690d269d49c2e7d7483e6ad806719340f57a4739a27 |
memory/3560-26-0x0000000000400000-0x0000000000467000-memory.dmp
memory/112-27-0x0000000000400000-0x0000000000467000-memory.dmp
memory/112-28-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\isloc.exe
| MD5 | a7b65f771726af9f21b7f3fe5e058ba1 |
| SHA1 | c71f248a8eea5a6b70ea65d517f2792a9bdddce8 |
| SHA256 | 43a901f766ae996fa2e57f8bbbcd838f9563caa43683357c520504799b28cbba |
| SHA512 | 317e3bae191a023413c0cddebb462f8b1b92c26ba1591e1927425ddc782de211ee54949079b1c280105ef60f50c072e11c62684720f74775659cf505d0b01325 |
memory/2400-47-0x0000000000E50000-0x0000000000EF0000-memory.dmp
memory/112-51-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 189bb0dc35d8fd7d11c1ddba520d5d6b |
| SHA1 | 857f5dcc30fc90ae9c7f6ce6a6d11c76c149298a |
| SHA256 | 144b78d078c7dfcec76f260076a7119763b2fb04c3d759567567fca75e541926 |
| SHA512 | bbe52f4fdb29b569c639fee22e352ef8163d87ca2638c8e661f6037f19f438d174972b9f93c6735c5e285bc8eca26a2cffd82d52abc0d828afbbe6ccf739ae82 |
memory/2400-53-0x0000000000E50000-0x0000000000EF0000-memory.dmp
memory/2400-54-0x0000000000E50000-0x0000000000EF0000-memory.dmp