Analysis Overview
SHA256
fd63c2da89f16a4a2db0a86f79472a72ffd4330458d12201fa0571dc94a1f28f
Threat Level: Known bad
The file 78743c3f85b3485ec2a49a07529bc760N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-01 12:35
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 12:35
Reported
2024-08-01 12:37
Platform
win7-20240708-en
Max time kernel
16s
Max time network
16s
Command Line
Signatures
Urelas
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fuevj.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1640 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | C:\Users\Admin\AppData\Local\Temp\fuevj.exe |
| PID 1640 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | C:\Users\Admin\AppData\Local\Temp\fuevj.exe |
| PID 1640 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | C:\Users\Admin\AppData\Local\Temp\fuevj.exe |
| PID 1640 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | C:\Users\Admin\AppData\Local\Temp\fuevj.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe
"C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe"
C:\Users\Admin\AppData\Local\Temp\fuevj.exe
"C:\Users\Admin\AppData\Local\Temp\fuevj.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\fuevj.exe
| MD5 | ebfdecdb79e55cf7850ae1e46487ef06 |
| SHA1 | 8da71d52c9497f7d3c7019753e64965edcf72715 |
| SHA256 | a32b773d819f91a580bba13a6d7149dfef61b78da427a51429357aa1bb9bf9ff |
| SHA512 | 297b5c966cc2387c615d833120b314e8f08f501863411ba4d66cd0c9e0400b9dea436252d66e64782d99aeb2e7ccee5072acbe3e079d5912e17d7720a6d93d00 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 4576b45dbc7263392889a9f595148277 |
| SHA1 | b0f22ac4707bafb43a7bccdb5ce31c5a5a8b6b63 |
| SHA256 | 8924c7694f4f23a6b9a97ce46fddc6f1b98a8c12d9c7c2a4bd86291153523b0f |
| SHA512 | f520fb45beb4e6d82f8348056f26c9cc72b2af62ac4ef4cf12dc1060c9d9d97d80c66d2459a7454e3033b9dfe1ce5eeee7624f21c3255d429a29db35d55b8c38 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 12:35
Reported
2024-08-01 12:37
Platform
win10v2004-20240730-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uxumh.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uxumh.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4528 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | C:\Users\Admin\AppData\Local\Temp\uxumh.exe |
| PID 4528 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | C:\Users\Admin\AppData\Local\Temp\uxumh.exe |
| PID 4528 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe | C:\Users\Admin\AppData\Local\Temp\uxumh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe
"C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe"
C:\Users\Admin\AppData\Local\Temp\uxumh.exe
"C:\Users\Admin\AppData\Local\Temp\uxumh.exe"
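Both behavioral runs show the same three-step chain: the sample creates a new .exe under the user's Temp directory, executes it (the "Executes dropped EXE" rows), and then writes into that child's memory (the "Suspicious use of WriteProcessMemory" rows, 1640 -> 1880 in behavioral1 and 4528 -> 3184 in behavioral2). The detector below is an added example and not the sandbox's own code: it walks an endpoint event stream modelled on Sysmon process-create, file-create and cross-process memory-write records (the event field names are assumptions) and only raises a finding when all three steps complete for the same parent/child pair, so a plain parent-child launch or a lone memory write does not fire. The events are constructed; the image paths and PIDs are the ones this report lists.

```python
"""Detect the drop, execute, write-into-child chain from both behavioral runs.

Added example, not the sandbox's own code.  Event field names are assumed;
the image paths and PIDs are taken from the report, everything else in the
event streams is constructed for this example.
"""
import re
from collections import defaultdict

TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe"


def run_events(dropper_pid, child_pid, child_image):
    """Constructed event stream for one detonation, in arrival order."""
    return [
        {"type": "process_create", "pid": dropper_pid, "ppid": 900, "image": DROPPER},
        {"type": "file_create", "pid": dropper_pid,
         "path": r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini"},
        {"type": "file_create", "pid": dropper_pid, "path": child_image},
        {"type": "process_create", "pid": child_pid, "ppid": dropper_pid, "image": child_image},
        # The report logs several writes per run; exactly one finding should result.
        {"type": "remote_write", "pid": dropper_pid, "target_pid": child_pid},
        {"type": "remote_write", "pid": dropper_pid, "target_pid": child_pid},
        # Benign control: a normal child launch with no drop and no memory write.
        {"type": "process_create", "pid": 2000, "ppid": 900,
         "image": r"C:\Windows\System32\notepad.exe"},
    ]


RUNS = {
    "behavioral1": run_events(1640, 1880, r"C:\Users\Admin\AppData\Local\Temp\fuevj.exe"),
    "behavioral2": run_events(4528, 3184, r"C:\Users\Admin\AppData\Local\Temp\uxumh.exe"),
}


def detect_drop_and_inject(events):
    """Return one finding per (parent, child) pair that completes all three steps."""
    images = {}                  # pid -> image path
    dropped = defaultdict(set)   # pid -> lower-cased .exe paths it created in Temp
    spawned = {}                 # child pid -> parent pid, only for dropped executables
    reported = set()
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            path = ev["path"]
            if TEMP_DIR.match(path) and path.lower().endswith(".exe"):
                dropped[ev["pid"]].add(path.lower())
        elif kind == "process_create":
            images[ev["pid"]] = ev["image"]
            if ev["image"].lower() in dropped[ev["ppid"]]:
                spawned[ev["pid"]] = ev["ppid"]
        elif kind == "remote_write":
            parent, child = ev["pid"], ev["target_pid"]
            if spawned.get(child) == parent and (parent, child) not in reported:
                reported.add((parent, child))
                findings.append({
                    "parent_pid": parent, "parent_image": images.get(parent),
                    "child_pid": child, "child_image": images.get(child),
                    "reason": "dropped an .exe into Temp, executed it, then wrote to its memory",
                })
    return findings


if __name__ == "__main__":
    for run, events in RUNS.items():
        for f in detect_drop_and_inject(events):
            print(f"{run}: PID {f['parent_pid']} -> PID {f['child_pid']} {f['child_image']}")
```

Requiring the child to be an executable the parent itself wrote into Temp is what keeps this rule quiet on installers and update agents that legitimately spawn children; the memory write on top of that is the part that separates the chain in this report from an ordinary dropper.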
Network
None of the connections below is attributed to a process in this report. They consist of DNS to 8.8.8.8 (forward lookups plus reverse lookups of a handful of addresses) and a single TCP/443 session to g.bing.com, a Microsoft domain, which is consistent with Windows 10 background traffic on the win10v2004 image; treat this as sandbox baseline rather than sample C2 unless a capture with process attribution shows otherwise. The shorter win7 run recorded no network activity at all.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\uxumh.exe
| MD5 | 67fe85901cbfe05bf6852001fb2ce761 |
| SHA1 | 0c353b3c4d080359d521c53597e5883fdad8e95f |
| SHA256 | 4c226733d8f3a5743200e61ffc91bdd7b785a04041669c30c097d9ef67cf8ee4 |
| SHA512 | e05d89149fc7a89ab861fbb4ff43c96391279324e092bfd46dc1fa4ef8f4cb12ef8b7a24c04168b44e6cc42edaab41fa56a7bf11c1b2c13d141b1b006c65483d |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8007db22973fa49184ba65ae2350178b |
| SHA1 | 170d310e840a1c7c11db01c5c84a9604e4c22301 |
| SHA256 | c09c90f054686d30cc3aba3b62300cfd5b46e389809d938255ea186f79acdeb0 |
| SHA512 | 775ac014c069a69d225e679e50684bbc32d757c4c068e07d32a5f62b25f2ec93daf98b1e84afea7117c28c92915836845c8f77faa197409391757da061277db6 |
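One thing to notice in the two Files sections: the dropped executable and golfinfo.ini have different hashes in behavioral1 and behavioral2, so the dropper regenerates both per execution and a hash of either artifact will not match the next detonation. The triage routine below is an added example, not part of the sandbox report: it hashes each file in a Temp directory with the algorithms the report uses, matches against the report's hashes (flagging a partial match separately, since one algorithm agreeing while the others do not almost always means a mis-copied digest in the IOC table), and then applies a name-based heuristic that the hash check cannot give. The heuristic, a five-lowercase-letter .exe sitting beside golfinfo.ini, is an assumption drawn only from the two names in this report. The directory contents are constructed bytes; the only real values are the MD5/SHA-1/SHA-256 digests copied from the report (SHA-512 left out for width).

```python
"""Triage a Temp directory against the file artifacts from both runs.

Added example, not part of the sandbox report.  REPORT_IOCS holds digests
copied from the report; SAMPLE_DIR and the five-letter-name heuristic are
constructed/assumed for this example.
"""
import hashlib
import re

REPORT_IOCS = {
    "fuevj.exe (behavioral1)": {
        "md5": "ebfdecdb79e55cf7850ae1e46487ef06",
        "sha1": "8da71d52c9497f7d3c7019753e64965edcf72715",
        "sha256": "a32b773d819f91a580bba13a6d7149dfef61b78da427a51429357aa1bb9bf9ff",
    },
    "uxumh.exe (behavioral2)": {
        "md5": "67fe85901cbfe05bf6852001fb2ce761",
        "sha1": "0c353b3c4d080359d521c53597e5883fdad8e95f",
        "sha256": "4c226733d8f3a5743200e61ffc91bdd7b785a04041669c30c097d9ef67cf8ee4",
    },
    "golfinfo.ini (behavioral1)": {
        "md5": "4576b45dbc7263392889a9f595148277",
        "sha1": "b0f22ac4707bafb43a7bccdb5ce31c5a5a8b6b63",
        "sha256": "8924c7694f4f23a6b9a97ce46fddc6f1b98a8c12d9c7c2a4bd86291153523b0f",
    },
    "golfinfo.ini (behavioral2)": {
        "md5": "8007db22973fa49184ba65ae2350178b",
        "sha1": "170d310e840a1c7c11db01c5c84a9604e4c22301",
        "sha256": "c09c90f054686d30cc3aba3b62300cfd5b46e389809d938255ea186f79acdeb0",
    },
}

# Assumption based on this report alone: both dropped names are five lowercase letters.
RANDOM_EXE = re.compile(r"^[a-z]{5}\.exe$")
ALGS = ("md5", "sha1", "sha256", "sha512")


def hash_all(data):
    """Digest the bytes with every algorithm the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGS}


def match_ioc(hashes, ioc):
    """'full' when every algorithm the IOC carries agrees, 'partial' when only
    some do (almost always a mis-copied hash in the IOC table), else None."""
    agree = [hashes[alg] == digest for alg, digest in ioc.items()]
    if all(agree):
        return "full"
    return "partial" if any(agree) else None


def triage(files):
    """files: {name: bytes} for one Temp directory.  Returns (kind, name, detail) tuples."""
    findings = []
    for name, data in files.items():
        h = hash_all(data)
        for label, ioc in REPORT_IOCS.items():
            kind = match_ioc(h, ioc)
            if kind:
                findings.append((f"hash_{kind}", name, label))
    if "golfinfo.ini" in files:
        for name in sorted(files):
            if RANDOM_EXE.match(name):
                findings.append(("heuristic", name, "five-letter .exe beside golfinfo.ini"))
    return findings


def hashes_stable(label_a, label_b):
    """True if the report gives identical digests for an artifact in both runs."""
    return REPORT_IOCS[label_a] == REPORT_IOCS[label_b]


# Constructed directory listing; the bytes are invented for this example.
SAMPLE_DIR = {
    "golfinfo.ini": b"[golf]\nconstructed=1\n",
    "qwert.exe": b"MZ" + b"\x00" * 62,
    "notes.txt": b"unrelated user file\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_DIR):
        print(finding)
    print("dropped .exe digests identical across runs:",
          hashes_stable("fuevj.exe (behavioral1)", "uxumh.exe (behavioral2)"))
    print("golfinfo.ini digests identical across runs:",
          hashes_stable("golfinfo.ini (behavioral1)", "golfinfo.ini (behavioral2)"))
```

Run against a real host, the hash branch catches exactly the two detonations above and nothing else, while the name heuristic is what would surface a fresh drop; the main-sample SHA-256 at the top of the report remains the one digest worth blocking on its own.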