Analysis Overview
SHA256
7e1ccf09a845e970a03225fd762d070d4b4355140b213b868ca570b36d3e615d
Threat Level: Known bad
The file 7e1ccf09a845e970a03225fd762d070d4b4355140b213b868ca570b36d3e615d was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 23:36
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 23:36
Reported
2024-08-02 23:38
Platform
win7-20240705-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efpee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jepat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e1ccf09a845e970a03225fd762d070d4b4355140b213b868ca570b36d3e615d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efpee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efpee.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7e1ccf09a845e970a03225fd762d070d4b4355140b213b868ca570b36d3e615d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\efpee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jepat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7e1ccf09a845e970a03225fd762d070d4b4355140b213b868ca570b36d3e615d.exe
"C:\Users\Admin\AppData\Local\Temp\7e1ccf09a845e970a03225fd762d070d4b4355140b213b868ca570b36d3e615d.exe"
C:\Users\Admin\AppData\Local\Temp\efpee.exe
"C:\Users\Admin\AppData\Local\Temp\efpee.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\jepat.exe
"C:\Users\Admin\AppData\Local\Temp\jepat.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/3016-0-0x0000000000FD0000-0x0000000001032000-memory.dmp
\Users\Admin\AppData\Local\Temp\efpee.exe
| MD5 | fc09c3fbc390f0203baa9dc70529013f |
| SHA1 | ae2a80ae47c56b24aebea35b811a5f48f3a57f37 |
| SHA256 | e7cfd40db6f2d65fc8b13c1838c21d75b3795bdc96d863f58e0d7ddada66dc23 |
| SHA512 | 726c160ce62fa825fdaeb1263bf7808ef948d4360848ac14a10eb2642199fe6986b88aeefffccde768b6e46ebf2202b104fc724adde7543d8599101b0c36597b |
memory/3016-6-0x0000000000C50000-0x0000000000CB2000-memory.dmp
memory/2348-10-0x0000000000F90000-0x0000000000FF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 7c8f3e59650c54f4f82068e6f7f75686 |
| SHA1 | 21c92af46af5206cb2bef18cecc8ebbe07d6e55b |
| SHA256 | 238e7ffe1e646f050c9d7fb8acb4dd605c48ec7701422fe58e2785c4d65b5ae5 |
| SHA512 | 1c935beee93323c48023e0cb2050c6922a86549705a0fa4984e7919b83ba8d48ba96eab9844f3658937f3023982466a7c08d34f504e07f8345fcc1f773084e56 |
memory/3016-18-0x0000000000FD0000-0x0000000001032000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 20c53bb24f83b3310d496aa48c4fed8a |
| SHA1 | 57f43b157bd7f8706e541354d5cb14bf17b67486 |
| SHA256 | a472844e505bf27de134b9a67d246a84154509423729b16828d6813b916fc21f |
| SHA512 | cd1d1009296a0bcc3868ef74977bc9a899d1e715ff9765ee03c9f6f61d4d226cfb9e58164de2881144070a87c7c1ed10d2aac2d04560b4287dcf7e4973d5bdf3 |
\Users\Admin\AppData\Local\Temp\jepat.exe
| MD5 | c2c8317abeaaf99f428a48e5d7cb4e75 |
| SHA1 | cd1c86481d2fe4392a35815c1c0fc4e94fe87389 |
| SHA256 | a967aae0a384cff9aa61eb5b59597f5362ddc1af1f30e4b05e9cad660a7a003f |
| SHA512 | eee438e31a5147eacdf6100302962bbe62712f0195df8bfdb6f3d50e700b551f8c4256c86c25deb55f7e2b0a43e6d64bbb055ed5290f210c43adc0920a1670a3 |
memory/2348-30-0x0000000000F90000-0x0000000000FF2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 23:36
Reported
2024-08-02 23:38
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7e1ccf09a845e970a03225fd762d070d4b4355140b213b868ca570b36d3e615d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gicyl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gicyl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywfoe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7e1ccf09a845e970a03225fd762d070d4b4355140b213b868ca570b36d3e615d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gicyl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ywfoe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7e1ccf09a845e970a03225fd762d070d4b4355140b213b868ca570b36d3e615d.exe
"C:\Users\Admin\AppData\Local\Temp\7e1ccf09a845e970a03225fd762d070d4b4355140b213b868ca570b36d3e615d.exe"
C:\Users\Admin\AppData\Local\Temp\gicyl.exe
"C:\Users\Admin\AppData\Local\Temp\gicyl.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ywfoe.exe
"C:\Users\Admin\AppData\Local\Temp\ywfoe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/3320-0-0x0000000000800000-0x0000000000862000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gicyl.exe
| MD5 | 8ef9157975e9bb4a5e157e23a6b062c7 |
| SHA1 | 1b0427dd8babf3d605c2fa9766e713820ec30e24 |
| SHA256 | 3ee88e269f70f0dad9ef779e46abec149d484cf06fc462f4a85fbaca91e42daf |
| SHA512 | fcacc4261d119d7039b80be3c05f27c7c9eabd65245e47aaaa0a47cb4f9298fd138edccaf542d992c0fc8e3b6537cea224391c3207ebf597ee152fdc52df68f5 |
memory/3808-12-0x0000000000DB0000-0x0000000000E12000-memory.dmp
memory/3320-14-0x0000000000800000-0x0000000000862000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 7c8f3e59650c54f4f82068e6f7f75686 |
| SHA1 | 21c92af46af5206cb2bef18cecc8ebbe07d6e55b |
| SHA256 | 238e7ffe1e646f050c9d7fb8acb4dd605c48ec7701422fe58e2785c4d65b5ae5 |
| SHA512 | 1c935beee93323c48023e0cb2050c6922a86549705a0fa4984e7919b83ba8d48ba96eab9844f3658937f3023982466a7c08d34f504e07f8345fcc1f773084e56 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 781012f31d4338a271276af8301c0f4e |
| SHA1 | defd440e1a3bf3908891de78d48637fbe27d3f53 |
| SHA256 | e907306c890b045661c0617a4dec20accf6e63bc8bb0490eb5d39baaf183f966 |
| SHA512 | ae013491684b96a92847d2076f49c87315f16d7fe4d568c1fe56d4b2176d3650e8b7a8f91ed92e51d37b93fba0b1a5565a63ddc65b6ed877a6ef5350bc7bb9a4 |
C:\Users\Admin\AppData\Local\Temp\ywfoe.exe
| MD5 | da7e7f2aba1c75d5075e720972fa36e7 |
| SHA1 | 45bdfcf199a735099e7662539a60691b11320e5e |
| SHA256 | e80ab67270bb82803edf37bde299178d0f96ba49cce3d152e27b1547c74f710b |
| SHA512 | 615c9d0702a1db79d678c1701ddc6efb9913875ef2e9d13fcde911ba5c90b47224d189aafec13c6c0b5461e95f63a1f37bc087b4fa661a655b6aa17b53ba265c |
memory/3808-25-0x0000000000DB0000-0x0000000000E12000-memory.dmp