Malware Analysis Report

2024-11-16 13:27

Sample ID 240802-e9m3ms1dja
Target c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139
SHA256 c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139
Tags urelas discovery trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139

Threat Level: Known bad

The file c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-02 04:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-02 04:38

Reported

2024-08-02 04:41

Platform

win7-20240708-en

Max time kernel

149s

Max time network

76s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\opcia.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\reykha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jebuy.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jebuy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\opcia.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\reykha.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
55 N/A N/A C:\Users\Admin\AppData\Local\Temp\jebuy.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
4 PID 2908 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe C:\Users\Admin\AppData\Local\Temp\opcia.exe
4 PID 2908 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2408 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\opcia.exe C:\Users\Admin\AppData\Local\Temp\reykha.exe
4 PID 2812 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\reykha.exe C:\Users\Admin\AppData\Local\Temp\jebuy.exe
4 PID 2812 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\reykha.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe

"C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe"

C:\Users\Admin\AppData\Local\Temp\opcia.exe

"C:\Users\Admin\AppData\Local\Temp\opcia.exe" hi

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\reykha.exe

"C:\Users\Admin\AppData\Local\Temp\reykha.exe" OK

C:\Users\Admin\AppData\Local\Temp\jebuy.exe

"C:\Users\Admin\AppData\Local\Temp\jebuy.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2908-2-0x0000000000400000-0x0000000000467000-memory.dmp

\Users\Admin\AppData\Local\Temp\opcia.exe

MD5 85fe47812543713dc9321e526b592ba0
SHA1 4181180fac6e4c054b53d560d45df4865c8d013d
SHA256 bbfcbcff938084e6f4813dfaa35a984ff07c1a0b204e66ff5a2b6af3acbee091
SHA512 3989a5700cf03241e4cd26fff265011e6d33c038506904ff2ab662d0d36a42732a5cc57ab1b867cfcaec06a55caceede41594e1b02de5ea8a881e93acf3c77bc

memory/2408-21-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2908-20-0x0000000001E50000-0x0000000001EB7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 e3c07938cd77830b2a184a14c8d88008
SHA1 66de4e4665ae56fa8015c73f5be3703c763dae71
SHA256 9e9d2ed9ea8bb286a1d10c62270c70181c5dcd452b432700dceed777c8b8ad02
SHA512 8a001ab8b6d75e58bd80c0d1e357794f4c77e4959a47ed69d22273d17e6f7b100677cfb76d327cf10314016fe3784c529afcb57e54e205d455354ea8098539a1

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 fd51923ff03982fea59c0b92c5b2b8a0
SHA1 707ea30afb7e286a063ea56d11e646586cbaec4f
SHA256 16f41a3b4158405e30645727910fa70a9ccff8a41c650b34251840713e89043e
SHA512 c7d1cd85b348391a42907cf02d424417c05e7bf78dcc78206d077cdbd1a0db96a2a58fca31e1355064304f1bf693640057b8531f70c1bc92ac10fe3f1f93d0cb

memory/2908-25-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\reykha.exe

MD5 591fe8982359c9f3e1ad74c7227c9485
SHA1 b6f2ce98d23445d31e7680f9e94f161b295f4a05
SHA256 2b195f51a9694c983ed84630e7a97fcdfa42dfe7663e126ee245d7f102e0f747
SHA512 8e0562bd057d636f28bc92a9db61b3ca04d72faddc7f33153b6acbb10b61c488b7d1583f401dc019356d03c1de7081881b69f02cc0138bfd830cf1072878bebd

memory/2408-35-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2812-36-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2812-38-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2812-62-0x0000000000400000-0x0000000000467000-memory.dmp

memory/1376-63-0x0000000000040000-0x00000000000E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jebuy.exe

MD5 2ba483e56a39258f4f4716aa366a6284
SHA1 cd6680ca3072d634bf82d384b53c2cb560e19f4d
SHA256 0b0c298f571019d483663d346d666b5edb98c3f7c95dda441e0fa376b956cf26
SHA512 ef11edde6e3cd42e20a6ae4487c2f0d16f2092f9c9826e90a3376ee49f1eda74e37ff5b1f534b8b2f3d66de011c0fe843c7965f43074f4331921320ddd7e31c0

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 59634d3cd855bc1252a647bd2217bcc2
SHA1 dde545ef9ec7525430a01a2b2c5d81b7339cfb9c
SHA256 e8969a313b5cea1db86140ac4fcdbeb88ecb4d406dd8207a6842b757ceb189ed
SHA512 e4ca394d5a36007f0398d1fc6a110a93937fc50c59ce66b7d7ce3c126391c8a22f8e692a22abefedc2d2b65652547203adb2ecc9f47eec6dc61cf35f5ad7059e

memory/1376-67-0x0000000000040000-0x00000000000E0000-memory.dmp

memory/1376-68-0x0000000000040000-0x00000000000E0000-memory.dmp

memory/1376-69-0x0000000000040000-0x00000000000E0000-memory.dmp

memory/1376-70-0x0000000000040000-0x00000000000E0000-memory.dmp

memory/1376-71-0x0000000000040000-0x00000000000E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-02 04:38

Reported

2024-08-02 04:41

Platform

win10v2004-20240730-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\voimz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\xouwwo.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\voimz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xouwwo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kofea.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\voimz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xouwwo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kofea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
64 N/A N/A C:\Users\Admin\AppData\Local\Temp\kofea.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 3408 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe C:\Users\Admin\AppData\Local\Temp\voimz.exe
3 PID 3408 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe C:\Windows\SysWOW64\cmd.exe
3 PID 2188 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\voimz.exe C:\Users\Admin\AppData\Local\Temp\xouwwo.exe
3 PID 2816 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\xouwwo.exe C:\Users\Admin\AppData\Local\Temp\kofea.exe
3 PID 2816 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\xouwwo.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe

"C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe"

C:\Users\Admin\AppData\Local\Temp\voimz.exe

"C:\Users\Admin\AppData\Local\Temp\voimz.exe" hi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\xouwwo.exe

"C:\Users\Admin\AppData\Local\Temp\xouwwo.exe" OK

C:\Users\Admin\AppData\Local\Temp\kofea.exe

"C:\Users\Admin\AppData\Local\Temp\kofea.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3408-0-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\voimz.exe

MD5 70b82f3103f49860468c07fd372450e9
SHA1 b577e912c02344ac627359f959795ed0dd0dd75a
SHA256 04f96d1d3040f8e3cda310ade83384b518aa1fe23088ac90da68fca28ae14836
SHA512 003f7c0260935b0cd4f0cd7580830f6aef7517434817c878d985c78a4ad298c86cf105b77afec5eca8bf4a377a6a35d51a03e79c7f7be53c16db8cf31cec5178

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 cc1a5e8a57326e8d947988010b5d0550
SHA1 4961e852bfead364b73e2aea5918dded939dac08
SHA256 1a19cb361d35d15462a02be5abad7a1839bf996b6c8a49417613b98f6dd07360
SHA512 700a5ae7732b0485806423f6efa06a3e23d40140f61dcac149eb1114f603179f8952321dc8eedf21eb492e71a08396c6e693089a64dd4dbcd138b0d5a9c2c1e1

memory/3408-14-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 e3c07938cd77830b2a184a14c8d88008
SHA1 66de4e4665ae56fa8015c73f5be3703c763dae71
SHA256 9e9d2ed9ea8bb286a1d10c62270c70181c5dcd452b432700dceed777c8b8ad02
SHA512 8a001ab8b6d75e58bd80c0d1e357794f4c77e4959a47ed69d22273d17e6f7b100677cfb76d327cf10314016fe3784c529afcb57e54e205d455354ea8098539a1

C:\Users\Admin\AppData\Local\Temp\xouwwo.exe

MD5 f52a82dd49d3752f5c06ff06331d0096
SHA1 20225fb43f81f023f89af67c93ea9c62f0546c08
SHA256 2aef1636838e5baaadda09dcfabe2da7a4d5a36f4d8421fc68ad9a34a946f3b1
SHA512 87238536d5090cc54a1101b7ff7b9f5224f782e3ffd78fb1785fffb524297ced89563723776ae72882bb2a5976092e16a52d6a15da9f571be11d09bed6d8ecc8

memory/2188-24-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2816-25-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2816-26-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kofea.exe

MD5 df042bb1cc8f91583f847470078dab69
SHA1 755c9c60b2a7de7e45174836ebdb064b2144ef0e
SHA256 60c9044ccb16b29def2ae2eabc94652bfa62eb3e57ffdf97555e5fd125765111
SHA512 176b33d4226ee43533f46c81c34e5c4f576476a5ad87dda2773ae229c4eaa2db228367f5ecdce304a83c6da5345c1f3c9edf10f301cda58b84bdeb0e675b547d

memory/3968-45-0x0000000000700000-0x00000000007A0000-memory.dmp

memory/2816-48-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 76eb2aa4d2a6385921f790518b720f10
SHA1 76d06ce6774c0833e475a1ce97ba80a0b9ab2f5e
SHA256 0a7ccbac853afb6e7ed0a44a39cfd103ef8af4cb3cd5547bd6b8dcbf2f8d3295
SHA512 1cb59436657bcc72b037028317a2f8c639a651827b685943d6fa597ebd43136bf34cd82b705c87da133de75029508793a186e1f436f147afddd2cda62897532e

memory/3968-51-0x0000000000700000-0x00000000007A0000-memory.dmp

memory/3968-52-0x0000000000700000-0x00000000007A0000-memory.dmp

memory/3968-53-0x0000000000700000-0x00000000007A0000-memory.dmp

memory/3968-54-0x0000000000700000-0x00000000007A0000-memory.dmp

memory/3968-55-0x0000000000700000-0x00000000007A0000-memory.dmp