Analysis Overview
SHA256
c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139
Threat Level: Known bad
The file c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139 was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Deletes itself
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 04:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 04:38
Reported
2024-08-02 04:41
Platform
win7-20240708-en
Max time kernel
149s
Max time network
76s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opcia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\reykha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jebuy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opcia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opcia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\reykha.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jebuy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\opcia.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\reykha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe
"C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe"
C:\Users\Admin\AppData\Local\Temp\opcia.exe
"C:\Users\Admin\AppData\Local\Temp\opcia.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\reykha.exe
"C:\Users\Admin\AppData\Local\Temp\reykha.exe" OK
C:\Users\Admin\AppData\Local\Temp\jebuy.exe
"C:\Users\Admin\AppData\Local\Temp\jebuy.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2908-2-0x0000000000400000-0x0000000000467000-memory.dmp
\Users\Admin\AppData\Local\Temp\opcia.exe
| MD5 | 85fe47812543713dc9321e526b592ba0 |
| SHA1 | 4181180fac6e4c054b53d560d45df4865c8d013d |
| SHA256 | bbfcbcff938084e6f4813dfaa35a984ff07c1a0b204e66ff5a2b6af3acbee091 |
| SHA512 | 3989a5700cf03241e4cd26fff265011e6d33c038506904ff2ab662d0d36a42732a5cc57ab1b867cfcaec06a55caceede41594e1b02de5ea8a881e93acf3c77bc |
memory/2408-21-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2908-20-0x0000000001E50000-0x0000000001EB7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | e3c07938cd77830b2a184a14c8d88008 |
| SHA1 | 66de4e4665ae56fa8015c73f5be3703c763dae71 |
| SHA256 | 9e9d2ed9ea8bb286a1d10c62270c70181c5dcd452b432700dceed777c8b8ad02 |
| SHA512 | 8a001ab8b6d75e58bd80c0d1e357794f4c77e4959a47ed69d22273d17e6f7b100677cfb76d327cf10314016fe3784c529afcb57e54e205d455354ea8098539a1 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | fd51923ff03982fea59c0b92c5b2b8a0 |
| SHA1 | 707ea30afb7e286a063ea56d11e646586cbaec4f |
| SHA256 | 16f41a3b4158405e30645727910fa70a9ccff8a41c650b34251840713e89043e |
| SHA512 | c7d1cd85b348391a42907cf02d424417c05e7bf78dcc78206d077cdbd1a0db96a2a58fca31e1355064304f1bf693640057b8531f70c1bc92ac10fe3f1f93d0cb |
memory/2908-25-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\reykha.exe
| MD5 | 591fe8982359c9f3e1ad74c7227c9485 |
| SHA1 | b6f2ce98d23445d31e7680f9e94f161b295f4a05 |
| SHA256 | 2b195f51a9694c983ed84630e7a97fcdfa42dfe7663e126ee245d7f102e0f747 |
| SHA512 | 8e0562bd057d636f28bc92a9db61b3ca04d72faddc7f33153b6acbb10b61c488b7d1583f401dc019356d03c1de7081881b69f02cc0138bfd830cf1072878bebd |
memory/2408-35-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2812-36-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2812-38-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2812-62-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1376-63-0x0000000000040000-0x00000000000E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jebuy.exe
| MD5 | 2ba483e56a39258f4f4716aa366a6284 |
| SHA1 | cd6680ca3072d634bf82d384b53c2cb560e19f4d |
| SHA256 | 0b0c298f571019d483663d346d666b5edb98c3f7c95dda441e0fa376b956cf26 |
| SHA512 | ef11edde6e3cd42e20a6ae4487c2f0d16f2092f9c9826e90a3376ee49f1eda74e37ff5b1f534b8b2f3d66de011c0fe843c7965f43074f4331921320ddd7e31c0 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 59634d3cd855bc1252a647bd2217bcc2 |
| SHA1 | dde545ef9ec7525430a01a2b2c5d81b7339cfb9c |
| SHA256 | e8969a313b5cea1db86140ac4fcdbeb88ecb4d406dd8207a6842b757ceb189ed |
| SHA512 | e4ca394d5a36007f0398d1fc6a110a93937fc50c59ce66b7d7ce3c126391c8a22f8e692a22abefedc2d2b65652547203adb2ecc9f47eec6dc61cf35f5ad7059e |
memory/1376-67-0x0000000000040000-0x00000000000E0000-memory.dmp
memory/1376-68-0x0000000000040000-0x00000000000E0000-memory.dmp
memory/1376-69-0x0000000000040000-0x00000000000E0000-memory.dmp
memory/1376-70-0x0000000000040000-0x00000000000E0000-memory.dmp
memory/1376-71-0x0000000000040000-0x00000000000E0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 04:38
Reported
2024-08-02 04:41
Platform
win10v2004-20240730-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\voimz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xouwwo.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\voimz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xouwwo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kofea.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\voimz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xouwwo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kofea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe
"C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe"
C:\Users\Admin\AppData\Local\Temp\voimz.exe
"C:\Users\Admin\AppData\Local\Temp\voimz.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\xouwwo.exe
"C:\Users\Admin\AppData\Local\Temp\xouwwo.exe" OK
C:\Users\Admin\AppData\Local\Temp\kofea.exe
"C:\Users\Admin\AppData\Local\Temp\kofea.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/3408-0-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\voimz.exe
| MD5 | 70b82f3103f49860468c07fd372450e9 |
| SHA1 | b577e912c02344ac627359f959795ed0dd0dd75a |
| SHA256 | 04f96d1d3040f8e3cda310ade83384b518aa1fe23088ac90da68fca28ae14836 |
| SHA512 | 003f7c0260935b0cd4f0cd7580830f6aef7517434817c878d985c78a4ad298c86cf105b77afec5eca8bf4a377a6a35d51a03e79c7f7be53c16db8cf31cec5178 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | cc1a5e8a57326e8d947988010b5d0550 |
| SHA1 | 4961e852bfead364b73e2aea5918dded939dac08 |
| SHA256 | 1a19cb361d35d15462a02be5abad7a1839bf996b6c8a49417613b98f6dd07360 |
| SHA512 | 700a5ae7732b0485806423f6efa06a3e23d40140f61dcac149eb1114f603179f8952321dc8eedf21eb492e71a08396c6e693089a64dd4dbcd138b0d5a9c2c1e1 |
memory/3408-14-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | e3c07938cd77830b2a184a14c8d88008 |
| SHA1 | 66de4e4665ae56fa8015c73f5be3703c763dae71 |
| SHA256 | 9e9d2ed9ea8bb286a1d10c62270c70181c5dcd452b432700dceed777c8b8ad02 |
| SHA512 | 8a001ab8b6d75e58bd80c0d1e357794f4c77e4959a47ed69d22273d17e6f7b100677cfb76d327cf10314016fe3784c529afcb57e54e205d455354ea8098539a1 |
C:\Users\Admin\AppData\Local\Temp\xouwwo.exe
| MD5 | f52a82dd49d3752f5c06ff06331d0096 |
| SHA1 | 20225fb43f81f023f89af67c93ea9c62f0546c08 |
| SHA256 | 2aef1636838e5baaadda09dcfabe2da7a4d5a36f4d8421fc68ad9a34a946f3b1 |
| SHA512 | 87238536d5090cc54a1101b7ff7b9f5224f782e3ffd78fb1785fffb524297ced89563723776ae72882bb2a5976092e16a52d6a15da9f571be11d09bed6d8ecc8 |
memory/2188-24-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2816-25-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2816-26-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kofea.exe
| MD5 | df042bb1cc8f91583f847470078dab69 |
| SHA1 | 755c9c60b2a7de7e45174836ebdb064b2144ef0e |
| SHA256 | 60c9044ccb16b29def2ae2eabc94652bfa62eb3e57ffdf97555e5fd125765111 |
| SHA512 | 176b33d4226ee43533f46c81c34e5c4f576476a5ad87dda2773ae229c4eaa2db228367f5ecdce304a83c6da5345c1f3c9edf10f301cda58b84bdeb0e675b547d |
memory/3968-45-0x0000000000700000-0x00000000007A0000-memory.dmp
memory/2816-48-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 76eb2aa4d2a6385921f790518b720f10 |
| SHA1 | 76d06ce6774c0833e475a1ce97ba80a0b9ab2f5e |
| SHA256 | 0a7ccbac853afb6e7ed0a44a39cfd103ef8af4cb3cd5547bd6b8dcbf2f8d3295 |
| SHA512 | 1cb59436657bcc72b037028317a2f8c639a651827b685943d6fa597ebd43136bf34cd82b705c87da133de75029508793a186e1f436f147afddd2cda62897532e |
memory/3968-51-0x0000000000700000-0x00000000007A0000-memory.dmp
memory/3968-52-0x0000000000700000-0x00000000007A0000-memory.dmp
memory/3968-53-0x0000000000700000-0x00000000007A0000-memory.dmp
memory/3968-54-0x0000000000700000-0x00000000007A0000-memory.dmp
memory/3968-55-0x0000000000700000-0x00000000007A0000-memory.dmp