Analysis Overview
SHA256
7f67b06c4ab09813db303e52db5dd334eafca0eedae7500204975f3196d2ea60
Threat Level: Known bad
The file 826fe92e739c902f85a324941e90c9d0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
UPX packed file
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 09:05
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 09:05
Reported
2024-08-02 09:07
Platform
win7-20240705-en
Max time kernel
119s
Max time network
118s
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hulur.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anivx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\826fe92e739c902f85a324941e90c9d0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hulur.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\anivx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\826fe92e739c902f85a324941e90c9d0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hulur.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\826fe92e739c902f85a324941e90c9d0N.exe
"C:\Users\Admin\AppData\Local\Temp\826fe92e739c902f85a324941e90c9d0N.exe"
C:\Users\Admin\AppData\Local\Temp\hulur.exe
"C:\Users\Admin\AppData\Local\Temp\hulur.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\anivx.exe
"C:\Users\Admin\AppData\Local\Temp\anivx.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2688-0-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2688-19-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hulur.exe
| MD5 | cb4008206ab2c4886b5c1e4c9916dfcd |
| SHA1 | 2f5a5a4eae361a693d28575079588b6f2b65f12d |
| SHA256 | ed47c99e3685616daa1d65ba30555e7c0904b8f6591a3c8d962a19a462244941 |
| SHA512 | 5f20470b18dc009f1e795e21da3c556bd0ef039820569663e298bf3905eee4bd220521873c4fd2c75e2dbfa8b68226c74d1cb312286f08a99080a018fa49f330 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | e5149cd88ab45a5ba0853b06c4836ecb |
| SHA1 | 29062814258810a35dc1d754dffe247688b0702e |
| SHA256 | a1808478b07309c71b2354e46da59bf480e50f1401762ad78ad5a0eacdb9a2a1 |
| SHA512 | 4fb3397e70b2e5121d9f02873b771ce2b4135bde4e84d0fe4585bb6ccdb4b79c6572ff929589325dd7a14e15e92a836c098978757864dac954740cc2a41a8b1b |
memory/2928-18-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2688-16-0x0000000002570000-0x0000000002600000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | cb3822a2dce5c96b77c0d59b98dc2f93 |
| SHA1 | 7f7ea5b93f6b6db3fda20352f952d2595e1add8b |
| SHA256 | 38d2f1436133c601e09b74528bfcf19ef6eea7be443d9b18083f6f6b300eb9d2 |
| SHA512 | 0617cc7e3a2583ea5d64f6cdd56f1ec7c7b68ea725b15e2a37159855e46822c26344e4a8c11572c54cd12c87af5b16feead9735488701a8ff550954e0716db1f |
memory/2928-22-0x0000000000400000-0x0000000000490000-memory.dmp
\Users\Admin\AppData\Local\Temp\anivx.exe
| MD5 | 6b9179ec9cb4fcbe42c8974af1a6cd98 |
| SHA1 | 3312dde7bed79fbbdc6c657fcc798637917d32d8 |
| SHA256 | 97fc7ac32fc3c732b785eb197d1b8314e547b1cd81a31939b2206b4bcb4e9ed9 |
| SHA512 | 2aeb9b470963d358fa9a8c065ec993249b4780846dac1f45ddb4288cde615b0e8eadae176c19f58f4e3ad1d4e4e0c4577b8191e236781fc9858d2b0284dd913e |
memory/2632-40-0x00000000001C0000-0x0000000000276000-memory.dmp
memory/2928-39-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2928-37-0x0000000003BC0000-0x0000000003C76000-memory.dmp
memory/2632-42-0x00000000001C0000-0x0000000000276000-memory.dmp
memory/2632-43-0x00000000001C0000-0x0000000000276000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 09:05
Reported
2024-08-02 09:07
Platform
win10v2004-20240730-en
Max time kernel
119s
Max time network
95s
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nozij.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\826fe92e739c902f85a324941e90c9d0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nozij.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wupon.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wupon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\826fe92e739c902f85a324941e90c9d0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nozij.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\826fe92e739c902f85a324941e90c9d0N.exe
"C:\Users\Admin\AppData\Local\Temp\826fe92e739c902f85a324941e90c9d0N.exe"
C:\Users\Admin\AppData\Local\Temp\nozij.exe
"C:\Users\Admin\AppData\Local\Temp\nozij.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\wupon.exe
"C:\Users\Admin\AppData\Local\Temp\wupon.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/2308-0-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nozij.exe
| MD5 | ca8f33d3efa6ee781fbe9d9ba038e85e |
| SHA1 | 8d89514c14ae3e327786ad365cdededcf3e2d1a0 |
| SHA256 | b2be8f462a04e07c24d05f321e144d7fd1c60a9953fcd05a3ef99e33babf1adb |
| SHA512 | a614b3b72d29d08819981feb489afff89ddcc2e14e6c91b9843a49d657078b06cd80b0a2a3e0249a3bfc3636f32871eb9ec47e9a8a3de18ca82812ca6bea3e9e |
memory/4968-13-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2308-15-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | e5149cd88ab45a5ba0853b06c4836ecb |
| SHA1 | 29062814258810a35dc1d754dffe247688b0702e |
| SHA256 | a1808478b07309c71b2354e46da59bf480e50f1401762ad78ad5a0eacdb9a2a1 |
| SHA512 | 4fb3397e70b2e5121d9f02873b771ce2b4135bde4e84d0fe4585bb6ccdb4b79c6572ff929589325dd7a14e15e92a836c098978757864dac954740cc2a41a8b1b |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 27201e4e1978ee33e5f36209758fe5a8 |
| SHA1 | 27ebfeb7276341672f34eece285433143de42325 |
| SHA256 | 63f3eed127fc1580f3aa1dad39f6ce0e10aadd5e4616166d77e10f1282b037c4 |
| SHA512 | e62f38ad90bfd8d3249d2a5c6365dc3482e27d6d95cdeb57ad82b11eac1bb7373f6b9bebeaa11414ff5fc918b0bf63c7d0e649f15340a1e61f22a2e1c593169c |
memory/4968-18-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wupon.exe
| MD5 | d7a0b9e179cd047f0c92c1506bf89f13 |
| SHA1 | 7716f0d95e465d33dd956827459f77e47f06a3ad |
| SHA256 | 4f853ddf9f61abc51fab36095d4bf9abdebb6ff69644068f35afd7c554da63f6 |
| SHA512 | b9e9ecc529f9310d6d218755f475e9be3d5a5955693518b79db48f661f896a214d6294bde7b2b8267c90871a35129a863d4b89224e1773f81e113ec13a4a1022 |
memory/3912-35-0x0000000000E20000-0x0000000000ED6000-memory.dmp
memory/4968-37-0x0000000000400000-0x0000000000490000-memory.dmp
memory/3912-38-0x0000000000750000-0x0000000000751000-memory.dmp
memory/3912-40-0x0000000000E20000-0x0000000000ED6000-memory.dmp
memory/3912-41-0x0000000000E20000-0x0000000000ED6000-memory.dmp