Analysis Overview
SHA256
6a5c3542e1f68e12b4f135585bb132ce42e1d82f102728f221f651cb0e9bac8e
Threat Level: Known bad
The file bb9108d709a49a0ac3184418b0b2a450N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Loads dropped DLL
Executes dropped EXE
UPX packed file
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 16:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 16:43
Reported
2024-08-02 16:46
Platform
win7-20240729-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\teuzr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vyowej.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokus.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\teuzr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\teuzr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vyowej.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\teuzr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vyowej.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tokus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\teuzr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vyowej.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokus.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe
"C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe"
C:\Users\Admin\AppData\Local\Temp\teuzr.exe
"C:\Users\Admin\AppData\Local\Temp\teuzr.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\vyowej.exe
"C:\Users\Admin\AppData\Local\Temp\vyowej.exe" OK
C:\Users\Admin\AppData\Local\Temp\tokus.exe
"C:\Users\Admin\AppData\Local\Temp\tokus.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2308-0-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2308-36-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2308-37-0x0000000000526000-0x000000000087A000-memory.dmp
memory/2308-35-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2308-33-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2308-30-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2308-28-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2308-25-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2308-23-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2308-20-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2308-18-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2308-15-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2308-13-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2308-11-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2308-10-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2308-8-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2308-6-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2308-5-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2308-3-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2308-41-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\teuzr.exe
| MD5 | 4022c2924531cca46c9d14b56def4b5b |
| SHA1 | 9e66875bff003caaaa95d0cd96a3f96b2f1c8ccd |
| SHA256 | a61723caf40d132c6f309157f6e3b1c9d16791e34ff32bcde5962ae49707a7c8 |
| SHA512 | f80ae9507b2a22631a9399cf5c2ca093fd3bb702da18381b102e2399c7fc12a021fb12739b772656bc6dfa6756604e8d4410acee3b79bfb87973cf7505967364 |
memory/408-61-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 31138cca8cdd75c0cb5b82357b465987 |
| SHA1 | 7a4bd4989a4056c7891b6da44aa19ec9e055b155 |
| SHA256 | c8d084cf1cde1c714cd4edc8fc578a9f7c8bf0c6301c4f8a507d5198950bbdd4 |
| SHA512 | 2dca974bd197d77ef2fdac2a9edf125c5bbdf40efc2f736af18dbba877bc6584c41af9748f6bec13a2aa506ccb8ec971bc16371c30edd7016682eac402f31c15 |
memory/2308-52-0x0000000003FC0000-0x0000000004AAC000-memory.dmp
memory/2308-62-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2308-53-0x0000000003FC0000-0x0000000004AAC000-memory.dmp
memory/2308-1-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2308-63-0x0000000000526000-0x000000000087A000-memory.dmp
memory/408-89-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/408-103-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 55769237c9349ce4a2ae93e2c72335a3 |
| SHA1 | b93400a40645d874d21932cfa251201974ab6942 |
| SHA256 | 7a37934c062a589a70d73009e7ceeb2ee2ea076fc07a6f1f1195b520a66827f2 |
| SHA512 | c60d055788c972ece620d22fa58d27eef47f1c99d43fe11b7b380c43ab3d7fd1e61e7bab419096062678e025b773213321659481dbc2678fab84ee95aeb6599c |
memory/408-87-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/408-84-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/408-82-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/408-105-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/408-113-0x00000000042D0000-0x0000000004DBC000-memory.dmp
memory/408-117-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/408-116-0x00000000042D0000-0x0000000004DBC000-memory.dmp
\Users\Admin\AppData\Local\Temp\tokus.exe
| MD5 | e11199b17a1744bad821df8fc5e633c8 |
| SHA1 | 5a18705fd7b9e881162e44d4141ebb2aca9e9bd4 |
| SHA256 | c7c12a08dfc943ff9d422ed9cbfb4ea2b8f60c87b629168546a87d2f931c54eb |
| SHA512 | ddc9d985f39c8a36506b11b8b95ebd10dadb6d48bad67ec371e4f2ac36b3be49418cfc966d55d22b63ee2a2882fc0dac621cac27a9acfd742c4079c2aa9949de |
memory/2648-162-0x0000000004A10000-0x0000000004BA9000-memory.dmp
memory/1684-164-0x0000000000400000-0x0000000000599000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | e6b49eb79580575e0694517f00203669 |
| SHA1 | cd8fc2a65b6853a2223c4f471711179f9fdd6305 |
| SHA256 | 949b7ff93077e3ec526dd5c7eae825f676b32b020e10a72123822515151ce6c9 |
| SHA512 | 2866a31d8344e10a06c48a8b3a1dee9bcf79e1025d93cfa79ed8c81076248788f2d2d2a97d527b133470fe877918fd01775a3b0255b90e5ba9def4b794a25fbf |
memory/2648-173-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/1684-177-0x0000000000400000-0x0000000000599000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 16:43
Reported
2024-08-02 16:46
Platform
win10v2004-20240802-en
Max time kernel
89s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\okawp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\okawp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mixoej.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\okawp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mixoej.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\okawp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\okawp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mixoej.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mixoej.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe
"C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe"
C:\Users\Admin\AppData\Local\Temp\okawp.exe
"C:\Users\Admin\AppData\Local\Temp\okawp.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\mixoej.exe
"C:\Users\Admin\AppData\Local\Temp\mixoej.exe" OK
C:\Users\Admin\AppData\Local\Temp\coluk.exe
"C:\Users\Admin\AppData\Local\Temp\coluk.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
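Pulling the Processes and Network sections of both behavioral runs together into detection logic, as an added example that is not part of the sandbox report: the script below checks constructed Sysmon-style records against the SHA256 values and C2 IP:port pairs listed in this report, and flags the chain both runs show (a Temp-resident executable that spawns `cmd /c ""...\_vslite.bat" "`, and a second Temp executable launched with the literal `OK` argument). The record layout, field names, rule names and sample events are assumptions made for illustration; the registry rule is kept at low severity because opening `NLS\Language` or `Geo\Nation` is routine for benign software.

```python
"""Detection logic for the process chain and C2 endpoints in this report.
Added example: indicators are copied from the report; the record layout and
the sample events below are constructed for illustration only."""
import re

# C2 destinations seen in both behavioral runs (Network sections).
C2_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}
# SHA256 values the report gives for the sample and its dropped executables.
KNOWN_SHA256 = {
    "6a5c3542e1f68e12b4f135585bb132ce42e1d82f102728f221f651cb0e9bac8e",  # bb9108d709a49a0ac3184418b0b2a450N.exe
    "a61723caf40d132c6f309157f6e3b1c9d16791e34ff32bcde5962ae49707a7c8",  # teuzr.exe (win7 run)
    "c7c12a08dfc943ff9d422ed9cbfb4ea2b8f60c87b629168546a87d2f931c54eb",  # tokus.exe (win7 run)
    "1b11c6b891dc2623e55f6713169dd183b611880509cbd9a539186827e28ff267",  # okawp.exe (win10 run)
    "e4c5562aac8fc9b4f039e5c6623a908fba51a53e00b3df677570e20ba639bb68",  # coluk.exe (win10 run)
}
# Behavioural patterns taken from the Processes sections.
TEMP_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# cmd /c ""...\_vslite.bat" "  (also matches the C:\Windows\system32\cmd.exe form)
VSLITE_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"+[^"]*\\_vslite\.bat"', re.I)
# "<Temp>\<short random name>.exe" OK  (the second-stage launch)
OK_ARG_RE = re.compile(r'^"[^"]+\\temp\\[a-z]{4,8}\.exe"\s+OK$', re.I)
LOCALE_KEY_RE = re.compile(
    r"(\\control\\nls\\language|\\control panel\\international\\geo\\nation)$", re.I)


def in_user_temp(path):
    """True when the image path lies under a user's AppData\\Local\\Temp."""
    return bool(TEMP_DIR_RE.match(path or ""))


def triage(events):
    """Return (severity, rule, image) findings for normalized records.
    Assumed layout, loosely modelled on Sysmon: process records carry
    image/cmdline/parent_image/sha256, network records dst_ip/dst_port,
    registry records the key path."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        if ev.get("type") == "process":
            if ev.get("sha256", "").lower() in KNOWN_SHA256:
                findings.append(("high", "known_urelas_hash", image))
            cmd, parent = ev.get("cmdline", ""), ev.get("parent_image", "")
            # Self-deletion stage: a Temp-resident parent runs the _vslite.bat helper.
            if VSLITE_RE.search(cmd) and in_user_temp(parent):
                findings.append(("high", "vslite_self_delete", parent))
            # Second stage: a Temp executable started with the literal "OK" argument.
            if in_user_temp(image) and OK_ARG_RE.match(cmd):
                findings.append(("medium", "temp_exe_ok_argument", image))
        elif ev.get("type") == "network":
            if (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
                findings.append(("high", "urelas_c2_endpoint", image))
        elif ev.get("type") == "registry":
            # Low fidelity alone: benign software reads these keys constantly,
            # so only raise it for images running out of a user's Temp directory.
            if in_user_temp(image) and LOCALE_KEY_RE.search(ev.get("key", "")):
                findings.append(("low", "locale_check_from_temp", image))
    return findings


def verdict(findings):
    """Collapse findings to one label: any high-severity hit is malicious."""
    sev = {s for s, _, _ in findings}
    return "malicious" if "high" in sev else ("suspicious" if sev else "clean")


# Constructed sample telemetry mirroring the win7 run; not captured from the sandbox.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process", "image": TEMP + r"\bb9108d709a49a0ac3184418b0b2a450N.exe",
     "cmdline": '"' + TEMP + r'\bb9108d709a49a0ac3184418b0b2a450N.exe"',
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "6a5c3542e1f68e12b4f135585bb132ce42e1d82f102728f221f651cb0e9bac8e"},
    {"type": "registry", "image": TEMP + r"\bb9108d709a49a0ac3184418b0b2a450N.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /c ""' + TEMP + r'\_vslite.bat" "',
     "parent_image": TEMP + r"\bb9108d709a49a0ac3184418b0b2a450N.exe"},
    {"type": "process", "image": TEMP + r"\vyowej.exe",
     "cmdline": '"' + TEMP + r'\vyowej.exe" OK', "parent_image": TEMP + r"\teuzr.exe"},
    {"type": "network", "image": TEMP + r"\tokus.exe",
     "dst_ip": "218.54.31.226", "dst_port": 11110},
    # Benign noise that must not fire.
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "8.8.8.8", "dst_port": 53},
    {"type": "registry", "image": r"C:\Windows\System32\notepad.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for sev, rule, image in hits:
        print(f"[{sev:6}] {rule:24} {image}")
    print("verdict:", verdict(hits))
```

The four IP:port pairs are identical across the win7 and win10 runs, which makes them the most durable indicator on this page; the dropped filenames are not (teuzr/vyowej/tokus in one run, okawp/mixoej/coluk in the other), and even the two `_vslite.bat` copies within a run hash differently, so filename- or batch-hash-based rules would miss the next detonation. Note also that the report records no SHA256 for the `OK`-argument stage (vyowej.exe, mixoej.exe), so only the behavioural rule covers it here.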
Files
memory/3824-0-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3824-1-0x0000000000F30000-0x0000000000F31000-memory.dmp
memory/3824-3-0x0000000000F50000-0x0000000000F51000-memory.dmp
memory/3824-2-0x0000000000F40000-0x0000000000F41000-memory.dmp
memory/3824-8-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3824-4-0x00000000010A0000-0x00000000010A1000-memory.dmp
memory/3824-7-0x00000000010D0000-0x00000000010D1000-memory.dmp
memory/3824-11-0x0000000000526000-0x000000000087A000-memory.dmp
memory/3824-6-0x00000000010C0000-0x00000000010C1000-memory.dmp
memory/3824-5-0x00000000010B0000-0x00000000010B1000-memory.dmp
memory/3824-13-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\okawp.exe
| MD5 | f785bc7d7d3fa8e3065962eec3c4758b |
| SHA1 | a15670da001352155ec43bbb459b3ae8c401b988 |
| SHA256 | 1b11c6b891dc2623e55f6713169dd183b611880509cbd9a539186827e28ff267 |
| SHA512 | ecb97819505bef41c651877b8f1088b46bb16db209e570c3dd383acc6d2776f1b9348c7078cb6f088523278052478eb3355abebada2bcb792a476c884b62875f |
memory/940-24-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3824-25-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3824-26-0x0000000000526000-0x000000000087A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 31138cca8cdd75c0cb5b82357b465987 |
| SHA1 | 7a4bd4989a4056c7891b6da44aa19ec9e055b155 |
| SHA256 | c8d084cf1cde1c714cd4edc8fc578a9f7c8bf0c6301c4f8a507d5198950bbdd4 |
| SHA512 | 2dca974bd197d77ef2fdac2a9edf125c5bbdf40efc2f736af18dbba877bc6584c41af9748f6bec13a2aa506ccb8ec971bc16371c30edd7016682eac402f31c15 |
memory/940-30-0x0000000001070000-0x0000000001071000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 54ac55437bf1d5fa4e6644149c8334e6 |
| SHA1 | b874aaff5484c5d51c879cd1cfb7ea98c5e64a3e |
| SHA256 | c0581edf2bde4a429bad87ab6c041fa41d9ad298ba2aaf6e544a542545ad376a |
| SHA512 | 5ae5c54aefa1bd2b82ff396fbc165c7e4dfd3cdf1b45e2ce2a055abc6bd763b1fb3c5a74e8bedc4b520f50331e76d6a44cbd770e3a234e15398f6fd7b433f93e |
memory/940-36-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/940-38-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/940-29-0x0000000001060000-0x0000000001061000-memory.dmp
memory/940-28-0x0000000000F70000-0x0000000000F71000-memory.dmp
memory/940-40-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/940-48-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2616-49-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2616-57-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2616-56-0x00000000011D0000-0x00000000011D1000-memory.dmp
memory/2616-55-0x00000000011C0000-0x00000000011C1000-memory.dmp
memory/2616-54-0x00000000011B0000-0x00000000011B1000-memory.dmp
memory/2616-53-0x00000000011A0000-0x00000000011A1000-memory.dmp
memory/2616-52-0x0000000001170000-0x0000000001171000-memory.dmp
memory/2616-51-0x0000000001050000-0x0000000001051000-memory.dmp
memory/2616-50-0x0000000001040000-0x0000000001041000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\coluk.exe
| MD5 | 6d70c9e78c8f43ab8471b5fb7a5dd6a9 |
| SHA1 | 4dfeb1bbd9cc94a1e881c5cc4f318c1405fce249 |
| SHA256 | e4c5562aac8fc9b4f039e5c6623a908fba51a53e00b3df677570e20ba639bb68 |
| SHA512 | 3e1291ba5cc9ad467496df8f50d98e3e7bcfccdf21ff93ef8638c09336a6acfa3a13551bce77e754a316f6724a3225e08b843349b864533dfd4fb156570ed949 |
memory/4044-71-0x0000000000400000-0x0000000000599000-memory.dmp
memory/2616-72-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | d9b9e0e0aac87f739ed720475990eb63 |
| SHA1 | 28b055a745c668caf38608b156221e69ded75b7a |
| SHA256 | 83c48d1da0f7a1937487198304aa344fa619718d222946797a8c22978bc0630f |
| SHA512 | 3ca73d2ee1d4bdc07daf8a8a6bca2623aad2831a51636df6a63b51b97a4b65141feaddce0d011bb0bff703737e8f92c87452025e2768a221793e4999265d4702 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/4044-75-0x0000000000400000-0x0000000000599000-memory.dmp