Analysis Overview
SHA256
06c1a6fb3c7d6a93ed81bf46768e1184aed2b859a75e0a13f9cd67d5e48324bb
Threat Level: Known bad
The file d896db759d42faa76b50b3cfe0ddda60N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Deletes itself
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-03 22:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-03 22:20
Reported
2024-08-03 22:22
Platform
win7-20240729-en
Max time kernel
116s
Max time network
96s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\apmit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\humov.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\apmit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\apmit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\humov.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\apmit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\apmit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\humov.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\humov.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\humov.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\humov.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\humov.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\humov.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe
"C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe"
C:\Users\Admin\AppData\Local\Temp\apmit.exe
"C:\Users\Admin\AppData\Local\Temp\apmit.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\dybijy.exe
"C:\Users\Admin\AppData\Local\Temp\dybijy.exe" OK
C:\Users\Admin\AppData\Local\Temp\humov.exe
"C:\Users\Admin\AppData\Local\Temp\humov.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/3048-0-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3048-10-0x0000000000240000-0x0000000000241000-memory.dmp
memory/3048-8-0x0000000000240000-0x0000000000241000-memory.dmp
memory/3048-6-0x0000000000240000-0x0000000000241000-memory.dmp
memory/3048-5-0x0000000000230000-0x0000000000231000-memory.dmp
memory/3048-3-0x0000000000230000-0x0000000000231000-memory.dmp
memory/3048-1-0x0000000000230000-0x0000000000231000-memory.dmp
memory/3048-36-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3048-37-0x0000000000526000-0x000000000087A000-memory.dmp
memory/3048-35-0x0000000000290000-0x0000000000291000-memory.dmp
memory/3048-33-0x0000000000290000-0x0000000000291000-memory.dmp
memory/3048-30-0x0000000000280000-0x0000000000281000-memory.dmp
memory/3048-28-0x0000000000280000-0x0000000000281000-memory.dmp
memory/3048-25-0x0000000000270000-0x0000000000271000-memory.dmp
memory/3048-23-0x0000000000270000-0x0000000000271000-memory.dmp
memory/3048-20-0x0000000000260000-0x0000000000261000-memory.dmp
memory/3048-18-0x0000000000260000-0x0000000000261000-memory.dmp
memory/3048-15-0x0000000000250000-0x0000000000251000-memory.dmp
memory/3048-13-0x0000000000250000-0x0000000000251000-memory.dmp
memory/3048-12-0x0000000000250000-0x0000000000251000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\apmit.exe
| MD5 | 1265c2d1eb71a9f2ed56bc93119b3f0c |
| SHA1 | 792cb831a293d199965cedef5fcde5c6c90bbe33 |
| SHA256 | 78c734d3ba612c0583669c150a314af65a0ea69c1335b8a72d8da10167bc34a3 |
| SHA512 | ca5c8d4a1eceaed2cd1ed57cf895878c59e4023302cd353615a7c06f84dee5aa58d3ee27fba85d0c75020f6451d19df65d65fc1df500bd73edbac59bda640adb |
memory/3048-59-0x0000000003F40000-0x0000000004A2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | d03b3bb6afd5cff8db08058bcb9f7b12 |
| SHA1 | 9ae3f12cadc0d47de590df0e751344ddf892f787 |
| SHA256 | 556c4b9de8ff78f7370eecf81fe84f679e3fa445478ffd48a223a565fb1b6db5 |
| SHA512 | 4e8a3e6375e86c8e6c3af6ff2517926feaa517ac9694e75a7458f531f06198a715e2503ba6e9320e298a2ce10f1bf8121e6351616dad1cc808e03e22f3ce28ae |
memory/3048-42-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3048-60-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3048-61-0x0000000000526000-0x000000000087A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 57de9813158e27de31e6b74a29777559 |
| SHA1 | 2f60679225a3930cc6c8beb5eb5305a59905b759 |
| SHA256 | 6db7697667cd3b682fd9c0d9d1fbc72ad06d5fd0d80da3ab53f7d0ffc8197d76 |
| SHA512 | 7688dc4c631261e32f13988604b282568bc4e5281d263400bbe1d65f0f35993e7f9f7902704443fe8a79f390bd1a6c6fe35e00b04c7136fdc7b17fa8d875e2a6 |
memory/2896-111-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2896-109-0x00000000045F0000-0x00000000050DC000-memory.dmp
\Users\Admin\AppData\Local\Temp\humov.exe
| MD5 | eb441a27a5c2eada4ffe0abba20e0011 |
| SHA1 | 75d079e99b1b739c9c27241e06f2d1b2bb3080ec |
| SHA256 | 446c03aa5110f157d7d1feaf6fd6160e0d554cb6fb0c38da6f0755199afa4f31 |
| SHA512 | fda9a35b7d78a2ab178487474ac85feb7e0c41e40e8d5e5d3f6cc353d2e21878f560e8ea832b9f759d0c1645be03d15e4be8cda4e8920409a57280ade05902d2 |
memory/2268-154-0x0000000004600000-0x0000000004799000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | cab12cfacfb8e3839045ae25a622cec0 |
| SHA1 | e7185e79f0fe9d4baea26bf77d805d25fd94da53 |
| SHA256 | d5d9e717bc0a790497ea4cd9a3bb1dcd59b80ffeaeef9d88685b15a5d93fb564 |
| SHA512 | 57c314afe6ab0817699962302cf4e205e550991a4e90050219354f083093bc77524669c8febfe2e645978d6d39c709b1cbd44a6072ecc91230ef3b249b1e52e4 |
memory/2268-166-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/1912-167-0x0000000000400000-0x0000000000599000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/1912-172-0x0000000000400000-0x0000000000599000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-03 22:20
Reported
2024-08-03 22:22
Platform
win10v2004-20240802-en
Max time kernel
118s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qoimm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qoimm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cehil.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qoimm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cehil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe
"C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe"
C:\Users\Admin\AppData\Local\Temp\qoimm.exe
"C:\Users\Admin\AppData\Local\Temp\qoimm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\tytuup.exe
"C:\Users\Admin\AppData\Local\Temp\tytuup.exe" OK
C:\Users\Admin\AppData\Local\Temp\cehil.exe
"C:\Users\Admin\AppData\Local\Temp\cehil.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/4552-0-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/4552-4-0x0000000001090000-0x0000000001091000-memory.dmp
memory/4552-9-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/4552-7-0x0000000002C80000-0x0000000002C81000-memory.dmp
memory/4552-6-0x00000000010D0000-0x00000000010D1000-memory.dmp
memory/4552-8-0x0000000002C90000-0x0000000002C91000-memory.dmp
memory/4552-5-0x00000000010C0000-0x00000000010C1000-memory.dmp
memory/4552-3-0x0000000000526000-0x000000000087A000-memory.dmp
memory/4552-2-0x0000000001080000-0x0000000001081000-memory.dmp
memory/4552-1-0x0000000000F10000-0x0000000000F11000-memory.dmp
memory/4552-13-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qoimm.exe
| MD5 | 506c2702dc1ac11e937a2f4d7f37cdf4 |
| SHA1 | c8007884da282d5cab84f76bd48b6ecf460d127a |
| SHA256 | 841e3f64423b6facf1f93c25ab5733946d64db97b65a6b0de396ab1409fa6e9e |
| SHA512 | 38f16e239bcf05deb8a1aa854d2c47551d5c25267850714c16cde20fae2cc06642c0c14f871c258b0c1ee6f95a394acaf473d5c2f95615fe1b6bc169f0b0c16f |
memory/4076-24-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/4552-25-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/4552-26-0x0000000000526000-0x000000000087A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | d03b3bb6afd5cff8db08058bcb9f7b12 |
| SHA1 | 9ae3f12cadc0d47de590df0e751344ddf892f787 |
| SHA256 | 556c4b9de8ff78f7370eecf81fe84f679e3fa445478ffd48a223a565fb1b6db5 |
| SHA512 | 4e8a3e6375e86c8e6c3af6ff2517926feaa517ac9694e75a7458f531f06198a715e2503ba6e9320e298a2ce10f1bf8121e6351616dad1cc808e03e22f3ce28ae |
memory/4076-38-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/4076-34-0x0000000002B80000-0x0000000002B81000-memory.dmp
memory/4076-33-0x0000000002B70000-0x0000000002B71000-memory.dmp
memory/4076-39-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/4076-32-0x0000000002B60000-0x0000000002B61000-memory.dmp
memory/4076-31-0x0000000002B50000-0x0000000002B51000-memory.dmp
memory/4076-30-0x0000000002B20000-0x0000000002B21000-memory.dmp
memory/4076-29-0x0000000002B10000-0x0000000002B11000-memory.dmp
memory/4076-28-0x00000000010D0000-0x00000000010D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | d2d605486f31f3c0b15d8a0246f3268c |
| SHA1 | d9f41e8aa1562cccc38aa217afd8510feb5d5dfe |
| SHA256 | 5a86136245c89561ca4696bffed149c523a34a4f5771e829537941d6b2fec89c |
| SHA512 | c3fc741cb650d77a0e3b862caedc197a68d5089fb07891bd566bbed8202c4002a42445341e8a91effb415936fe65e9953f091f2dd1fe57ef71dbd5412240fcc0 |
memory/4076-48-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3884-51-0x0000000001030000-0x0000000001031000-memory.dmp
memory/3884-50-0x0000000001020000-0x0000000001021000-memory.dmp
memory/3884-54-0x00000000010D0000-0x00000000010D1000-memory.dmp
memory/3884-53-0x00000000010C0000-0x00000000010C1000-memory.dmp
memory/3884-56-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3884-55-0x00000000010E0000-0x00000000010E1000-memory.dmp
memory/3884-52-0x00000000010B0000-0x00000000010B1000-memory.dmp
memory/3884-49-0x0000000001010000-0x0000000001011000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cehil.exe
| MD5 | 92c99fcaeaed30d0710bacf32b944c44 |
| SHA1 | c053db27e0aa5405eefd06777e413d81155cbbf2 |
| SHA256 | ea4652b881931aeacffb5b0f1cb47c5641ba612c975955b7d4a417fc3f80107a |
| SHA512 | 7cf7fcad3cc863172402c2dd0dc22903b735bd75bd6266b8025b245d18a568bb40609e1442817baa7d92b23261219857866be02e62de6b12ad5984c2d812737a |
memory/4900-70-0x0000000000400000-0x0000000000599000-memory.dmp
memory/3884-71-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 0c7f6a541413da07522c44e54b36957d |
| SHA1 | 0b123c6ec500ca81d420282ec44af7bbf60e51db |
| SHA256 | 4301d6047521bb1fda702ea17353d468862ab250756faca1db0c3236e8343584 |
| SHA512 | a7da0f6c81b3bb04ecf3aeadf1c2b2aeae14c856ffcba9a790a965167349d06c83e160cd45b81e4e13ee98c40deb0bd0377ba89c683717432cd796092d9dd1c9 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/4900-74-0x0000000000400000-0x0000000000599000-memory.dmp
memory/4900-75-0x0000000000400000-0x0000000000599000-memory.dmp