Analysis Overview
SHA256
03ab57357de3b46523fbb9d061e6d1fe79fbca1158c8de37664da659c90aa088
Threat Level: Known bad
The file a9924cfd3a9eb9696e6a774efab3ca10N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Deletes itself
Loads dropped DLL
Checks computer location settings
ASPack v2.12-2.42
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-03 14:18
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-03 14:18
Reported
2024-08-03 14:20
Platform
win7-20240708-en
Max time kernel
119s
Max time network
87s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
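Added example, not part of the sandbox report and not the sandbox's own signature code: a stdlib-only Python check for the two static indicators this report raises, ASPack packing and an unsigned PE. The sandbox's "ASPack v2.12-2.42" tag comes from a byte-pattern packer signature; the coarser substitute here looks for the `.aspack`/`.adata` section names ASPack adds by default. "Unsigned PE" is approximated by an empty security (Authenticode) data directory. `build_pe32` constructs a minimal synthetic PE purely as test input, since the sample's bytes are not on the page.

```python
import struct

ASPACK_SECTIONS = {".aspack", ".adata"}   # section names ASPack adds by default
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # Authenticode certificate table


def build_pe32(section_names, signed=False):
    """Build a minimal, non-executable PE32 image as synthetic test input.
    Assumption: this is NOT the analysed sample; its bytes are not on the page."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE header
    size_opt = 224                                        # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if signed:                                            # non-empty security directory
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x1000, 0x800)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii").ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


def parse_pe(data):
    """Return (section_names, has_authenticode_directory) for PE32 or PE32+ input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32) / +112 (PE32+), preceded by NumberOfRvaAndSizes
    ndirs_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    has_sig_dir = False
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _off, size = struct.unpack_from(
            "<II", data, opt + dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
        has_sig_dir = size != 0
    sec_off = opt + size_opt
    names = []
    for i in range(nsec):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names, has_sig_dir


def static_tags(data):
    """Reproduce the report's two static tags with plain header checks."""
    names, has_sig_dir = parse_pe(data)
    tags = []
    if ASPACK_SECTIONS & set(names):
        tags.append("ASPack")
    if not has_sig_dir:
        tags.append("Unsigned PE")
    return tags


if __name__ == "__main__":
    print(static_tags(build_pe32([".text", ".aspack", ".adata"])))
```

Two caveats apply when using this on real samples: a packer whose section names were renamed defeats the name check (entropy and entry-point-outside-.text checks are the usual fallback), and an empty security directory only proves there is no embedded signature, so catalog-signed Windows binaries also come out as "Unsigned PE" here.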
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keowu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zegeb.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keowu.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zegeb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keowu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe
"C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe"
C:\Users\Admin\AppData\Local\Temp\keowu.exe
"C:\Users\Admin\AppData\Local\Temp\keowu.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\zegeb.exe
"C:\Users\Admin\AppData\Local\Temp\zegeb.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11120 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
| JP | 133.242.129.155:11120 | | tcp |
Files
memory/2316-0-0x0000000000AB0000-0x0000000000C7E000-memory.dmp
\Users\Admin\AppData\Local\Temp\keowu.exe
| MD5 | 31835a38f2f57f9aba4df315e19b67e8 |
| SHA1 | d3c1e94e22c107b8690b93ee876a1b9a80dbe680 |
| SHA256 | d0900eb4eae0b6fff00effe0d85d5aa55f7944647c8f71ee2ac8451cff73dda9 |
| SHA512 | 8d5d766983c4c152ab67123dca811515693b90b8213c5f6c52efc3bd9ffaaa2293c57533b13d8086aaf8af5f4760da2acc346203adb0e197e4246c3e6141177d |
memory/2844-18-0x0000000000AB0000-0x0000000000C7E000-memory.dmp
memory/2316-17-0x0000000000AB0000-0x0000000000C7E000-memory.dmp
memory/2316-15-0x0000000002BE0000-0x0000000002DAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | f4e8084f3a12fa955e6eab09955e87b3 |
| SHA1 | af17fbea88d60d6959e2e2714651c21f6c4726d9 |
| SHA256 | 1e9e90365f77e3cea2c074d22270608ebe8807b741de3d0f3826e8abe2f095e3 |
| SHA512 | 5e93d47e88daa7af3da27db90c8d674f388535f57a77135b14e0666027c0b39847146769d272be0bcf6660927919119edfb26a410d106da9c3baf3fc10bcc585 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | aafa8acfb7301b760365272a69beee9d |
| SHA1 | 68b6a066c7df82cd9a1f92d8759fb4e5d1147691 |
| SHA256 | 83bb0813826d4edcafeecb6fc09eab8229c2c1fb4fd4253e0e91724db9101c35 |
| SHA512 | ffa384661427652e5e766796ae4966fa4359460e9b83f1dd3530e25c119593739d2aee7aba9fdde66c715f62f6e31caec1d6905ec7ccf8253a25ff34dd6c0973 |
\Users\Admin\AppData\Local\Temp\zegeb.exe
| MD5 | 259e7564efda7167dd5d02f0ff53efb6 |
| SHA1 | 07177dd8592a4f154ec753a16aeffd0d1ca24026 |
| SHA256 | 899b17b10466aa54ef55bb614c1b0eb1e6e6deff94332aac076fb3c33f9c6a9c |
| SHA512 | ae383eff91f651b11aab30bf613ab72c393a72f423734daa6dff413014f6b0f6323cd620b2c525cf169db5d873471a1770b5eb423b0f3e8f5ee4edf92cf90df1 |
memory/2844-26-0x0000000003250000-0x00000000032E3000-memory.dmp
memory/2740-31-0x0000000001350000-0x00000000013E3000-memory.dmp
memory/2740-32-0x0000000001350000-0x00000000013E3000-memory.dmp
memory/2740-30-0x0000000001350000-0x00000000013E3000-memory.dmp
memory/2740-28-0x0000000001350000-0x00000000013E3000-memory.dmp
memory/2844-29-0x0000000000AB0000-0x0000000000C7E000-memory.dmp
memory/2740-34-0x0000000001350000-0x00000000013E3000-memory.dmp
memory/2740-35-0x0000000001350000-0x00000000013E3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-03 14:18
Reported
2024-08-03 14:20
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vuves.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vuves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kijun.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vuves.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kijun.exe | N/A |
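Added example, not the sandbox's own signature implementation: a simplified re-implementation of three behavioural signatures from this report (System Language Discovery, Checks computer location settings, Deletes itself) run over constructed API-trace events. The event shape, the PIDs, the extra explorer.exe noise events and the "cmd.exe launching a .bat from Temp" heuristic for Deletes itself are all assumptions; the registry paths and the cmd.exe command line are the ones the report's tables show.

```python
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PARENT = TEMP + r"\a9924cfd3a9eb9696e6a774efab3ca10N.exe"
DROPPED = TEMP + r"\keowu.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000"
           r"\Control Panel\International\Geo")

# Constructed API-trace events in an assumed shape (one dict per call). PIDs are
# arbitrary; the explorer.exe rows are benign noise to show the rules do not over-match.
EVENTS = [
    {"pid": 101, "image": PARENT, "api": "NtOpenKey", "args": {"path": NLS_KEY}},
    {"pid": 101, "image": PARENT, "api": "NtQueryValueKey",
     "args": {"path": GEO_KEY, "value": "Nation"}},
    {"pid": 101, "image": PARENT, "api": "CreateProcessW",
     "args": {"cmdline": 'cmd /c ""' + TEMP + r'\_sannuy.bat" "'}},
    {"pid": 102, "image": DROPPED, "api": "NtOpenKey", "args": {"path": NLS_KEY}},
    {"pid": 103, "image": r"C:\Windows\explorer.exe", "api": "NtOpenKey",
     "args": {"path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}},
    {"pid": 103, "image": r"C:\Windows\explorer.exe", "api": "CreateProcessW",
     "args": {"cmdline": r'cmd /c "C:\Windows\Temp\update.bat"'}},
]

OPEN_KEY_APIS = {"NtOpenKey", "RegOpenKeyExW", "RegOpenKeyExA"}
QUERY_VALUE_APIS = {"NtQueryValueKey", "RegQueryValueExW", "RegQueryValueExA"}
# cmd[.exe] /c "<anything>\Temp\<name>.bat" (tolerates the doubled quotes seen in the report)
BAT_FROM_TEMP = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]*\\Temp\\[^"\\]*\.bat)"', re.I)


def run_signatures(events):
    """Map signature name -> sorted list of process images that triggered it."""
    hits = defaultdict(set)
    for ev in events:
        api, args, image = ev["api"], ev["args"], ev["image"]
        path = args.get("path", "").lower()
        if api in OPEN_KEY_APIS and path.endswith(r"\control\nls\language"):
            hits["System Location Discovery: System Language Discovery"].add(image)
        if (api in QUERY_VALUE_APIS and path.endswith(r"\control panel\international\geo")
                and args.get("value") == "Nation"):
            hits["Checks computer location settings"].add(image)
        if api == "CreateProcessW":
            m = BAT_FROM_TEMP.search(args.get("cmdline", ""))
            # Heuristic (assumption): a Temp-resident EXE handing a Temp .bat to cmd.exe
            if m and image.lower().startswith(TEMP.lower() + "\\"):
                hits["Deletes itself (heuristic)"].add(image)
    return {name: sorted(images) for name, images in hits.items()}


if __name__ == "__main__":
    for name, images in run_signatures(EVENTS).items():
        print(name, images)
```

The language and geo lookups are also made by plenty of legitimate software, which is why the report files them under discovery rather than as a verdict on their own; their value here is that every dropped binary repeats the same check, so the signature ties the parent and the dropped EXEs together. The batch-file heuristic would need the .bat contents (a `del` of the parent) to be confirmed, and those are not on the page.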
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe
"C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe"
C:\Users\Admin\AppData\Local\Temp\vuves.exe
"C:\Users\Admin\AppData\Local\Temp\vuves.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\kijun.exe
"C:\Users\Admin\AppData\Local\Temp\kijun.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11120 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| JP | 133.242.129.155:11120 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
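Added example, not from the report: hunting for the endpoints in the Network tables of both detonations in a Zeek-style conn.log. The IPs and ports are the four TCP destinations the report lists; the log lines are constructed, with RFC 5737 documentation and RFC 1918 addresses for the non-IOC rows. A second, weaker tier flags any external TCP connection to 11120/11170 alone, since both runs reused the same two ports. The Suricata rule text and its sid range are placeholders.

```python
import ipaddress

# Endpoints taken from the Network tables of both detonations in this report.
C2_ENDPOINTS = {
    ("218.54.31.226", 11120), ("218.54.30.235", 11120),
    ("1.234.83.146", 11170), ("133.242.129.155", 11120),
}
C2_PORTS = {port for _, port in C2_ENDPOINTS}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Zeek-style conn.log excerpt (ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto).
# Rows C1 and C4 use report IOCs; C5 reuses a C2 port against a documentation address;
# C6 is internal traffic on the same port and must not be flagged.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1722694700.001\tC1\t10.0.0.5\t49321\t218.54.31.226\t11120\ttcp\n"
    "1722694700.250\tC2\t10.0.0.5\t49322\t8.8.8.8\t53\tudp\n"
    "1722694701.100\tC3\t10.0.0.7\t49400\t203.0.113.10\t443\ttcp\n"
    "1722694702.300\tC4\t10.0.0.5\t49323\t1.234.83.146\t11170\ttcp\n"
    "1722694703.500\tC5\t10.0.0.9\t49500\t198.51.100.20\t11120\ttcp\n"
    "1722694704.000\tC6\t10.0.0.9\t49501\t10.0.0.20\t11120\ttcp\n"
)


def parse_conn_log(text):
    """Parse the tab-separated subset of conn.log fields used above."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, src, sport, dst, dport, proto = line.split("\t")
        rows.append({"ts": float(ts), "uid": uid, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "proto": proto})
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def hunt(rows):
    """Two tiers: exact IP:port matches (high confidence) and external TCP to the C2 ports only."""
    exact, port_only = [], []
    for r in rows:
        if r["proto"] != "tcp" or is_internal(r["dst"]):
            continue
        if (r["dst"], r["dport"]) in C2_ENDPOINTS:
            exact.append(r["uid"])
        elif r["dport"] in C2_PORTS:
            port_only.append(r["uid"])
    return exact, port_only


def suricata_rules(base_sid=9000001):
    """One alert rule per endpoint; sid range is a placeholder (assumption)."""
    rules = []
    for i, (ip, port) in enumerate(sorted(C2_ENDPOINTS)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Urelas C2 endpoint from sandbox report"; flow:to_server; '
            f'sid:{base_sid + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    exact, port_only = hunt(parse_conn_log(SAMPLE_CONN_LOG))
    print("exact:", exact, "port-only:", port_only)
    print("\n".join(suricata_rules()))
```

The PTR lookups through 8.8.8.8 in the win10 run are reverse-DNS queries for addresses that do not appear among the sample's TCP destinations; they are not included as indicators here. The port-only tier is deliberately kept separate because a high, unregistered port is far weaker evidence than the IP:port pairs the report actually observed.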
Files
memory/1880-0-0x00000000001A0000-0x000000000036E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vuves.exe
| MD5 | c53127170a56f20a11ad245f6b15ddd4 |
| SHA1 | e4c51c5d35b6d8d6e188e1021d81baaaa98edc3d |
| SHA256 | e86098f4d27529e041e7e08a0c8851749a672569e2489bde3db25bd75a8e5ff8 |
| SHA512 | 3f582cd93a52f27921eeb89a82264c44b2e82b3e9dbd4577682b13f7d835b1d3467e6ef80ba6549bd93f38f024abd68e4474928791d8abf68e19d44435154eca |
memory/3608-12-0x0000000000300000-0x00000000004CE000-memory.dmp
memory/1880-14-0x00000000001A0000-0x000000000036E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | f4e8084f3a12fa955e6eab09955e87b3 |
| SHA1 | af17fbea88d60d6959e2e2714651c21f6c4726d9 |
| SHA256 | 1e9e90365f77e3cea2c074d22270608ebe8807b741de3d0f3826e8abe2f095e3 |
| SHA512 | 5e93d47e88daa7af3da27db90c8d674f388535f57a77135b14e0666027c0b39847146769d272be0bcf6660927919119edfb26a410d106da9c3baf3fc10bcc585 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | cada88b80c1779b8a384e43080ea1118 |
| SHA1 | a32e9b3d80f224f8e67815a3e51502cc6b7040dc |
| SHA256 | 80fc4906ef97fd34800f00fb1bdb8d4288517807e54fdd74d1900ce45ad53c65 |
| SHA512 | d9f388c3b2669a73c65eaad681fbf157b20edfeb064a125b42716752a59129ebb4a6715acb830e2c3bd6de274ba90ecaf5adda4098e6d9f40aa02a7bd22f0869 |
C:\Users\Admin\AppData\Local\Temp\kijun.exe
| MD5 | fdb8acaa851ff97dd36de77173c820aa |
| SHA1 | e69d05075dc6f445e5b078dd25addaa91b6b8262 |
| SHA256 | 2688485ef975c019b008c6b5ec2fd8ec7f3686cf295d704101daf346084b2252 |
| SHA512 | 8d2aa0685888a6f17441aa36644d6f146de680d466b2b9247fa3a0fe2d324adef4af2e6ac1aedbed223f6997a0c83b3b3cb11d4c6507bcf215e9a9e254d7d0c6 |
memory/3608-28-0x0000000000300000-0x00000000004CE000-memory.dmp
memory/3972-29-0x0000000000D00000-0x0000000000D93000-memory.dmp
memory/3972-27-0x0000000000D00000-0x0000000000D93000-memory.dmp
memory/3972-26-0x0000000000D00000-0x0000000000D93000-memory.dmp
memory/3972-25-0x0000000000D00000-0x0000000000D93000-memory.dmp
memory/3972-31-0x0000000000D00000-0x0000000000D93000-memory.dmp
memory/3972-32-0x0000000000D00000-0x0000000000D93000-memory.dmp
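Added example, not the report's tooling: parse the Files listings of both detonations and compare them, to see which dropped artifacts are stable across runs and therefore usable as indicators. The listing text embedded below is copied from this report (MD5 and SHA256 rows only, plus three memory dump names per run); the parser, the comparison and `match_blob` are the added part.

```python
import hashlib
import re

# Subset of this report's Files sections (behavioral1 = win7, behavioral2 = win10).
RUN1_FILES = r"""
memory/2316-0-0x0000000000AB0000-0x0000000000C7E000-memory.dmp
\Users\Admin\AppData\Local\Temp\keowu.exe
| MD5 | 31835a38f2f57f9aba4df315e19b67e8 |
| SHA256 | d0900eb4eae0b6fff00effe0d85d5aa55f7944647c8f71ee2ac8451cff73dda9 |
memory/2844-18-0x0000000000AB0000-0x0000000000C7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | f4e8084f3a12fa955e6eab09955e87b3 |
| SHA256 | 1e9e90365f77e3cea2c074d22270608ebe8807b741de3d0f3826e8abe2f095e3 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | aafa8acfb7301b760365272a69beee9d |
| SHA256 | 83bb0813826d4edcafeecb6fc09eab8229c2c1fb4fd4253e0e91724db9101c35 |
\Users\Admin\AppData\Local\Temp\zegeb.exe
| MD5 | 259e7564efda7167dd5d02f0ff53efb6 |
| SHA256 | 899b17b10466aa54ef55bb614c1b0eb1e6e6deff94332aac076fb3c33f9c6a9c |
memory/2740-31-0x0000000001350000-0x00000000013E3000-memory.dmp
"""

RUN2_FILES = r"""
memory/1880-0-0x00000000001A0000-0x000000000036E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vuves.exe
| MD5 | c53127170a56f20a11ad245f6b15ddd4 |
| SHA256 | e86098f4d27529e041e7e08a0c8851749a672569e2489bde3db25bd75a8e5ff8 |
memory/3608-12-0x0000000000300000-0x00000000004CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | f4e8084f3a12fa955e6eab09955e87b3 |
| SHA256 | 1e9e90365f77e3cea2c074d22270608ebe8807b741de3d0f3826e8abe2f095e3 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | cada88b80c1779b8a384e43080ea1118 |
| SHA256 | 80fc4906ef97fd34800f00fb1bdb8d4288517807e54fdd74d1900ce45ad53c65 |
C:\Users\Admin\AppData\Local\Temp\kijun.exe
| MD5 | fdb8acaa851ff97dd36de77173c820aa |
| SHA256 | 2688485ef975c019b008c6b5ec2fd8ec7f3686cf295d704101daf346084b2252 |
memory/3972-29-0x0000000000D00000-0x0000000000D93000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")


def parse_files(text):
    """Return ({path: {algo: hexdigest}}, [memory dump dicts]) from a Files listing."""
    files, dumps, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(idx), "start": int(start, 16),
                          "size": int(end, 16) - int(start, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current:
            files[current][m.group(1)] = m.group(2)
            continue
        if line:                      # any other non-empty line is a file path
            current = line
            files[current] = {}
    return files, dumps


def compare_runs(files_a, files_b):
    """Compare by basename (the report mixes drive-less and drive-qualified paths)."""
    def by_name(files):
        return {p.rsplit("\\", 1)[-1]: h["SHA256"] for p, h in files.items() if "SHA256" in h}
    ha, hb = by_name(files_a), by_name(files_b)
    same = sorted(n for n in ha if n in hb and ha[n] == hb[n])
    changed = sorted(n for n in ha if n in hb and ha[n] != hb[n])
    return same, changed, sorted(set(ha) - set(hb)), sorted(set(hb) - set(ha))


def match_blob(data, files):
    """Return the report path whose SHA256 matches these bytes, else None."""
    digest = hashlib.sha256(data).hexdigest()
    return next((p for p, h in files.items() if h.get("SHA256") == digest), None)


if __name__ == "__main__":
    f1, d1 = parse_files(RUN1_FILES)
    f2, d2 = parse_files(RUN2_FILES)
    print(compare_runs(f1, f2))
    print(sorted({hex(d["size"]) for d in d1 + d2}))
```

What the comparison shows from the page's own values: `_sannuy.bat` has the same hash in both runs, so it is the one file-level indicator that survives across detonations; `golfinfo.ini` differs between runs; the dropped executables get different names and hashes each time (keowu/zegeb versus vuves/kijun), so their hashes are weak indicators on their own. The memory dump names, once parsed, give the same two region sizes in both runs, 0x1CE000 and 0x93000, even though the file names change.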