Analysis Overview
SHA256
a2d3dbacab153c0f62f86289c949a2bdf0c9c68256e7ce76ab3ada81f40b3faf
Threat Level: Known bad
The file d0a44111a6966215015cfb913dd716e0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-03 19:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-03 19:19
Reported
2024-08-03 19:21
Platform
win7-20240708-en
Max time kernel
120s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zameb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fawyi.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d0a44111a6966215015cfb913dd716e0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zameb.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d0a44111a6966215015cfb913dd716e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zameb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fawyi.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d0a44111a6966215015cfb913dd716e0N.exe
"C:\Users\Admin\AppData\Local\Temp\d0a44111a6966215015cfb913dd716e0N.exe"
C:\Users\Admin\AppData\Local\Temp\zameb.exe
"C:\Users\Admin\AppData\Local\Temp\zameb.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\fawyi.exe
"C:\Users\Admin\AppData\Local\Temp\fawyi.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1788-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1788-0-0x0000000000EA0000-0x0000000000F21000-memory.dmp
\Users\Admin\AppData\Local\Temp\zameb.exe
| MD5 | 04fffa7bfac31a628d40902873b2f661 |
| SHA1 | f70f0e2c59057457919b634204787393613ab205 |
| SHA256 | 97f872b0a436eb78fe9be71b193b011f4b4d289bf4c49261d830adbc0525ccb5 |
| SHA512 | cb178bb2e0bb2078a0794beaae55a782bfe6f5fa7deb45330b5f9c1e047428d3e849397eddaec3a3d3e794da1743861f17279d927495e92bb512477db3a923c5 |
memory/1788-9-0x0000000000A70000-0x0000000000AF1000-memory.dmp
memory/744-12-0x0000000000020000-0x0000000000021000-memory.dmp
memory/744-11-0x0000000000E10000-0x0000000000E91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | eca4c93ecea564202a6c3cab11575c12 |
| SHA1 | 430419ef7682d30383e62df6cf25047795a4e739 |
| SHA256 | ac51a2498af6de0d7d50f62ab502e45504f791c39cf0d8ea08c20de26a84eefd |
| SHA512 | 9cc164d843da21b3644b1f9432bb04c1a08e6221710c7927c64d9aac20df9dd8027ed05c2824bb88448a444517167d410c6ea6e79b42c9e8c4ec558d6467163a |
memory/1788-21-0x0000000000EA0000-0x0000000000F21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8b31812100f2ccdcede050129b807e39 |
| SHA1 | acd58755f53d86c948574aa2eb0e7f6414813669 |
| SHA256 | c753a5c1f4ad895a72242f01a7a0beecda8e18823d48041bc7fda848d682c5ec |
| SHA512 | d2ffc7780e86e6686af8ec1e75944ccf387140e16dcef29ff82ce25a20c0e280337d2c7dc9792a5a5ee308552d5637e46b1a51b7fa9b5e05ce8bf9100fa02c83 |
memory/744-24-0x0000000000E10000-0x0000000000E91000-memory.dmp
\Users\Admin\AppData\Local\Temp\fawyi.exe
| MD5 | 79e00560453d4770d3fb03fce390f622 |
| SHA1 | c66c3706eddc6a9f709deb2b6cc826bc7dadf7d9 |
| SHA256 | 7038b15dde28be5073ed97fb6bb5f730e44811114382125f2355752c79d9adbb |
| SHA512 | 547f6ec6faff02379707f7417ae0a5bfe8feb5db5d4205b9277fb52cba6c116f2558602fca046a7956c9764e5316505c79fbfd37b8ddfad34916e3af4304a48e |
memory/2924-44-0x00000000003A0000-0x0000000000439000-memory.dmp
memory/2924-41-0x00000000003A0000-0x0000000000439000-memory.dmp
memory/744-40-0x0000000000E10000-0x0000000000E91000-memory.dmp
memory/2924-46-0x00000000003A0000-0x0000000000439000-memory.dmp
memory/2924-47-0x00000000003A0000-0x0000000000439000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-03 19:19
Reported
2024-08-03 19:21
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d0a44111a6966215015cfb913dd716e0N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bueph.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bueph.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vezur.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d0a44111a6966215015cfb913dd716e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bueph.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vezur.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d0a44111a6966215015cfb913dd716e0N.exe
"C:\Users\Admin\AppData\Local\Temp\d0a44111a6966215015cfb913dd716e0N.exe"
C:\Users\Admin\AppData\Local\Temp\bueph.exe
"C:\Users\Admin\AppData\Local\Temp\bueph.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\vezur.exe
"C:\Users\Admin\AppData\Local\Temp\vezur.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/3728-0-0x00000000001F0000-0x0000000000271000-memory.dmp
memory/3728-1-0x0000000000360000-0x0000000000361000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bueph.exe
| MD5 | 79321b1b1ce1a11ce372b1620a2a24ff |
| SHA1 | 45964486084f98d3b8e16109d4b06d2845ec0bdd |
| SHA256 | 4343197bcea883f2f6f6294e5069dc394d81e44df893b65574ccb583ef64a291 |
| SHA512 | 2e3c9c31043b4de9388d7f9d55be9b6d747a7ecc28f253c6abdec99590952d59f16f68e83e9073d128088ae6b08611bc68d18a687eab33fa3cf6589121bd0a91 |
memory/1108-14-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
memory/1108-13-0x0000000000050000-0x00000000000D1000-memory.dmp
memory/3728-17-0x00000000001F0000-0x0000000000271000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | eca4c93ecea564202a6c3cab11575c12 |
| SHA1 | 430419ef7682d30383e62df6cf25047795a4e739 |
| SHA256 | ac51a2498af6de0d7d50f62ab502e45504f791c39cf0d8ea08c20de26a84eefd |
| SHA512 | 9cc164d843da21b3644b1f9432bb04c1a08e6221710c7927c64d9aac20df9dd8027ed05c2824bb88448a444517167d410c6ea6e79b42c9e8c4ec558d6467163a |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 6f1cb819b31f46e9fbe3bdd1b8d3883e |
| SHA1 | 8a39880a2993ee974daedad76ed6aac2359564d7 |
| SHA256 | dbcf439a245f99469ddff13172273d19e0fd673722082ee16db811b90ccc919a |
| SHA512 | 4c861700f613ffb6ec47b7f72d89275ccfbdabbb1eca1a7049de026eb3164b3ab858c1d2ed5a0f39910d8cefefd04a0167f0a6bdd07f7dfe3954540a9d2d21e5 |
memory/1108-20-0x0000000000050000-0x00000000000D1000-memory.dmp
memory/1108-22-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vezur.exe
| MD5 | eea26b439b161954d01a4a4a981979cf |
| SHA1 | 1ed8d7740903adb4a5cd99e7ca64590658580b97 |
| SHA256 | dfd320c4207077a4c53c14cfd105c85aa3b510f321a3978b477ca1bf034f5b95 |
| SHA512 | a6bbc0ade2626dac10ba73d18993d4107dcc5d9ca07fd97741be346bd5f93143dd945643cc8033925eaccd7bc30d2bbb99d25dc17d3964c7c8c08901e59f68d8 |
memory/2932-44-0x00000000007B0000-0x00000000007B2000-memory.dmp
memory/2932-43-0x00000000000E0000-0x0000000000179000-memory.dmp
memory/2932-40-0x00000000000E0000-0x0000000000179000-memory.dmp
memory/1108-39-0x0000000000050000-0x00000000000D1000-memory.dmp
memory/2932-46-0x00000000000E0000-0x0000000000179000-memory.dmp
memory/2932-47-0x00000000000E0000-0x0000000000179000-memory.dmp
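Both detonations show the same three-part pattern: the sample runs a second executable it dropped into the user's Temp directory, runs a Temp batch file through cmd /c (the "Deletes itself" indicator), and the chain opens TCP connections to hosts on ports 11300 and 11170. The script below is an added example, not part of this report or of the sandbox's signature engine, that turns that pattern into detection logic over process-create and network-connect records. The records are constructed from the behavioral1 process list and network table: PIDs 1788, 744 and 2924 are taken from the memory-dump names, while the parent/child links, the cmd.exe PID, which process made the TCP connections, and the choice to treat ports 11300/11170 as suspicious are all assumptions.

```python
"""Detection logic for the process-tree and network pattern this report attributes
to Urelas. Added example: not part of the sandbox report or its tooling. Events are
constructed from the behavioral1 process list and network table in a simplified
Sysmon-like shape (process-create and network-connect records)."""
import re

# User Temp directory, the staging path used by the original sample and both droppers
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# cmd.exe /c running a batch file (the report's "Deletes itself" indicator)
BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([a-z]:\\[^"]+\.bat)"*', re.I)
# Destination ports seen in the report's TCP traffic (assumption: unusual high ports
# worth flagging, not an authoritative list of Urelas C2 ports)
SUSPICIOUS_PORTS = {11300, 11170}

T = r"C:\Users\Admin\AppData\Local\Temp"


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def conn(pid, dst, port, proto="tcp"):
    return {"type": "network", "pid": pid, "dst": dst, "port": port, "proto": proto}


# Constructed from behavioral1 (win7). PIDs 1788/744/2924 come from the memory-dump
# names; ppid 1000 for the initial sample, cmd.exe PID 1320, and attributing the
# connections to fawyi.exe (2924) are assumptions.
EVENTS = [
    proc(1788, 1000, T + r"\d0a44111a6966215015cfb913dd716e0N.exe",
         f'"{T}\\d0a44111a6966215015cfb913dd716e0N.exe"'),
    proc(744, 1788, T + r"\zameb.exe", f'"{T}\\zameb.exe"'),
    proc(1320, 1788, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c ""{T}\\_uinsey.bat" "'),
    proc(2924, 744, T + r"\fawyi.exe", f'"{T}\\fawyi.exe"'),
    conn(2924, "218.54.31.226", 11300),
    conn(2924, "1.234.83.146", 11170),
    conn(2924, "218.54.31.166", 11300),
    conn(2924, "133.242.129.155", 11300),
]

# Constructed benign activity: a batch file run from Program Files by explorer.exe
BENIGN_EVENTS = [
    proc(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    proc(901, 900, r"C:\Windows\System32\cmd.exe",
         r'cmd.exe /c "C:\Program Files\Vendor\update.bat"'),
    conn(901, "93.184.216.34", 443),
]


def detect(events):
    """Return (rule, pid, detail) tuples for each event that matches a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        parent_in_temp = parent is not None and TEMP_RE.match(parent["image"]) is not None
        # Rule 1: an executable staged in Temp launched by another Temp executable
        if parent_in_temp and TEMP_RE.match(p["image"]) and p["image"].lower().endswith(".exe"):
            findings.append(("dropped_exe_executed", p["pid"], p["image"]))
        # Rule 2: a Temp executable runs a Temp batch file via cmd /c (self-deletion)
        m = BAT_RE.search(p["cmdline"])
        if parent_in_temp and m and TEMP_RE.match(m.group(1)):
            findings.append(("temp_batch_from_temp_exe", p["pid"], m.group(1)))
    # Rule 3: TCP connections to the unusual ports seen in the report
    for e in events:
        if e["type"] == "network" and e["proto"] == "tcp" and e["port"] in SUSPICIOUS_PORTS:
            findings.append(("c2_port", e["pid"], f'{e["dst"]}:{e["port"]}'))
    return findings


def verdict(findings):
    """Require all three rule families before calling the chain Urelas-like."""
    kinds = {f[0] for f in findings}
    required = {"dropped_exe_executed", "temp_batch_from_temp_exe", "c2_port"}
    return "urelas-like" if required <= kinds else "inconclusive"


def iocs(events):
    """Network IOCs worth blocking, as sorted 'ip:port' strings."""
    return sorted({f[2] for f in detect(events) if f[0] == "c2_port"})


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print(verdict(detect(EVENTS)), iocs(EVENTS))
```

Each rule on its own is noisy (installers also drop executables into Temp, and cleanup batch files are common), which is why the verdict requires all three to co-occur in one process chain; the benign record set shows a Program Files batch file and an HTTPS connection producing no findings at all.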