Analysis Overview
SHA256
ac06d639d30aec9bb6305373ffb6fa125a89d1db2d259b587489119676a434bc
Threat Level: Known bad
The file e4147b5901fcbc63624d36700ca59330N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Deletes itself
ASPack v2.12-2.42
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 06:16
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 06:16
Reported
2024-08-04 06:18
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\usmim.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\joivdu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\usmim.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\joivdu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ryiwo.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\usmim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\joivdu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ryiwo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe
"C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe"
C:\Users\Admin\AppData\Local\Temp\usmim.exe
"C:\Users\Admin\AppData\Local\Temp\usmim.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\joivdu.exe
"C:\Users\Admin\AppData\Local\Temp\joivdu.exe" OK
C:\Users\Admin\AppData\Local\Temp\ryiwo.exe
"C:\Users\Admin\AppData\Local\Temp\ryiwo.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/1160-0-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\usmim.exe
| MD5 | ab14edb09a240e1d33dd69094c9ca0ba |
| SHA1 | a3cba383754cfc2a92ca9436621276b1831bbc32 |
| SHA256 | 5eb1fa75240ad31b83fb2a43de5029676ab1529c1c568a7d129cb761c79a28ca |
| SHA512 | 242944a440d38b212bd4d0169d00d82116b83e63151218233a2968dc7ad720c82cdad16cc5239f4f6087f22f174243e60f252c07c0bb5537975e16da170afca2 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 50c8d0497c2db650e39e6929951ef040 |
| SHA1 | 6463c2360d376bb7c8cdaa6cbdbe968dc916c3a3 |
| SHA256 | 42ae5ebe31a8ccdd891e294e3f338d24368de0bd99dd3640fdc4f1ccf8f4334a |
| SHA512 | defb2b8c047282e3ba47cf057bc7746bf87df87b5cca4fa7eee45739482cee34dee1c8eaafb4d1cb18cfb5bdca3e44d376d1905b2be6bf1fd2c2addadfeed174 |
memory/3104-14-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1160-15-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 67319676c0c43cefcf1c88a4720b07b6 |
| SHA1 | d4b4b65683e3221a9ee3025c5ad013eea0d7f407 |
| SHA256 | f0d650e4d09d5a7cedd6f4df43f927d45f6e6d9abafc60aeb7eb691a1e2ea59a |
| SHA512 | dd449def574efd2a9194fdb7ff8573ad1e01245fcfeeb89ef32a7419bea741ad1fc7c73cfda2559a4af0bc1a8680cb139e51f6219e53a571dc55c74e4a462f2e |
memory/3104-25-0x0000000000400000-0x0000000000458000-memory.dmp
memory/704-26-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ryiwo.exe
| MD5 | 02cb10d89178ce6b8f635c4c4f0e671d |
| SHA1 | 8d15bd42833d4d50b0b0e70773f5b2bfcc1549b1 |
| SHA256 | 9b68519a9e1d446ea200c88d0ab59574d93efc8166613b11385bda40ba2229bd |
| SHA512 | 0721f61b9cfea41262af059afda7bdf14f8bd3fad68d77af4e8bd8d06c5044ec393d9637aa244da5d86f6960cd4ec1553ed82535aeaa29f78d7f36e17b3f7045 |
memory/2828-42-0x0000000000C10000-0x0000000000C9C000-memory.dmp
memory/2828-40-0x0000000000C10000-0x0000000000C9C000-memory.dmp
memory/704-43-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2828-39-0x0000000000C10000-0x0000000000C9C000-memory.dmp
memory/2828-38-0x0000000000C10000-0x0000000000C9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 2e418a94ccf9833624cd7e1af27838ab |
| SHA1 | 22cfb28411bd95481aa567b05d1d009b1e90d81d |
| SHA256 | dd8cf16728f51b5ed80ba729153ed9a2e124e2ca8f62a8b403f8f694ff9fed28 |
| SHA512 | 1857e8578653c8852c7a26eb92f92221278042336a1e580704384b9b1a851994e6aa4c73cca154e7a4850e53d88d7e874bc69dd50a4e6d9043bb08260dd87b43 |
memory/2828-45-0x0000000000C10000-0x0000000000C9C000-memory.dmp
memory/2828-46-0x0000000000C10000-0x0000000000C9C000-memory.dmp
memory/2828-47-0x0000000000C10000-0x0000000000C9C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 06:16
Reported
2024-08-04 06:18
Platform
win7-20240729-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qofut.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sosuuj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huron.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qofut.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qofut.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sosuuj.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qofut.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sosuuj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huron.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe
"C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe"
C:\Users\Admin\AppData\Local\Temp\qofut.exe
"C:\Users\Admin\AppData\Local\Temp\qofut.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\sosuuj.exe
"C:\Users\Admin\AppData\Local\Temp\sosuuj.exe" OK
C:\Users\Admin\AppData\Local\Temp\huron.exe
"C:\Users\Admin\AppData\Local\Temp\huron.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2600-37-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2868-36-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sosuuj.exe
| MD5 | e1bb8abef3ac231d28b2487dee6988e6 |
| SHA1 | 2169bf91bac49e5b427702436730f639e4866463 |
| SHA256 | a6b22ff91106600eb2cc63ec74bf257810a2b089ba6358bb24bfb57915e725d0 |
| SHA512 | 92fb888bab3b1c342ca490090c25dbc745f08ff64826732ae02f23cdfc55505e435d5821dfd90b097a316d20da6dfa9774c072ad9dadbe18eed2acefcd65aa63 |
memory/2868-34-0x0000000003330000-0x0000000003388000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 67319676c0c43cefcf1c88a4720b07b6 |
| SHA1 | d4b4b65683e3221a9ee3025c5ad013eea0d7f407 |
| SHA256 | f0d650e4d09d5a7cedd6f4df43f927d45f6e6d9abafc60aeb7eb691a1e2ea59a |
| SHA512 | dd449def574efd2a9194fdb7ff8573ad1e01245fcfeeb89ef32a7419bea741ad1fc7c73cfda2559a4af0bc1a8680cb139e51f6219e53a571dc55c74e4a462f2e |
memory/2268-18-0x0000000002450000-0x00000000024A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | c796ba1d6146c80626e9d3d1b0bfbbf0 |
| SHA1 | b45d14498499b7220514043058720bb95d6b9bb4 |
| SHA256 | 0fdf48e4f4b6b686a8ffc3e4672efc362bb042f99ba0a0e3ca86e3ed41de791a |
| SHA512 | c10e35483905e75bdb07bffbe1f463a59ca337174a09f4deaacab04181eaf88e5af08d8a6a12d13c043149406b4bb79040379f8c0808748cca30e4f4275152c0 |
memory/2268-22-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2868-21-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2268-20-0x0000000002450000-0x00000000024A8000-memory.dmp
memory/2268-0-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2600-38-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2076-59-0x0000000000A20000-0x0000000000AAC000-memory.dmp
memory/2076-58-0x0000000000A20000-0x0000000000AAC000-memory.dmp
memory/2076-57-0x0000000000A20000-0x0000000000AAC000-memory.dmp
memory/2076-56-0x0000000000A20000-0x0000000000AAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huron.exe
| MD5 | 1f675291b5f45d32e04d686519566665 |
| SHA1 | 280660b161aca27d199569f04619e111d464c29f |
| SHA256 | cfb331188f635dbe0c7cc61579c777735c83ee3c7e421fc05b06e244676628a9 |
| SHA512 | b9e25b2fdd899c15c73bd1ddb146cd19c50807c56e7a9aadb9c29bfa52ffd91eee3b5e36bbdf3c468d5a35d31ba694f8965a72834bfc27e8aba7bac01ca41343 |
memory/2600-54-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | ad8cc94b1355fc153c8e5ea6499c93fa |
| SHA1 | 6a2371c9ad9f687adf81fb8a9a1b31a4a2c187a7 |
| SHA256 | abd7e3ed44d62b43e29f914106e16f3245e202dc84b761f8b35c5b39df3aa6ff |
| SHA512 | 5536c14dd6c7cfb3ab6ab22962d07b6dda43f0005d866ea6d69fed88bad98a8e679bc6e8ffc8ef70f40fc5871646397f677f85dd5f1e382819fd63405be2df3d |
memory/2600-45-0x00000000020B0000-0x000000000213C000-memory.dmp
memory/2076-62-0x0000000000A20000-0x0000000000AAC000-memory.dmp
memory/2076-63-0x0000000000A20000-0x0000000000AAC000-memory.dmp
memory/2076-64-0x0000000000A20000-0x0000000000AAC000-memory.dmp