Analysis Overview
SHA256
4593b6e970619e209c1f3be7e800abf01f2929fa55b18466808d74bcae2953cb
Threat Level: Known bad
The file e97dbd38267aa1673465097fd7c44950N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 09:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 09:44
Reported
2024-08-04 09:46
Platform
win7-20240704-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gyozf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pasuf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e97dbd38267aa1673465097fd7c44950N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gyozf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pasuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e97dbd38267aa1673465097fd7c44950N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gyozf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e97dbd38267aa1673465097fd7c44950N.exe
"C:\Users\Admin\AppData\Local\Temp\e97dbd38267aa1673465097fd7c44950N.exe"
C:\Users\Admin\AppData\Local\Temp\gyozf.exe
"C:\Users\Admin\AppData\Local\Temp\gyozf.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\pasuf.exe
"C:\Users\Admin\AppData\Local\Temp\pasuf.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2388-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2388-0-0x0000000000B50000-0x0000000000BD1000-memory.dmp
\Users\Admin\AppData\Local\Temp\gyozf.exe
| MD5 | 632a90c8aeee4642b83fda54f8823611 |
| SHA1 | 852345560ca5ad2849bc60261d8c2f9d2f711d24 |
| SHA256 | cdcd2d2afed80116f1fe81caf2bde660fc5e172d6678b84d2f4e7bf0009891f8 |
| SHA512 | 921938e72c2dfd3656f19e5a1278798767954e206b795f1bd5f8992da79b5c8fa336a96284bbfc16efbbb099e6be4c525f44f68be849736b32d35a94cfc8d047 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 752166cc90face0f9ee0aa9350967e57 |
| SHA1 | 4ffb4d7c4917f4d1fa4f59d82596b13a08f58568 |
| SHA256 | 1983a5e5233af5253ac84c61f81fec353769bc66e6913d99d7ac60e98fb0bdb2 |
| SHA512 | 578ef7918a74c33866f615d923c522418ebfa34a5ef063f1010c69e51b7548b6c7a4aadeca160b1baf4e8e9dd69259a8beee7ec4c67e4cb42460c8dca7dedace |
memory/2388-17-0x00000000009A0000-0x0000000000A21000-memory.dmp
memory/2580-21-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2580-20-0x0000000000920000-0x00000000009A1000-memory.dmp
memory/2388-19-0x0000000000B50000-0x0000000000BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 4a3cc0488fa37954011ec14278c96d15 |
| SHA1 | 644bfec79809b11dc6e672a9365925034141f808 |
| SHA256 | 3970d8fc33f60eba7c0477f6ce62ac083ad97d22aa64941fffbc1106a08fba10 |
| SHA512 | 9b0d6c641e73c1c412c991196aafad808dca1eb2786cec061a1ef11d53961103382c0613bfcd02e9c5fcf0bddbe4fb3242222e2198d62c016b76d9482a1e603c |
memory/2580-24-0x0000000000920000-0x00000000009A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\pasuf.exe
| MD5 | fe2348cc098fc9ca5fa4de537796a566 |
| SHA1 | def23524929da4307b277b824178799ee2dfbc9d |
| SHA256 | 8e0277884b834620e642da6e38e0bb8c79e15ad962090c5188a8ebcdf1f130f3 |
| SHA512 | 41f2579eb26c44ebd0fd5e04556c733156cff8656f93fa584ddaeb6c166de81a20136b72f9d1534aba67b9c51d9589062e1c3a1ccda4419b31350686ee45e247 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 09:44
Reported
2024-08-04 09:46
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e97dbd38267aa1673465097fd7c44950N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\teduf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\teduf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\munyr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e97dbd38267aa1673465097fd7c44950N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\teduf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\munyr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e97dbd38267aa1673465097fd7c44950N.exe
"C:\Users\Admin\AppData\Local\Temp\e97dbd38267aa1673465097fd7c44950N.exe"
C:\Users\Admin\AppData\Local\Temp\teduf.exe
"C:\Users\Admin\AppData\Local\Temp\teduf.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\munyr.exe
"C:\Users\Admin\AppData\Local\Temp\munyr.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/376-0-0x00000000009E0000-0x0000000000A61000-memory.dmp
memory/376-1-0x0000000000820000-0x0000000000821000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\teduf.exe
| MD5 | cadc8f50c0d77e9203436bcaa49cb062 |
| SHA1 | 97c707f2ffb1d773f84adae6983af0c55c5ce644 |
| SHA256 | d79a0ebba60810cf00f601cdf9a46e4bb571a290c1f3b423c81ea684052d3103 |
| SHA512 | 76625201705cebad2a0b1fc6f3dccf829febb595ed5ae77d7c89dcf4cb2c651522278e081053bef75c7fc76a2b1b74b0dd9ea0372e26b5db78f9b2b08552e022 |
memory/816-15-0x0000000000810000-0x0000000000811000-memory.dmp
memory/816-14-0x0000000000830000-0x00000000008B1000-memory.dmp
memory/376-17-0x00000000009E0000-0x0000000000A61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 752166cc90face0f9ee0aa9350967e57 |
| SHA1 | 4ffb4d7c4917f4d1fa4f59d82596b13a08f58568 |
| SHA256 | 1983a5e5233af5253ac84c61f81fec353769bc66e6913d99d7ac60e98fb0bdb2 |
| SHA512 | 578ef7918a74c33866f615d923c522418ebfa34a5ef063f1010c69e51b7548b6c7a4aadeca160b1baf4e8e9dd69259a8beee7ec4c67e4cb42460c8dca7dedace |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f102389544f6df60c2705f509a7baaa0 |
| SHA1 | 104311bc3b04f8a0cad951b177da9a56bac9a1e9 |
| SHA256 | 64040383f62e35f9818504ab608442069d2c478b30523445f1bb940b563a8a15 |
| SHA512 | 185e4eafbab6ccdad6f0d3cad40f2839dff659699f04c337f7871c6fb4a13c8a726b32b786a69eacf22875bcd4da973dabb8982987e106a02d4ab44a9a2400e9 |
memory/816-20-0x0000000000830000-0x00000000008B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\munyr.exe
| MD5 | dae35f80362fe605b3f3b00e3da7a42d |
| SHA1 | e7759aeec13019993e3c7ce6ac4d2d6724fd31db |
| SHA256 | 321e5fbc3a1fe0033779758d335f8814a5e4834feef3a3d62192b1b08059de9f |
| SHA512 | 32dfdfe0ec4e9c0bffa218a04228afc503a28620e0882ae4f286eb7e09b57f7e8920ffedb7caa2fa91ea15ad8dfc838cd739a11a524c8c7a725b94f7ecaef8da |