Analysis Overview
SHA256
0f86ec37ce793d7040d48bafc0ae705dbe3c6b2647f3a7cc4755b24356433e71
Threat Level: Known bad
The file f43e0f2ca51002a44daef5415cec2d20N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
ASPack v2.12-2.42
Deletes itself
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 16:43
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 16:43
Reported
2024-08-04 16:45
Platform
win7-20240705-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nemuc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fyvot.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nemuc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nemuc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fyvot.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe
"C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe"
C:\Users\Admin\AppData\Local\Temp\nemuc.exe
"C:\Users\Admin\AppData\Local\Temp\nemuc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\fyvot.exe
"C:\Users\Admin\AppData\Local\Temp\fyvot.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2872-0-0x0000000000400000-0x0000000000465000-memory.dmp
\Users\Admin\AppData\Local\Temp\nemuc.exe
| MD5 | f82ccca9b36069ca0ef85d8b96fb6be9 |
| SHA1 | 44997371a4b59a585f4f6983a65a4978ca211a61 |
| SHA256 | ccf91418d870f791b53e35b0a225d2e9dd513eaa94692c2367646889a9d28756 |
| SHA512 | 8639a1ac5c2afaf039dd5375ced46d269e28985f40a0034a7163e0100272c42d5f1768c137cc23b63f6c7de6bd5c6199c6726ede51cd77765a5feb103f381e78 |
memory/2624-21-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2872-20-0x0000000002450000-0x00000000024B5000-memory.dmp
memory/2872-19-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 7b219b2c8d77e7e92245de9125f53c92 |
| SHA1 | 5199a73c6ec88ae7c27c6823b18f508c7faf5ec0 |
| SHA256 | e39d9d4e81abc046868debf89f81446a7243cfe6c00a4f87fc867d94cb85c451 |
| SHA512 | ed23ed80b4ab513340d727465ba1e9493b20b232430aa6b7095682eaaae187d27dd246b575f8defe8e2843b8471f5220d80addafb6d0ffa9216fcad06af05d08 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7fff969b6933374f793e3cd191a35bb7 |
| SHA1 | ea36c9d6dd4e48fd3c0b96398f83bb5b1a9a8efa |
| SHA256 | cb439bf92842080e78235482bfdc42f4581ebace30a5031bdf01e2ce58ecfe9d |
| SHA512 | fa0a0fe7b1dcf4bcb62a09eebe7cc5b1c16653cda81e9bc85a7d4f953e2420bb85f58dfc02507fc9df582f8b771fdf952241ddc22316c3eb2f9d43b2cdd90d47 |
\Users\Admin\AppData\Local\Temp\fyvot.exe
| MD5 | 446c77ded493d440b0549ad881793c40 |
| SHA1 | f79cd00e2b38cd3b89570c75a563c7a8af531dbf |
| SHA256 | b25d90f4a104817e5b19b8077b201f3776685a6423954127799e05b39979fbb8 |
| SHA512 | 9b3e3764002d6d382b52a087600c903efae0302b8f7aa8d189c6034fd75538d32a32c0673f3700d363b56c7c0921e226d84e205127ff8d3f0a604f6bcf39319a |
memory/1964-34-0x0000000000960000-0x00000000009F4000-memory.dmp
memory/1964-33-0x0000000000960000-0x00000000009F4000-memory.dmp
memory/1964-32-0x0000000000960000-0x00000000009F4000-memory.dmp
memory/1964-31-0x0000000000960000-0x00000000009F4000-memory.dmp
memory/2624-30-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1964-36-0x0000000000960000-0x00000000009F4000-memory.dmp
memory/1964-37-0x0000000000960000-0x00000000009F4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 16:43
Reported
2024-08-04 16:45
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
100s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fotef.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fotef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\goepf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\goepf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fotef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe
"C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe"
C:\Users\Admin\AppData\Local\Temp\fotef.exe
"C:\Users\Admin\AppData\Local\Temp\fotef.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\goepf.exe
"C:\Users\Admin\AppData\Local\Temp\goepf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.58.20.217.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/3648-0-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fotef.exe
| MD5 | 266ce12975d37282e16448aaca43fee0 |
| SHA1 | f4e3a0d4ddcd1639ddfc727e43bf1b95a038ebe5 |
| SHA256 | ff0d25ff837de684c5f3241e8ca7ad16069998c67170387286b9780494f05d85 |
| SHA512 | 848a4e9dddef931a889ec32f713c5aa3886530ebaeae5fd810fc50443ebf598711fbffd4b1b27f1847b4350f03ba8d93d878515844733279be6cf074d2cde6dc |
memory/3648-13-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 7b219b2c8d77e7e92245de9125f53c92 |
| SHA1 | 5199a73c6ec88ae7c27c6823b18f508c7faf5ec0 |
| SHA256 | e39d9d4e81abc046868debf89f81446a7243cfe6c00a4f87fc867d94cb85c451 |
| SHA512 | ed23ed80b4ab513340d727465ba1e9493b20b232430aa6b7095682eaaae187d27dd246b575f8defe8e2843b8471f5220d80addafb6d0ffa9216fcad06af05d08 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 57d7f32defd150eefd361f49f71c87c8 |
| SHA1 | 4933bb19a2c3690d3c669ee3af82e116a93c231e |
| SHA256 | a746a834e5eb73c8ea04859990378bb9866009bc007856dcbbd3ec7c828a1244 |
| SHA512 | ee2f76a0295d7b7cfe5a7841d60d5346c45a142fe0ae35634c9c6d4d957779d140cda3927d4d1101e9f2cdfcf2247a48dbac962025fd514b2c1ab11a9dc887a2 |
C:\Users\Admin\AppData\Local\Temp\goepf.exe
| MD5 | abb2be1bf5b0a5c3474f000e9c727f77 |
| SHA1 | b17e079433f282fd41a5af4c50919481e1203fcd |
| SHA256 | 41a0d07a46f216abfa6fe39db6c8f664f3444e39dbc37980593e0786cc810dec |
| SHA512 | 0dcd9b0c5c196cd5ef9344312452d5c70f280b9b6f95688ddcc1976aa8e775d5d4fb0be204792eef85337962801f5bc4092ad1758e0b1559e6e5634c3fd85867 |
memory/1120-23-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3392-27-0x0000000000F10000-0x0000000000FA4000-memory.dmp
memory/3392-28-0x0000000000F10000-0x0000000000FA4000-memory.dmp
memory/3392-26-0x0000000000F10000-0x0000000000FA4000-memory.dmp
memory/3392-25-0x0000000000F10000-0x0000000000FA4000-memory.dmp
memory/3392-30-0x0000000000F10000-0x0000000000FA4000-memory.dmp
memory/3392-31-0x0000000000F10000-0x0000000000FA4000-memory.dmp
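The indicators in the two behavioral runs above (the dropped-file hashes, the cmd /c "<Temp>\*.bat" self-delete step launched from a Temp-folder executable, and the KR/JP endpoints on TCP 11110/11170) can be turned into host-side detection logic. The following is an added example and is not part of the sandbox report or of any vendor tool: it runs a small matcher over constructed telemetry lines. The tab-separated line format, the field names (evt, image, parent, cmdline, dst_ip, dst_port, sha256) and the parent/child relationships in the sample lines are assumptions; only the hashes, IPs, ports and command lines are copied from the report.

```python
"""Added example (not from the sandbox report): match constructed host telemetry
against the indicators produced by the behavioral1/behavioral2 detonations."""
import re
from typing import Dict, List, Tuple

# Copied from the Network tables of both runs (ip, port).
C2_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}

# SHA256 of the dropped files listed in the Files sections of both runs.
DROPPED_SHA256 = {
    "ccf91418d870f791b53e35b0a225d2e9dd513eaa94692c2367646889a9d28756",  # nemuc.exe
    "b25d90f4a104817e5b19b8077b201f3776685a6423954127799e05b39979fbb8",  # fyvot.exe
    "ff0d25ff837de684c5f3241e8ca7ad16069998c67170387286b9780494f05d85",  # fotef.exe
    "41a0d07a46f216abfa6fe39db6c8f664f3444e39dbc37980593e0786cc810dec",  # goepf.exe
    "e39d9d4e81abc046868debf89f81446a7243cfe6c00a4f87fc867d94cb85c451",  # _uinsey.bat
}

# Process shape seen in both runs: an executable in the user's Temp folder, and
# cmd.exe /c "<Temp>\<name>.bat" (the self-delete step, _uinsey.bat in the report).
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
CMD_BAT = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"*[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.bat\b', re.I)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one tab-separated telemetry line (assumed format, not a real EDR schema)."""
    f = line.split("\t")
    if f[0] == "proc":
        return {"evt": "process_create", "image": f[1], "parent": f[2], "cmdline": f[3]}
    if f[0] == "net":
        return {"evt": "network_connect", "dst_ip": f[1], "dst_port": f[2]}
    if f[0] == "file":
        return {"evt": "file_create", "path": f[1], "sha256": f[2]}
    raise ValueError(f"unknown event kind: {f[0]!r}")


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches (empty list when benign)."""
    hits: List[str] = []
    if event["evt"] == "process_create":
        parent_in_temp = bool(TEMP_EXE.search(event.get("parent", "")))
        if parent_in_temp and CMD_BAT.search(event.get("cmdline", "")):
            hits.append("temp-exe spawns cmd /c <Temp>\\*.bat (self-delete step)")
        if parent_in_temp and TEMP_EXE.search(event.get("image", "")):
            hits.append("temp-exe spawns another temp-exe (dropped payload)")
    elif event["evt"] == "network_connect":
        if (event["dst_ip"], int(event["dst_port"])) in C2_ENDPOINTS:
            hits.append("connection to C2 endpoint listed in the report")
    elif event["evt"] == "file_create":
        if event["sha256"].lower() in DROPPED_SHA256:
            hits.append("dropped file hash listed in the report")
    return hits


def scan(log_text: str) -> List[Tuple[int, str]]:
    """Run classify() over every line; return (line number, indicator) pairs."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            findings.extend((n, hit) for hit in classify(parse_line(line)))
    return findings


# Constructed sample telemetry. Paths and command lines are those shown in the
# report; which process is the parent of which is an assumption for the sample.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("proc", r"C:\Users\Admin\AppData\Local\Temp\nemuc.exe",
     r"C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\nemuc.exe"'),
    ("proc", r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
    ("proc", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    ("net", "218.54.31.226", "11110"),
    ("net", "13.107.21.237", "443"),
    ("file", r"C:\Users\Admin\AppData\Local\Temp\fyvot.exe",
     "b25d90f4a104817e5b19b8077b201f3776685a6423954127799e05b39979fbb8"),
])

if __name__ == "__main__":
    for line_no, hit in scan(SAMPLE_LOG):
        print(f"line {line_no}: {hit}")
```

The registry reads of NLS\Language are deliberately not used as an indicator: the report shows cmd.exe itself opening that key, so it is far too generic to alert on. The file hashes will miss re-packed variants (the two runs already produced different dropped-file names and hashes), so the process-shape and C2 endpoint rules carry most of the value; treat the endpoint list as a point-in-time snapshot of the infrastructure seen on 2024-08-04.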