Analysis Overview
SHA256
83a594333466429e810afd7730560b18526268947c910b98fa9c9fc18e4c11a4
Threat Level: Known bad
The file 67b258544c4beceb97c8c88eb74682c0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
ASPack v2.12-2.42
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-05 07:44
Signatures
Urelas family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 07:44
Reported
2024-08-05 07:46
Platform
win7-20240704-en
Max time kernel
120s
Max time network
84s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vasoa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\betoz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67b258544c4beceb97c8c88eb74682c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67b258544c4beceb97c8c88eb74682c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vasoa.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\67b258544c4beceb97c8c88eb74682c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vasoa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\betoz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\67b258544c4beceb97c8c88eb74682c0N.exe
"C:\Users\Admin\AppData\Local\Temp\67b258544c4beceb97c8c88eb74682c0N.exe"
C:\Users\Admin\AppData\Local\Temp\vasoa.exe
"C:\Users\Admin\AppData\Local\Temp\vasoa.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\betoz.exe
"C:\Users\Admin\AppData\Local\Temp\betoz.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2460-0-0x0000000000400000-0x0000000000871000-memory.dmp
\Users\Admin\AppData\Local\Temp\vasoa.exe
| MD5 | 04dc4bff88cb1e39d6ae5a76cf16895b |
| SHA1 | 431f559c979178fcbeeebcc2caba29d2aaec5ce1 |
| SHA256 | 85c60c07dc9f0d59dbc3af5e25eaa68e7903c1c82b67ea02f22f65b18f560bc1 |
| SHA512 | 838d87827c08e24c9cc1bef6b1eb1b777373c2aa1291faf0e139c4c38d4c0ec8c745ef2f30c908e830fb57a62c5e106e2c6bcbb07555980bb8b85f436796fa0f |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 7ef65915eb287bf86422171081dcb190 |
| SHA1 | 3a7d399627e8b2f9e3bcb75865018ded2b685e28 |
| SHA256 | 60c5ba8211a9b0058c2e2d9a294457b93508cac3debf7733899a2a6b17c1140d |
| SHA512 | e2cdcb231d5afabc8a149cb74ec7701b5e1630200235ed2cbe27bbdf25becfa231807d8ee000328f9859bcb3da31869b91e7b391960dc0b428d6db52d7ea33f0 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | d60bc84d072cae1a8b501460795af677 |
| SHA1 | 795dd9eb54a6a35a48a6c23be822c9b8e66e8261 |
| SHA256 | bb6ea885d999ca5a8f3a0fad06f92cedd41ec89d6100e4fc438a4767abf91f0f |
| SHA512 | 83cd7f1cefd44e4087760104c925eccc0d91b67eeacb50435f62a93a7cd95f7765309acac8deac99e0977595f07b4350ee77a85fc3d43a35bfb7ed9620c5224f |
\Users\Admin\AppData\Local\Temp\betoz.exe
| MD5 | 0bf1ba2c9b8b1edd94c4e127a3be9279 |
| SHA1 | 28b69d3e306cb5fc17d773e7804c466d3381fce2 |
| SHA256 | 35abc8587a76e8a921749e08955893fe24e7a94e841fa9582a5f869c035183c7 |
| SHA512 | 15fa6c1adfe9a60b00993660779907373d6a24014b1dacb49fd6b70bfd6224206c3d033d70bcbcd06745f8030fd2fff6af111b83f6a14f63bdaeabc56ef6e28b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 07:44
Reported
2024-08-05 07:46
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\67b258544c4beceb97c8c88eb74682c0N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\liget.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\liget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyuns.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\67b258544c4beceb97c8c88eb74682c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\liget.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nyuns.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\67b258544c4beceb97c8c88eb74682c0N.exe
"C:\Users\Admin\AppData\Local\Temp\67b258544c4beceb97c8c88eb74682c0N.exe"
C:\Users\Admin\AppData\Local\Temp\liget.exe
"C:\Users\Admin\AppData\Local\Temp\liget.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\nyuns.exe
"C:\Users\Admin\AppData\Local\Temp\nyuns.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/4640-0-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\liget.exe
| MD5 | 9e6b42ae31736456f7e1b4d24879afc8 |
| SHA1 | 2215cfb874b9cd503ad1682ba1f013debcb5b8e2 |
| SHA256 | 9f47ae5f35ddd4f5be502ee63ff883ad6b88cad12022288fe175987a57f8408b |
| SHA512 | b4a4074c93145f47f6651fb265ac2e652b1d391db69571a59838fc70a6496e916a02a9e92b273fe4ea5eabd899f8179551cf7c91b66756126e7a5749933d4aa4 |
memory/4828-12-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 7ef65915eb287bf86422171081dcb190 |
| SHA1 | 3a7d399627e8b2f9e3bcb75865018ded2b685e28 |
| SHA256 | 60c5ba8211a9b0058c2e2d9a294457b93508cac3debf7733899a2a6b17c1140d |
| SHA512 | e2cdcb231d5afabc8a149cb74ec7701b5e1630200235ed2cbe27bbdf25becfa231807d8ee000328f9859bcb3da31869b91e7b391960dc0b428d6db52d7ea33f0 |
memory/4640-15-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e5c4fdffe94b8af1b1325f33a2f1a6ff |
| SHA1 | 5617fa8353ec96462f3d7a95fa29fba64798c8dc |
| SHA256 | 69ef296395f6e43cb9d272d6c58da45dd618d77fbc305a61b34e27b737f1ae3a |
| SHA512 | 30f8f90a23382835eb17dd0481340f6e71a43d9ba002c8e0bcad4e3b4cf558a35bd9ce3432ab02ee01c1dad938d509adff5c14baec5924f4eca1b2131a28f4a1 |
C:\Users\Admin\AppData\Local\Temp\nyuns.exe
| MD5 | 62fa2bf9ee3db80e23d34663245f41b7 |
| SHA1 | 4572f008895553736707cd089cbe1a5e3e20a8dc |
| SHA256 | cccd1ef81d60d31101dd6985165514c0428e764eea1a1cc206c294fd7c0901e2 |
| SHA512 | ad46108081249964a58b17b59631f26882adcc352d22eb8457a0cc91b70e302373c775b05c94e8897b60c71ac0b7ea185550febe56e0a989780a730a790acd6a |