Analysis Overview
SHA256
0806050f56dfa091871908038662b48b0d2aa6926d14acd97a2d91afccd6de3f
Threat Level: Known bad
The file 75aceb1ee48238c11bb8bd60c884a2c0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
ASPack v2.12-2.42
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 07:09
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 07:09
Reported
2024-08-06 07:11
Platform
win7-20240729-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\povon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yzryg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75aceb1ee48238c11bb8bd60c884a2c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75aceb1ee48238c11bb8bd60c884a2c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\povon.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\povon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yzryg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75aceb1ee48238c11bb8bd60c884a2c0N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75aceb1ee48238c11bb8bd60c884a2c0N.exe
"C:\Users\Admin\AppData\Local\Temp\75aceb1ee48238c11bb8bd60c884a2c0N.exe"
C:\Users\Admin\AppData\Local\Temp\povon.exe
"C:\Users\Admin\AppData\Local\Temp\povon.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\yzryg.exe
"C:\Users\Admin\AppData\Local\Temp\yzryg.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1520-0-0x0000000000400000-0x0000000000871000-memory.dmp
\Users\Admin\AppData\Local\Temp\povon.exe
| MD5 | 5ee56a8422e427f810e5e70c680bd9fd |
| SHA1 | f1c00ead2f8e476135252e9b122d99166095c6e8 |
| SHA256 | d757d898668793b4487cace6f4de72fc56620f8f3de6f391e7714687edc07b93 |
| SHA512 | e7d1dc49f0eb22bf34b14b0b0e26c86fde9c5ff60fe03d64d4e0028994aae19ab6ead3c093e6e557948943da91db182d8040c0de0d31d5bae5d93eb05b033bc4 |
memory/1520-18-0x0000000003840000-0x0000000003CB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 0f0b69ad153f65c0c28fda5a153dd3a8 |
| SHA1 | a937476cde16d610fb0299c2a2e261a0e26f2b24 |
| SHA256 | 5e2123a9b17bf77af9c619e75b3e1caf19d14263ef8c19183cb1dddaeae502d4 |
| SHA512 | d918b901a2ec8be38a0f8d36e262a29258f2af045edb09b153b7f944a00807c7bbba93410862c9a5824eec871e1bbcee906a9a4aa643dec8de0caaebe697c24d |
memory/1520-20-0x0000000000400000-0x0000000000871000-memory.dmp
memory/1520-19-0x0000000003840000-0x0000000003CB1000-memory.dmp
memory/3008-22-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f5dc3525bf98aacc73edeb20603e8145 |
| SHA1 | 4672f5aa4db4c025de984d4edfbbc04f7cd31106 |
| SHA256 | 540835cf143447c69ddd6503402bfd8bc7fb9bab3662402f309f90089fc8f479 |
| SHA512 | 743bc47a3862a34ec148c8a1c9ea00f653bda47e1e9b6c1771009d8415769941e51476140ccce387b855cae9c7013227b6b31c2f97f8971848322238062de59c |
\Users\Admin\AppData\Local\Temp\yzryg.exe
| MD5 | 78a83640139b7ab405a600dc463f0b2e |
| SHA1 | b756413644854246ab8399fcaf265acff4524ee8 |
| SHA256 | 7fc50a65cc716c708ae511b692e94062566131db859e8fc38d5ad718cfe05af3 |
| SHA512 | c4241d50796871d4dbebe10b6dc55709ab1f183348b1a160f09b189abcbdc61f2d21380707af1849d76bf249cdb59844be0652432ff6dd1185ba7ed68f1ebcb2 |
memory/2120-33-0x00000000013D0000-0x0000000001464000-memory.dmp
memory/2120-32-0x00000000013D0000-0x0000000001464000-memory.dmp
memory/2120-35-0x00000000013D0000-0x0000000001464000-memory.dmp
memory/3008-34-0x0000000003600000-0x0000000003694000-memory.dmp
memory/2120-31-0x00000000013D0000-0x0000000001464000-memory.dmp
memory/3008-36-0x0000000000400000-0x0000000000871000-memory.dmp
memory/2120-38-0x00000000013D0000-0x0000000001464000-memory.dmp
memory/2120-39-0x00000000013D0000-0x0000000001464000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 07:09
Reported
2024-08-06 07:11
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\75aceb1ee48238c11bb8bd60c884a2c0N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gijos.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gijos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\riqyf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\riqyf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75aceb1ee48238c11bb8bd60c884a2c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gijos.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75aceb1ee48238c11bb8bd60c884a2c0N.exe
"C:\Users\Admin\AppData\Local\Temp\75aceb1ee48238c11bb8bd60c884a2c0N.exe"
C:\Users\Admin\AppData\Local\Temp\gijos.exe
"C:\Users\Admin\AppData\Local\Temp\gijos.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\riqyf.exe
"C:\Users\Admin\AppData\Local\Temp\riqyf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/3148-0-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gijos.exe
| MD5 | 1a013b889f1c3597bdf968996fb2f3ed |
| SHA1 | 444a845e25b6a1760f9e83aa90d12827ca3983cd |
| SHA256 | be51a9b1ba2b2d85d1d914db1ffbd6669b0bfc5e2edac29a6b8adaa03bca27f3 |
| SHA512 | 3999c8da49377092289dde2fda4f330e67e334da135923a5a0a8c0e972f5ceb9d3870fee544213208d024fb47edec605f197c397b6b82729e1350e6c7390959f |
memory/3148-13-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 0f0b69ad153f65c0c28fda5a153dd3a8 |
| SHA1 | a937476cde16d610fb0299c2a2e261a0e26f2b24 |
| SHA256 | 5e2123a9b17bf77af9c619e75b3e1caf19d14263ef8c19183cb1dddaeae502d4 |
| SHA512 | d918b901a2ec8be38a0f8d36e262a29258f2af045edb09b153b7f944a00807c7bbba93410862c9a5824eec871e1bbcee906a9a4aa643dec8de0caaebe697c24d |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | cd3463bcee8fb99d80b89cd2bce96daa |
| SHA1 | b66376b5f429ee174b2ba82135791b4696fe8e74 |
| SHA256 | 6d2fab13fc40d9e40607eb527a441d8a8a0de193a1d2e9de905874fd90e8e27e |
| SHA512 | 3c18314e56a3ef91020bca324c2a713a5c3da80721bb91d17a9a6712de23b22040d6483ba899021e850dfc9590cf7ab67f7816784897acaed952d0f2c5f6a61c |
C:\Users\Admin\AppData\Local\Temp\riqyf.exe
| MD5 | c8856e0d40620294c27d152575a13c9a |
| SHA1 | 5f8cad227742624e5fcc95206404a48cf5930a86 |
| SHA256 | 2c5b3fa01929a822a27a32ea3448f56928386cef835ae81ea21db76c0b57acf7 |
| SHA512 | d6c7be3fc6bc78ab8f9cae707fef76334f566522ea906bd2c625d838f3f6959a33f2c856d2d24ef9ca3899fe2df1a6d778c1106cb160f2ad65eeadca0005717e |
memory/1560-25-0x0000000000CF0000-0x0000000000D84000-memory.dmp
memory/1560-28-0x0000000000CF0000-0x0000000000D84000-memory.dmp
memory/1212-27-0x0000000000400000-0x0000000000871000-memory.dmp
memory/1560-24-0x0000000000CF0000-0x0000000000D84000-memory.dmp
memory/1560-26-0x0000000000CF0000-0x0000000000D84000-memory.dmp
memory/1560-30-0x0000000000CF0000-0x0000000000D84000-memory.dmp
memory/1560-31-0x0000000000CF0000-0x0000000000D84000-memory.dmp