Analysis Overview
SHA256
bd6338278e91a2f1c3ee4857c69899640d897a120ae9764759fc9ad2c8b9b78d
Threat Level: Known bad
The file 808c54e52e59237255aff6d34511a760N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
UPX packed file
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 08:19
Signatures
Urelas family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 08:19
Reported
2024-08-06 08:21
Platform
win7-20240708-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\herix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qysyi.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\808c54e52e59237255aff6d34511a760N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\herix.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\808c54e52e59237255aff6d34511a760N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\herix.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qysyi.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\808c54e52e59237255aff6d34511a760N.exe
"C:\Users\Admin\AppData\Local\Temp\808c54e52e59237255aff6d34511a760N.exe"
C:\Users\Admin\AppData\Local\Temp\herix.exe
"C:\Users\Admin\AppData\Local\Temp\herix.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\qysyi.exe
"C:\Users\Admin\AppData\Local\Temp\qysyi.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2076-0-0x0000000000400000-0x00000000004B6000-memory.dmp
\Users\Admin\AppData\Local\Temp\herix.exe
| MD5 | 799161409952a7edfce338875f96fa3f |
| SHA1 | 9c6f6933e06e3a97e6301fe17fa9f85434e3bfdc |
| SHA256 | 59ceac4f257288c9859f0e22834c892fc87204740149e295bb64a4beaf996dbe |
| SHA512 | 5261374e7b7391dfb6f9cde1c001e7c22d3b1ccac67e7a182aa3b0275b923dad287fbd7227b98742ffa45f8c4964d0d826622c51e24c285ef402ad10f0bc6a10 |
memory/2076-8-0x0000000002550000-0x0000000002606000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | b04098617867c9bef45e960e20db46be |
| SHA1 | 60c9312e22d0d96a506eb0b5dde890bc7118f04a |
| SHA256 | 99c9f776d3efb8b852b3c6648bbb53dc6e0b5d40d0fb81630d24f893cef57a81 |
| SHA512 | 342737c82e83b704a4319fc08b77eb4b91061e14da674a6ed16d46d8164841161bf40dd83820210dc10209ae0ce6d98e3712874f8af434e452c58d39bc19d9c1 |
memory/2280-17-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2076-18-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 93ad622e3c8281d2cd15678d95385357 |
| SHA1 | ad629324e78aa1f267721b0514fbad36bd81071c |
| SHA256 | daf4b7ee404caf409f06ef55ea3dae0bb1be3b3ba08a3e5fda9b24478254a9ae |
| SHA512 | 6b437bb3c3876ebb93b7e0cd51f7d253bc2271bc5ab95122bd10187252c4cb947775184e628ddfd9948640c0c61e4cec2f26b832c186f096bf9d03e44e90707b |
memory/2280-21-0x0000000000400000-0x00000000004B6000-memory.dmp
\Users\Admin\AppData\Local\Temp\qysyi.exe
| MD5 | 56056d70240329c4d50afd3b093ad0c5 |
| SHA1 | 335f1a427cb6cc98a83afc74e6f7b4884a39946c |
| SHA256 | 95436c0daa86e28558980428e5a4b5d288c4b235ed64867756ed392d76b53279 |
| SHA512 | cd7cf23d27b800f50fe3656b9c74e7af8e2de083f409d2cf42fdeea35e9296aebf70d6b46d01303ed475b7e7c9a99f92a8010a15ea2e946ea7023116ecde17fb |
memory/1048-29-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2280-28-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/1048-31-0x0000000000400000-0x0000000000494000-memory.dmp
memory/1048-32-0x0000000000400000-0x0000000000494000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 08:19
Reported
2024-08-06 08:21
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
102s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\808c54e52e59237255aff6d34511a760N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qobuv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qobuv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rusum.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\808c54e52e59237255aff6d34511a760N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qobuv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rusum.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\808c54e52e59237255aff6d34511a760N.exe
"C:\Users\Admin\AppData\Local\Temp\808c54e52e59237255aff6d34511a760N.exe"
C:\Users\Admin\AppData\Local\Temp\qobuv.exe
"C:\Users\Admin\AppData\Local\Temp\qobuv.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\rusum.exe
"C:\Users\Admin\AppData\Local\Temp\rusum.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/696-0-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qobuv.exe
| MD5 | c245b3e9514fdbd11352c9b4dcb968de |
| SHA1 | 8798d2e78d43a3a4b79c57deef5d78e359edf7a8 |
| SHA256 | d73aebb4cce9e4cc89affd6b531eaedb90a9cdbdc68379bbaba2992fd9bf320e |
| SHA512 | 4c9a1cae5bc746a8bb70ccdb434de26be490b3c43a58bdcdd6e420a8a56ba0c077f26020e6da7a9ab5823f9f9d62721eba1039da6b6639ce578318b5ff3fb5a9 |
memory/3232-11-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/696-14-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | b04098617867c9bef45e960e20db46be |
| SHA1 | 60c9312e22d0d96a506eb0b5dde890bc7118f04a |
| SHA256 | 99c9f776d3efb8b852b3c6648bbb53dc6e0b5d40d0fb81630d24f893cef57a81 |
| SHA512 | 342737c82e83b704a4319fc08b77eb4b91061e14da674a6ed16d46d8164841161bf40dd83820210dc10209ae0ce6d98e3712874f8af434e452c58d39bc19d9c1 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1f8d7c4bfb95580df2e0c19daab9f99d |
| SHA1 | b277bd8580b404e19ac5888fae386627529d604a |
| SHA256 | a2b7ff16e62c2fce6e18215af485cb6061f98640b202d8635ef29249c505cea8 |
| SHA512 | dd28543ba767459517f140c00b04a7d40c0d4c275c5a30a5b563e9e2db1c9c357c01567d3bb27f23026e4d386bef29507f4c322e5c9f5d0cb817147294d857a4 |
memory/3232-17-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rusum.exe
| MD5 | 664fa9b8a801fdca79f78e5cb73a2f14 |
| SHA1 | a8ae4e67a862d165d2ce3a55a00cae30773f1353 |
| SHA256 | 07129a2feba13cb8ec96be5eda062d4e509848d4219065d9e976298fc8dc79a8 |
| SHA512 | 967d2839dabada2b9cb2a4609bd30ca2f12421926532a669128b054c64d300338b3f726cc0bfc76b2c3b0a4817feaecea81b52e75d7e86591c3da683d390144b |
memory/3232-26-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/1992-28-0x00000000001D0000-0x00000000001D2000-memory.dmp
memory/1992-27-0x0000000000400000-0x0000000000494000-memory.dmp
memory/1992-30-0x0000000000400000-0x0000000000494000-memory.dmp
memory/1992-31-0x0000000000400000-0x0000000000494000-memory.dmp