Analysis Overview
SHA256
aa7c2eb9b169f65bd19c5ab338e6d7d363508693f0799549278102cc5d810f4b
Threat Level: Known bad
The file d238deae281f52410d2d9d3afff9a640N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Checks computer location settings
ASPack v2.12-2.42
Deletes itself
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 17:20
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 17:20
Reported
2024-08-06 17:22
Platform
win7-20240708-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quhof.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wonor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d238deae281f52410d2d9d3afff9a640N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d238deae281f52410d2d9d3afff9a640N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quhof.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quhof.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wonor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d238deae281f52410d2d9d3afff9a640N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d238deae281f52410d2d9d3afff9a640N.exe
"C:\Users\Admin\AppData\Local\Temp\d238deae281f52410d2d9d3afff9a640N.exe"
C:\Users\Admin\AppData\Local\Temp\quhof.exe
"C:\Users\Admin\AppData\Local\Temp\quhof.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\wonor.exe
"C:\Users\Admin\AppData\Local\Temp\wonor.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2296-0-0x0000000000400000-0x0000000000871000-memory.dmp
\Users\Admin\AppData\Local\Temp\quhof.exe
| MD5 | 25479bffd225b63648161e9bdb988b6d |
| SHA1 | 3908eecc00f73deb153127b331ecfa8253ba65c4 |
| SHA256 | 9083712c81bf527280d7754849b668810c409d9fe6d575b389e4ec5f7acb9434 |
| SHA512 | 41d8a607377ad41f4b3907afebcb7bce59e8a2b2138c3ec9ef5b53e8aa36a3c6eb0f0735ad43bbc10e79cc102266e51e238ef10f09bbd57361dd25610bf736dd |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 87fe60f5551929f841751e1d4bdf55a5 |
| SHA1 | 78f165d580157c421a62c94708e2f00dce6ef39b |
| SHA256 | 92dbc167576d56ed3b2f8948aa5f27e6cb51131b5583273df2b089f05b17ec42 |
| SHA512 | 00f9d587f5c2dc3a57a83781cfdba8275c33efa4856f04a83c175bb2e87324996f45eebde0d49360f06c0bacddc52f36524932a43c17bbe9a86de2db330e06d7 |
memory/2296-19-0x0000000003800000-0x0000000003C71000-memory.dmp
memory/2024-20-0x0000000000400000-0x0000000000871000-memory.dmp
memory/2296-21-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 78e15b96c00aa07e1add11521a2b2b5b |
| SHA1 | 3f6a8e375ea1597a8f34b1231a33f558763f7339 |
| SHA256 | 6b7f28de31ea8fc50e8649c0bec65b45119215ed3ab92bd0bea45fc9927a298d |
| SHA512 | 46fb63312354a40ec7c2ca4bd13dee26c1147f1ae83641bd73a241ee4f3213fb10ffa352d55ef8ae8c8969d3d899af5dd90d2990ecde29f34ddfffc6205175d0 |
\Users\Admin\AppData\Local\Temp\wonor.exe
| MD5 | e51a5bf36cac7dc975438fe43f967fcb |
| SHA1 | b082cd4eb171ebf0dac654e8b1ba9f26f65fcf46 |
| SHA256 | 5f00c797b3b3bddc09ff2289b3abca3bf65a01805dd164f0d0a5da532a56633c |
| SHA512 | f775035b6f2d0286d2d5a410bafe6b39c66ab0357552af8c99fedde11de9d6b2866c22ef4423e83ea5caecbaa0de9b6f01872cb9d3b484a81581cf3f0d226e53 |
memory/2024-29-0x0000000000400000-0x0000000000871000-memory.dmp
memory/2424-31-0x0000000000A40000-0x0000000000AD4000-memory.dmp
memory/2424-32-0x0000000000A40000-0x0000000000AD4000-memory.dmp
memory/2424-33-0x0000000000A40000-0x0000000000AD4000-memory.dmp
memory/2424-34-0x0000000000A40000-0x0000000000AD4000-memory.dmp
memory/2424-36-0x0000000000A40000-0x0000000000AD4000-memory.dmp
memory/2424-37-0x0000000000A40000-0x0000000000AD4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 17:20
Reported
2024-08-06 17:22
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
116s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\icvow.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d238deae281f52410d2d9d3afff9a640N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\icvow.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hefuk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hefuk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d238deae281f52410d2d9d3afff9a640N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\icvow.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d238deae281f52410d2d9d3afff9a640N.exe
"C:\Users\Admin\AppData\Local\Temp\d238deae281f52410d2d9d3afff9a640N.exe"
C:\Users\Admin\AppData\Local\Temp\icvow.exe
"C:\Users\Admin\AppData\Local\Temp\icvow.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\hefuk.exe
"C:\Users\Admin\AppData\Local\Temp\hefuk.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.58.20.217.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4788-0-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\icvow.exe
| MD5 | cabc366334d99e110437ecdf9e90063d |
| SHA1 | 37fc698f3fdd597d1bc94a27867bca4c827df3fe |
| SHA256 | e350d181607851e4872993a84cda7e277eb0e7bbedf9b5f69d8a03b4afc128d7 |
| SHA512 | 0184ddd4233e91c829eb6d38d53bf31759891f430cd283c0d51227d88c2cd05adf2b5c994a10687b360d6c437f493f72c676bb38d96ccb2234420e093663c09d |
memory/2160-13-0x0000000000400000-0x0000000000871000-memory.dmp
memory/4788-14-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 87fe60f5551929f841751e1d4bdf55a5 |
| SHA1 | 78f165d580157c421a62c94708e2f00dce6ef39b |
| SHA256 | 92dbc167576d56ed3b2f8948aa5f27e6cb51131b5583273df2b089f05b17ec42 |
| SHA512 | 00f9d587f5c2dc3a57a83781cfdba8275c33efa4856f04a83c175bb2e87324996f45eebde0d49360f06c0bacddc52f36524932a43c17bbe9a86de2db330e06d7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 5f115bb2d9713308b4beb557656df294 |
| SHA1 | 5dd362c689efeeab59f488f419848d6bde365307 |
| SHA256 | a3ca2a0add8520217d0198c6a3ae0dc836843b9a0f4268df321919320a6f2d14 |
| SHA512 | f23557b6ae65350887eb346c2ba8cbfde6cedf093dc9d82eba35c6318cff0ae934c2d9b0242c47a34aef88032565e507eaffb3efa8871ba3fbbae06c99ebcc18 |
C:\Users\Admin\AppData\Local\Temp\hefuk.exe
| MD5 | ba613aaac789072d80fd8cfc5da45021 |
| SHA1 | 5c631a5eb7c1a171f39191d0b35b93f10799ff18 |
| SHA256 | 2e0958a80d80843dc2fb996279249135683c2497641f8978a3a0542336e0b395 |
| SHA512 | 4240d80459dd76da9d7e0d544d176fd2331507a138849399750e2a115fd3fa6fd586efcdff2c19d9d05358c7aa03c58dc2a4e9fa644d0b22cabcc4d260298277 |
memory/2160-28-0x0000000000400000-0x0000000000871000-memory.dmp
memory/4512-27-0x0000000000550000-0x00000000005E4000-memory.dmp
memory/4512-26-0x0000000000550000-0x00000000005E4000-memory.dmp
memory/4512-25-0x0000000000550000-0x00000000005E4000-memory.dmp
memory/4512-29-0x0000000000550000-0x00000000005E4000-memory.dmp
memory/4512-31-0x0000000000550000-0x00000000005E4000-memory.dmp
memory/4512-32-0x0000000000550000-0x00000000005E4000-memory.dmp
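Detection logic for the behaviour chain the two detonations above document: the sample drops a five-letter-named EXE into the user's Temp directory and executes it, runs `cmd /c` on `_uinsey.bat` from Temp (the step the report tags as "Deletes itself"), and the dropped process opens TCP connections to the listed KR/JP endpoints on ports 11110 and 11170. This is an added example written for this page, not code from the sandbox or the report. The Sysmon-style event format, the field names and the PID/parent relationships are constructed for illustration; the hashes, paths and destination addresses are taken from the report's Processes, Files and Network sections.

```python
"""Match process-creation and network events against the Urelas chain from the report.

Event shape (an assumption, loosely modelled on Sysmon EID 1 and EID 3):
  {"type": "process", "pid", "ppid", "image", "cmdline", "sha256"?}
  {"type": "network", "pid", "dst_ip", "dst_port"}
"""
import re
from dataclasses import dataclass

# SHA256 of the dropped artefacts listed in the report's Files sections.
KNOWN_SHA256 = {
    "9083712c81bf527280d7754849b668810c409d9fe6d575b389e4ec5f7acb9434": "quhof.exe",
    "5f00c797b3b3bddc09ff2289b3abca3bf65a01805dd164f0d0a5da532a56633c": "wonor.exe",
    "e350d181607851e4872993a84cda7e277eb0e7bbedf9b5f69d8a03b4afc128d7": "icvow.exe",
    "2e0958a80d80843dc2fb996279249135683c2497641f8978a3a0542336e0b395": "hefuk.exe",
    "92dbc167576d56ed3b2f8948aa5f27e6cb51131b5583273df2b089f05b17ec42": "_uinsey.bat",
}
# TCP destinations contacted in both detonations (Network sections).
C2_ENDPOINTS = {("218.54.31.226", 11110), ("1.234.83.146", 11170),
                ("218.54.31.165", 11110), ("133.242.129.155", 11110)}
C2_PORTS = {11110, 11170}

# Five-letter random EXE name directly under the user's Temp directory (quhof/wonor/icvow/hefuk).
TEMP_EXE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[a-z]{5}\.exe$", re.I)
# cmd /c on a quoted .bat path; the report shows both `cmd /c` and a full system32 path.
CMD_BAT = re.compile(r'cmd(?:\.exe)? /c "+([^"]+\.bat)"', re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def detect_urelas_chain(events):
    """Return one Finding per matched rule; the caller decides what the set means."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        img = p["image"]
        if TEMP_EXE.match(img):
            src = parent["image"] if parent else "?"
            findings.append(Finding("temp_dropped_exe", p["pid"], f"{src} -> {img}"))
        m = CMD_BAT.search(p.get("cmdline", ""))
        if img.lower().endswith("\\cmd.exe") and m and "\\temp\\" in m.group(1).lower():
            findings.append(Finding("temp_batch_via_cmd", p["pid"], m.group(1)))
        name = KNOWN_SHA256.get(p.get("sha256", "").lower())
        if name:
            findings.append(Finding("known_hash", p["pid"], name))
    for e in events:
        if e["type"] != "network":
            continue
        key = (e["dst_ip"], e["dst_port"])
        if key in C2_ENDPOINTS:
            findings.append(Finding("known_c2", e["pid"], f"{key[0]}:{key[1]}"))
        elif e["dst_port"] in C2_PORTS:
            findings.append(Finding("c2_port", e["pid"], f"{key[0]}:{key[1]}"))
    return findings


def verdict(findings):
    """Collapse findings into a verdict: full chain plus beacon, partial chain, or nothing."""
    rules = {f.rule for f in findings}
    chain = {"temp_dropped_exe", "temp_batch_via_cmd"} <= rules
    beacon = bool(rules & {"known_c2", "c2_port"})
    if chain and beacon:
        return "urelas_chain"
    if chain or "known_hash" in rules or "known_c2" in rules:
        return "suspicious"
    return "clean"


# Constructed events modelled on the behavioral1 process tree; PIDs are illustrative only.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2296, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\d238deae281f52410d2d9d3afff9a640N.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\d238deae281f52410d2d9d3afff9a640N.exe"'},
    {"type": "process", "pid": 2024, "ppid": 2296,
     "image": r"C:\Users\Admin\AppData\Local\Temp\quhof.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\quhof.exe"',
     "sha256": "9083712c81bf527280d7754849b668810c409d9fe6d575b389e4ec5f7acb9434"},
    {"type": "process", "pid": 2400, "ppid": 2296,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"type": "process", "pid": 2424, "ppid": 2024,
     "image": r"C:\Users\Admin\AppData\Local\Temp\wonor.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\wonor.exe"'},
    {"type": "network", "pid": 2024, "dst_ip": "218.54.31.226", "dst_port": 11110},
    {"type": "network", "pid": 2024, "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    found = detect_urelas_chain(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:20} pid={f.pid} {f.detail}")
    print("verdict:", verdict(found))
```

The hash and endpoint lists are the brittle part: the dropped file names and the second detonation's hashes already differ between the two runs, so the behavioural rules (Temp-resident five-letter EXE, `cmd /c` on a Temp batch file, outbound TCP on 11110/11170) are what carry the detection once the sample is rebuilt. The `c2_port` rule is kept separate from `known_c2` so that a port-only hit does not by itself escalate the verdict.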