Analysis Overview
SHA256
7cb3703b24aa27b37953f40f9775ef172cd309a90034cdc908564c57b47c3d20
Threat Level: Known bad
The file 7cb3703b24aa27b37953f40f9775ef172cd309a90034cdc908564c57b47c3d20 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-08 23:04
Signatures
Urelas family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-08 23:04
Reported
2024-08-08 23:06
Platform
win7-20240708-en
Max time kernel
149s
Max time network
117s
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kylev.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\apnay.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cb3703b24aa27b37953f40f9775ef172cd309a90034cdc908564c57b47c3d20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kylev.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kylev.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\apnay.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cb3703b24aa27b37953f40f9775ef172cd309a90034cdc908564c57b47c3d20.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7cb3703b24aa27b37953f40f9775ef172cd309a90034cdc908564c57b47c3d20.exe
"C:\Users\Admin\AppData\Local\Temp\7cb3703b24aa27b37953f40f9775ef172cd309a90034cdc908564c57b47c3d20.exe"
C:\Users\Admin\AppData\Local\Temp\kylev.exe
"C:\Users\Admin\AppData\Local\Temp\kylev.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\apnay.exe
"C:\Users\Admin\AppData\Local\Temp\apnay.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2372-0-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1e1684d490e322e46574121846e3329f |
| SHA1 | 4b7c1d989aa2e0b17ad9215c3b2677104c4a5212 |
| SHA256 | 3b25084f920bc287987c9693ed31eeff7c60e9cb12e7160c022554ac5ef75f78 |
| SHA512 | c1a18a07161aeed5429d46d51dfc247acc9296e87c5d440fd20588f8a156ea4d26bdecb8b05babfdb01212e85fa45f7b89050b72890050e57ce4099798a005fc |
C:\Users\Admin\AppData\Local\Temp\kylev.exe
| MD5 | b9cdf048057fa3a5b3eef2df15c8a454 |
| SHA1 | 341a22a11b3f9faa16bbf78c48dab513657aa1db |
| SHA256 | 45c694a85927f86819cea224d0ca5953cb1a3a25af1534031cc3fbae07e7a833 |
| SHA512 | c0835c5d205f8ce97a58d9a42c358f5ea631eddc214195fcc007d0541a6b0213bf4b6ce1395ccf02253122536e9e9cadac34c474f08596a395cbc3452913656a |
memory/2372-16-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2652-18-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2372-17-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 521821e61b73ae0143da4cca32dff135 |
| SHA1 | 9ced13db7af3a85e64c0fdf0be9918ece3aa4632 |
| SHA256 | cc826d234c9c7de9df89a21f48f4b47ef6c798e1f09f71fd8258d2bc4f20da4d |
| SHA512 | 44b4ce13d184ca3d4c3a85d418c10dd3205e6c074309ac0c6e039c077449ba256931c57e1662ac0a1186b11507bdf8d2db397e7eaa86f615fe6b1557d7426097 |
memory/2652-21-0x0000000000400000-0x00000000004B6000-memory.dmp
\Users\Admin\AppData\Local\Temp\apnay.exe
| MD5 | 0ab02937e0586718f158f06bda6d72e3 |
| SHA1 | f24bb6920448e8b7b60c7996ce6daa6ced8a188c |
| SHA256 | 867fe2a83b5eb48a81443fdd3a3d173e9dcf868629134f07df63ec6ab6221a5d |
| SHA512 | 05fa6b12c59e410107a6f76390c4ef46c697842138237db6d46729e36aa4f64e07ac4b6a7d8a7b6779ee0aac53a8b5dcc360e97412e0e70c2aa7ba821750763f |
memory/2428-30-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2652-29-0x0000000003420000-0x00000000034B4000-memory.dmp
memory/2652-28-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2428-32-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2428-33-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2428-34-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2428-35-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2428-36-0x0000000000400000-0x0000000000494000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-08 23:04
Reported
2024-08-08 23:06
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
95s
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7cb3703b24aa27b37953f40f9775ef172cd309a90034cdc908564c57b47c3d20.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\boten.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\boten.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\veloc.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cb3703b24aa27b37953f40f9775ef172cd309a90034cdc908564c57b47c3d20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\boten.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\veloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7cb3703b24aa27b37953f40f9775ef172cd309a90034cdc908564c57b47c3d20.exe
"C:\Users\Admin\AppData\Local\Temp\7cb3703b24aa27b37953f40f9775ef172cd309a90034cdc908564c57b47c3d20.exe"
C:\Users\Admin\AppData\Local\Temp\boten.exe
"C:\Users\Admin\AppData\Local\Temp\boten.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\veloc.exe
"C:\Users\Admin\AppData\Local\Temp\veloc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4960-0-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\boten.exe
| MD5 | a01fbd52bbf8897a7d22daed0c9f3981 |
| SHA1 | cc353c9078fbaffd60e4333035938705ff65642f |
| SHA256 | c016b2b2d5b11fe68a3c4bebc11cfd81a8dc76c92a6e2e6c4dde13eb1044b9d8 |
| SHA512 | 44e38618e111f869194080bff47f2ed31ba36053dcd3c32ac3fa83d0d9d42df9262ef9f547dd9c722f9efa84381367568962254d16be4e94846a6fe8adda8039 |
memory/4880-10-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/4960-14-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1e1684d490e322e46574121846e3329f |
| SHA1 | 4b7c1d989aa2e0b17ad9215c3b2677104c4a5212 |
| SHA256 | 3b25084f920bc287987c9693ed31eeff7c60e9cb12e7160c022554ac5ef75f78 |
| SHA512 | c1a18a07161aeed5429d46d51dfc247acc9296e87c5d440fd20588f8a156ea4d26bdecb8b05babfdb01212e85fa45f7b89050b72890050e57ce4099798a005fc |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b5f11e8b93dd9fb0f00a0e5aac2ad4f4 |
| SHA1 | 94d8f447f374043053457a0a2bb19195c9112268 |
| SHA256 | 247fb1e938b6661c9423f59496c8a1d77a42c3ede40f872d68c529bc79998136 |
| SHA512 | b22db85f490f7025cc441887e74cea66ea46d1500889cae758362845d4eee44cea522756c8c459ff2b0bf771efd31e0ae72106afcd208a1fde373dc7d23200b2 |
memory/4880-17-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\veloc.exe
| MD5 | f40306db49ef048f9060812a78587e97 |
| SHA1 | c0e03b1c88a41f2d89c0e8066fe99d9b9b1036dc |
| SHA256 | 182ebfb687f8182487b376c6c8b2c0d17706533a77ed5d5b729bb788837e06ed |
| SHA512 | ed5547e82699e1b37f79c356f8a7c8b8fb6e92fd72fd7caf4fbc0b25365f6f28f7fb4f64c5f92f0179554df911692b4ce1bbc57d728619213df901dc366174ec |
memory/4880-26-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/4044-28-0x00000000001D0000-0x00000000001D2000-memory.dmp
memory/4044-27-0x0000000000400000-0x0000000000494000-memory.dmp
memory/4044-30-0x0000000000400000-0x0000000000494000-memory.dmp
memory/4044-31-0x0000000000400000-0x0000000000494000-memory.dmp
memory/4044-32-0x0000000000400000-0x0000000000494000-memory.dmp
memory/4044-33-0x0000000000400000-0x0000000000494000-memory.dmp
memory/4044-34-0x0000000000400000-0x0000000000494000-memory.dmp