Analysis Overview
SHA256
83ea4e985d08999f5cbbca213343bb5e27eeb20f5d340a69dc12aba0c3bc52f1
Threat Level: Known bad
The file 83ea4e985d08999f5cbbca213343bb5e27eeb20f5d340a69dc12aba0c3bc52f1 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Checks computer location settings
Deletes itself
Executes dropped EXE
UPX packed file
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-10 23:35
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-10 23:35
Reported
2024-08-10 23:38
Platform
win7-20240705-en
Max time kernel
148s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fyfuu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vojito.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83ea4e985d08999f5cbbca213343bb5e27eeb20f5d340a69dc12aba0c3bc52f1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83ea4e985d08999f5cbbca213343bb5e27eeb20f5d340a69dc12aba0c3bc52f1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fyfuu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fyfuu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vojito.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vojito.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\83ea4e985d08999f5cbbca213343bb5e27eeb20f5d340a69dc12aba0c3bc52f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fyfuu.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywea.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83ea4e985d08999f5cbbca213343bb5e27eeb20f5d340a69dc12aba0c3bc52f1.exe
"C:\Users\Admin\AppData\Local\Temp\83ea4e985d08999f5cbbca213343bb5e27eeb20f5d340a69dc12aba0c3bc52f1.exe"
C:\Users\Admin\AppData\Local\Temp\fyfuu.exe
"C:\Users\Admin\AppData\Local\Temp\fyfuu.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\vojito.exe
"C:\Users\Admin\AppData\Local\Temp\vojito.exe" OK
C:\Users\Admin\AppData\Local\Temp\vywea.exe
"C:\Users\Admin\AppData\Local\Temp\vywea.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1596-2-0x0000000000400000-0x0000000000526000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fyfuu.exe
| MD5 | 417ed784d7d634654548998e2ca50374 |
| SHA1 | a8670526131301d72103052ac63093749efc2a9e |
| SHA256 | eea3cc53f89cbd01ab04483a2371995179ef7fc2307fdca6b5f1f6f2a3fa55c7 |
| SHA512 | 356beec89e7ee85abe8a20293eb2bc050826fc9cccbb0ec11b42f4b4c552958b5f5b25aa31f6c93ed444eb07b6eef628d92a15834511c0a0f3870ab602931e83 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 56edd54d9af4990f019b6e60f2ad5eb7 |
| SHA1 | cd7cea3f13793ea8074f03475f45d6190275907e |
| SHA256 | b34c86699c3b13e8b875301f93d64b66567d730ab8cdb08c766524955b983610 |
| SHA512 | bf67c76246a2856bbf6cf2664fc50b5912b8dbca38cb0a4da15f184e31264e5eeb26061b40192ca9e6253e96e2a9bb9d61829655921c56e0e16909ed724c4a81 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 47bb2fc87bdf52e693f570d449f58dcd |
| SHA1 | 5b1aef0584d6eb87a7fdc131d9fc3c32b3573a44 |
| SHA256 | 7c53305cee1c6b8dc2195960ae50278d4f58c5c1f49bb5e2dd0fc058bf9b1a0c |
| SHA512 | 413ef028ca1b67f4ac809ca03335f6936d24f2ae87fa363e044a01c103a93ecf854366fc526594db26e5a0eaf9a9cfa2e2ce02af868a7b777d979e88bba92650 |
memory/1596-21-0x0000000000400000-0x0000000000526000-memory.dmp
memory/1596-13-0x0000000002E20000-0x0000000002F46000-memory.dmp
memory/2316-25-0x0000000000400000-0x0000000000526000-memory.dmp
memory/2316-33-0x0000000003770000-0x0000000003896000-memory.dmp
memory/2776-36-0x0000000000400000-0x0000000000526000-memory.dmp
memory/2316-35-0x0000000000400000-0x0000000000526000-memory.dmp
memory/2776-51-0x0000000000400000-0x0000000000526000-memory.dmp
memory/2776-52-0x0000000003EB0000-0x0000000004049000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | e3b3557157ceb47292e14b0b4a39a8d5 |
| SHA1 | 4ae5d617e999b7a2ddc10ee3849f92412f5e4a6d |
| SHA256 | 3835bc5add72791e9f8995928fe1f322327d092c4ce6cb9e1ad02ef66d4a36c1 |
| SHA512 | 196fe481295fe85328473ad34d486f71c3939004c3b114f6b5e3ec1fdb61cba380a00a3a45646c8f12a5c34e85fdcdc57fb705d937411f16cac573ab74588ef3 |
C:\Users\Admin\AppData\Local\Temp\vywea.exe
| MD5 | 92f74d9b002cb12ab91991a88ffae622 |
| SHA1 | 995aca36f7b4d15c2a5760fff8adfe67938c844e |
| SHA256 | 0fc01a7f2fdb6d93d242fdcf4984adc04bfe85c35b8ac0772ee97a90d9464769 |
| SHA512 | 68433f05ec83002ffa5ba5d33026419fff8531d0cb60150fc0f5aec919552f681befb40bc13804d77b40cceb3a3ed8bb57b76f3f9785337cd22196a461840684 |
memory/2472-54-0x0000000000400000-0x0000000000599000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/2472-58-0x0000000000400000-0x0000000000599000-memory.dmp
memory/2776-60-0x0000000003EB0000-0x0000000004049000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-10 23:35
Reported
2024-08-10 23:37
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
105s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\83ea4e985d08999f5cbbca213343bb5e27eeb20f5d340a69dc12aba0c3bc52f1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kyfuj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rakoun.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyfuj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rakoun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\goduh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\goduh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\83ea4e985d08999f5cbbca213343bb5e27eeb20f5d340a69dc12aba0c3bc52f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyfuj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rakoun.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83ea4e985d08999f5cbbca213343bb5e27eeb20f5d340a69dc12aba0c3bc52f1.exe
"C:\Users\Admin\AppData\Local\Temp\83ea4e985d08999f5cbbca213343bb5e27eeb20f5d340a69dc12aba0c3bc52f1.exe"
C:\Users\Admin\AppData\Local\Temp\kyfuj.exe
"C:\Users\Admin\AppData\Local\Temp\kyfuj.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\rakoun.exe
"C:\Users\Admin\AppData\Local\Temp\rakoun.exe" OK
C:\Users\Admin\AppData\Local\Temp\goduh.exe
"C:\Users\Admin\AppData\Local\Temp\goduh.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/4320-0-0x0000000000400000-0x0000000000526000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kyfuj.exe
| MD5 | 1e780dd64572af1756b834aed3c2ba45 |
| SHA1 | 6bb3553d08a7759f840018042525454a1e6231ef |
| SHA256 | 47b29d5711976b89945fd1b1ff42150e1672ec16cdb3038dee992289eba8fd9b |
| SHA512 | 7777de1823a675c416863c6da4905c16464606fa4a62f29f7cbdb319113c8b25f5febf04a47e1fc10540ae7d0b9ffaf16399ac0bc408b1b1c1dc62ffa307227a |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0c80310b6c1cb78a78500fbc64decd70 |
| SHA1 | 616643046d1bf295b5ebf33b0feb8bab5c586f2f |
| SHA256 | 35e2f6fc3855e7c39db6bbc9ee6c277b748c74c211addab91298b546a512f704 |
| SHA512 | e0ba7fb58c21f0654f729b16e7c53d613d908067e7ebf7e584b3e90db2a5397817bb7e0c7023a4d86e6538416fd4d371fc253c84b00c29544552837384fff0d9 |
memory/920-14-0x0000000000400000-0x0000000000526000-memory.dmp
memory/4320-16-0x0000000000400000-0x0000000000526000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 47bb2fc87bdf52e693f570d449f58dcd |
| SHA1 | 5b1aef0584d6eb87a7fdc131d9fc3c32b3573a44 |
| SHA256 | 7c53305cee1c6b8dc2195960ae50278d4f58c5c1f49bb5e2dd0fc058bf9b1a0c |
| SHA512 | 413ef028ca1b67f4ac809ca03335f6936d24f2ae87fa363e044a01c103a93ecf854366fc526594db26e5a0eaf9a9cfa2e2ce02af868a7b777d979e88bba92650 |
memory/1268-25-0x0000000000400000-0x0000000000526000-memory.dmp
memory/920-26-0x0000000000400000-0x0000000000526000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\goduh.exe
| MD5 | 686dde357de0ebc0b8e7cd92f16a91a2 |
| SHA1 | ef15d9e582fdd876aa9739d2512931c1694b182b |
| SHA256 | a2fa299dc6aba4c6ab94e95e4ccac8d79f1dfb667b47e233482fe21c354bf55b |
| SHA512 | d11b6a4d422d00b9c9771b9677c8ae2cee47410229369754a872e1d8e1ef5297cca2c6c199d00da5bda071007a0cc66946e555135f8cae930c07e5ff4b02b1ba |
memory/1640-38-0x0000000000400000-0x0000000000599000-memory.dmp
memory/1268-40-0x0000000000400000-0x0000000000526000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 08f11d0524d114e9f2b0970c2f9e5aba |
| SHA1 | 3a2f5fa5208c0ce5975efc039546cbd164c33688 |
| SHA256 | f78c5f701f03768bfc2308a3631e690b4b07947c75bc4e55ecc7239af12c4a91 |
| SHA512 | ebf60c49c394176b74c2f59cf397ae60bf5b14a3cbe62a09059b18ca42536afbc9531c7b5410f5779602ffa329d7b27589d52d6300bb265c0933b492bb7e280d |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/1640-43-0x0000000000400000-0x0000000000599000-memory.dmp
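The win10 run (behavioral2) adds reverse-DNS lookups to 8.8.8.8 and bing.com connections that the win7 run (behavioral1) never makes, and the dropped executables get new names and hashes in each run. Intersecting the two runs separates what the sample itself does from what the platform does: the four TCP destinations on ports 11110 and 11170 and two dropped files (`gbp.ini` and the first `_vslite.bat`) are byte-identical across both detonations. The script below does that intersection over the Network and Files tables of both behavioral sections. It is an added example, not part of the sandbox report; `REPORT_B1` and `REPORT_B2` are abridged copies of the tables above (SHA256 rows only), not data fetched from anywhere. The row parser locates the protocol by value rather than by column because rows without a domain have `tcp` sitting in the Domain column.

```python
"""Extract indicators from the two behavioral reports on this page and keep
only what both detonations have in common. Added example; REPORT_B1 and
REPORT_B2 are abridged copies of the tables above (SHA256 rows only)."""
import re
from collections import defaultdict
from dataclasses import dataclass

REPORT_B1 = r"""
| KR | 218.54.31.226:11110 | tcp | |
| KR | 1.234.83.146:11170 | tcp | |
| KR | 218.54.31.165:11110 | tcp | |
| JP | 133.242.129.155:11110 | tcp |
C:\Users\Admin\AppData\Local\Temp\fyfuu.exe
| SHA256 | eea3cc53f89cbd01ab04483a2371995179ef7fc2307fdca6b5f1f6f2a3fa55c7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| SHA256 | b34c86699c3b13e8b875301f93d64b66567d730ab8cdb08c766524955b983610 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| SHA256 | 7c53305cee1c6b8dc2195960ae50278d4f58c5c1f49bb5e2dd0fc058bf9b1a0c |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| SHA256 | 3835bc5add72791e9f8995928fe1f322327d092c4ce6cb9e1ad02ef66d4a36c1 |
C:\Users\Admin\AppData\Local\Temp\vywea.exe
| SHA256 | 0fc01a7f2fdb6d93d242fdcf4984adc04bfe85c35b8ac0772ee97a90d9464769 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
"""

REPORT_B2 = r"""
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| KR | 218.54.31.226:11110 | tcp | |
| KR | 1.234.83.146:11170 | tcp | |
| KR | 218.54.31.165:11110 | tcp | |
| JP | 133.242.129.155:11110 | tcp | |
| US | 52.111.227.11:443 | tcp | |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
C:\Users\Admin\AppData\Local\Temp\kyfuj.exe
| SHA256 | 47b29d5711976b89945fd1b1ff42150e1672ec16cdb3038dee992289eba8fd9b |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| SHA256 | 35e2f6fc3855e7c39db6bbc9ee6c277b748c74c211addab91298b546a512f704 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| SHA256 | 7c53305cee1c6b8dc2195960ae50278d4f58c5c1f49bb5e2dd0fc058bf9b1a0c |
C:\Users\Admin\AppData\Local\Temp\goduh.exe
| SHA256 | a2fa299dc6aba4c6ab94e95e4ccac8d79f1dfb667b47e233482fe21c354bf55b |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| SHA256 | f78c5f701f03768bfc2308a3631e690b4b07947c75bc4e55ecc7239af12c4a91 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
"""


@dataclass(frozen=True)
class Dest:
    country: str
    dst: str      # ip:port
    domain: str
    proto: str


FILE_PATH = re.compile(r"^[A-Za-z]:\\\S.*$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_dest(line):
    """Parse one Network row; proto is found by value because rows without a
    domain carry 'tcp' in the Domain column."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or not re.fullmatch(r"[A-Z]{2}", cells[0]):
        return None
    rest = cells[2:]
    proto = next((c.lower() for c in rest if c.lower() in ("tcp", "udp")), "")
    domain = next((c for c in rest if c and c.lower() not in ("tcp", "udp")), "")
    return Dest(cells[0], cells[1], domain, proto)


def parse_report(text):
    """Return (destinations, {path: [{algo: digest}, ...]}); a path that is
    written more than once in a run (the .bat here) gets one dict per write."""
    dests, files, current = [], defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        d = parse_dest(line)
        if d:
            dests.append(d)
            continue
        if FILE_PATH.match(line):
            current = line
            files[current].append({})
            continue
        m = HASH_ROW.match(line)
        if m and current:
            files[current][-1][m.group(1).upper()] = m.group(2).lower()
    return dests, dict(files)


def common_destinations(*reports):
    """(ip:port, proto) pairs present in every run; platform noise drops out."""
    sets = [{(d.dst, d.proto) for d in parse_report(r)[0]} for r in reports]
    return sorted(set.intersection(*sets))


def common_sha256(*reports):
    """SHA256 values present in every run, whatever the dropped file was named."""
    sets = []
    for r in reports:
        _, files = parse_report(r)
        sets.append({h["SHA256"] for hs in files.values() for h in hs if "SHA256" in h})
    return sorted(set.intersection(*sets))


if __name__ == "__main__":
    for dst, proto in common_destinations(REPORT_B1, REPORT_B2):
        print("net", proto, dst)
    for h in common_sha256(REPORT_B1, REPORT_B2):
        print("sha256", h)
```

Per-run `.exe` hashes are still worth blocking, but the cross-run set is what survives the sample's name randomisation; the per-run `golfinfo.ini` and second `_vslite.bat` differ between detonations, so their hashes are weak indicators on their own.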