Analysis Overview
SHA256
931c9f7961eb295aecfbe372b16b585a9b16e9dbd45321def2c320224995f840
Threat Level: Known bad
The file 931c9f7961eb295aecfbe372b16b585a9b16e9dbd45321def2c320224995f840 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
ASPack v2.12-2.42
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Deletes itself
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-10 00:06
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-10 00:06
Reported
2024-08-10 00:09
Platform
win7-20240708-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toecc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poajt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\931c9f7961eb295aecfbe372b16b585a9b16e9dbd45321def2c320224995f840.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\931c9f7961eb295aecfbe372b16b585a9b16e9dbd45321def2c320224995f840.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toecc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\931c9f7961eb295aecfbe372b16b585a9b16e9dbd45321def2c320224995f840.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\toecc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poajt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\931c9f7961eb295aecfbe372b16b585a9b16e9dbd45321def2c320224995f840.exe
"C:\Users\Admin\AppData\Local\Temp\931c9f7961eb295aecfbe372b16b585a9b16e9dbd45321def2c320224995f840.exe"
C:\Users\Admin\AppData\Local\Temp\toecc.exe
"C:\Users\Admin\AppData\Local\Temp\toecc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\poajt.exe
"C:\Users\Admin\AppData\Local\Temp\poajt.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | N/A | tcp |
| KR | 1.234.83.146:11170 | N/A | tcp |
| KR | 218.54.31.165:11110 | N/A | tcp |
| JP | 133.242.129.155:11110 | N/A | tcp |
Files
memory/1712-0-0x0000000000400000-0x0000000000871000-memory.dmp
\Users\Admin\AppData\Local\Temp\toecc.exe
| MD5 | 64eeeb830b9b0d6039874556fc5cbf44 |
| SHA1 | 33296c8f4be0a4962443e20883129ea35a6a774f |
| SHA256 | 47e5e7367f6d7d705cfac34e75565552edba1095ed9bed08b6e73ab31d9e8075 |
| SHA512 | 33b9c6e326d0b53541e2cf4326669fe6ee962becba58a1c69922f413d7e01826f9c0ef2aee687c02ab5f74785e9a36fe44dd9b9c811eaa8e906b7c1335edad77 |
memory/1712-18-0x0000000003880000-0x0000000003CF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | ff38876eeeb0ccfc2b9590cb3098c7ea |
| SHA1 | 849b7e1e4500817d9b9a0e8fdca90cb9def209e0 |
| SHA256 | e4288625cb4db890ae8b3a50035b2843dd0646d0816f170931860802fe9d7f81 |
| SHA512 | 088db908c9b8544539767bb20d9a9d92221c46688d05b2d47f22251653bb2e9eb0329867c458637363b2233a81b5f56ba048f80cfd641de11eda227a80f53d2c |
memory/2040-21-0x0000000000400000-0x0000000000871000-memory.dmp
memory/1712-20-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | bf3b3db62f63e77c1f9f0e9fc9d8605c |
| SHA1 | d4f41545ba323f64ecf2d329e948f0bb7837641c |
| SHA256 | 92a6b0c902b3e3f33f1f76993a6ac4dc903fdf23136fecea9cf9381b757c4693 |
| SHA512 | 555a99afadda049b5157b89652f65bfebb6a4e1531f5e1a315c16a12fab484fc6da4c4108266d01d96419b365da61cec0e2609791ae94a10bfdd5e0ee2353d95 |
\Users\Admin\AppData\Local\Temp\poajt.exe
| MD5 | 942ba70230d5d7dd26181b205748f120 |
| SHA1 | 2f6ac078d07b7d7f2f481a044ef73caed6c2a2f2 |
| SHA256 | f588c3e3d7dfbd9cd02ad67498c6ead8c6ed946b6bc7cc0f502122b21a4c531a |
| SHA512 | b4dee9d6f0ce28cec25130b34f98f799b7121a2cc286d2501256eadf59355214633812b96fde2fa6ff358ee92ca7c43393cdb804923e354c1a26ee9d8e6b0389 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-10 00:06
Reported
2024-08-10 00:09
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\931c9f7961eb295aecfbe372b16b585a9b16e9dbd45321def2c320224995f840.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\siufg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\siufg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\azses.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\931c9f7961eb295aecfbe372b16b585a9b16e9dbd45321def2c320224995f840.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\siufg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\azses.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\931c9f7961eb295aecfbe372b16b585a9b16e9dbd45321def2c320224995f840.exe
"C:\Users\Admin\AppData\Local\Temp\931c9f7961eb295aecfbe372b16b585a9b16e9dbd45321def2c320224995f840.exe"
C:\Users\Admin\AppData\Local\Temp\siufg.exe
"C:\Users\Admin\AppData\Local\Temp\siufg.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\azses.exe
"C:\Users\Admin\AppData\Local\Temp\azses.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/4752-0-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\siufg.exe
| MD5 | 147c8c97b2ecde795817eaf9da11fa09 |
| SHA1 | a2debbab4635af185ca0f4f15c50561e66b8cbd4 |
| SHA256 | 69ed8c2093c51f65f42433a21b529834f3e3b1fe23d0c165055086d87b3150d1 |
| SHA512 | c0c008465360f471eaabd9c2b4de4fad97be1a6271e9c4af1b1fe2e950a57d81700f2b1fe55d415f06fd618bc2e5fc29a650d098bc04cbb8773940a4e88af231 |
memory/4464-13-0x0000000000400000-0x0000000000871000-memory.dmp
memory/4752-14-0x0000000000400000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | ff38876eeeb0ccfc2b9590cb3098c7ea |
| SHA1 | 849b7e1e4500817d9b9a0e8fdca90cb9def209e0 |
| SHA256 | e4288625cb4db890ae8b3a50035b2843dd0646d0816f170931860802fe9d7f81 |
| SHA512 | 088db908c9b8544539767bb20d9a9d92221c46688d05b2d47f22251653bb2e9eb0329867c458637363b2233a81b5f56ba048f80cfd641de11eda227a80f53d2c |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8cd38c08ac1bdbc453ddb2fbdd7fec0d |
| SHA1 | b669b683e02b333a34dd4660118ac2582f636f83 |
| SHA256 | 0a2b54ff4e50cc703c687178b792c62926e1c502420f8f024b6b1c7f30ee4e04 |
| SHA512 | 12cf439384afa68ec7f1ce6af62412c3b10daf06bf2a52dc85b79afdd7f832fa892c8e6c3e2e7caaeae06e72cb73fbec21f6239bd4dc3d92a1d392406207c39d |
C:\Users\Admin\AppData\Local\Temp\azses.exe
| MD5 | 3bd04d4150ed7fe1781761d0a719f697 |
| SHA1 | 8e18f2f5bcc6022950c2f1b5701bd0798f67539c |
| SHA256 | 14e70175ac76a670881526a9dc9d491440eed5b283e7e20abb249df5e01d61fb |
| SHA512 | 3e2dfbafad65faea5a874a3e7390487fcd29bb25094b5e2c30ec9848953ab7453827417f2d5f9ca2191e7d94f0a120bd82e1349d0efc85ea1c78ecace276e259 |