Analysis Overview
SHA256
d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a
Threat Level: Known bad
The file d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Deletes itself
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-10 02:58
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-10 02:58
Reported
2024-08-10 03:00
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
102s
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fyycji.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\toavd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toavd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fyycji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyijz.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fyycji.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyijz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\toavd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a.exe | "C:\Users\Admin\AppData\Local\Temp\d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a.exe" |
| C:\Users\Admin\AppData\Local\Temp\toavd.exe | "C:\Users\Admin\AppData\Local\Temp\toavd.exe" hi |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
| C:\Users\Admin\AppData\Local\Temp\fyycji.exe | "C:\Users\Admin\AppData\Local\Temp\fyycji.exe" OK |
| C:\Users\Admin\AppData\Local\Temp\kyijz.exe | "C:\Users\Admin\AppData\Local\Temp\kyijz.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
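The Signatures, Processes and Network sections above (and the matching sections of the win7 run below) list what the sample did, but not how to catch it. The following script, added here as an example and not part of the sandbox report, turns those observations into detection logic: dropped files executed from the user's Temp directory, cmd.exe launching the dropped _vslite.bat, and TCP beacons to the four KR/JP destinations on ports 11110 and 11170. The event records are constructed from the behavioral2 run; the PIDs, the ProcEvent/NetEvent record shape and the rule names are this example's own assumptions, not the sandbox's data model.

```python
"""
Added example (not from the sandbox report): rules that flag the Urelas
behaviours seen in this report when run over process-creation and network
events.  Event records below are constructed from the behavioral2 run; PIDs
and the event classes are assumptions made for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int        # illustrative only; the report does not map PIDs to images
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int
    proto: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a.exe"

# Files the report's Files section shows being written to Temp (lower-cased for lookup).
DROPPED_FILES = {
    (TEMP + name).lower()
    for name in (r"\toavd.exe", r"\fyycji.exe", r"\kyijz.exe", r"\_vslite.bat", r"\golfinfo.ini")
}

# TCP destinations from the Network tables; both runs reach the same four hosts.
URELAS_C2 = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}
C2_PORTS = {port for _, port in URELAS_C2}

# cmd.exe /c ""<path>\_vslite.bat" "  -- tolerate the doubled quotes seen in the report
BAT_LAUNCH = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([a-z]:\\[^"]+\.bat)', re.I)
# "<path>.exe" <one bare word>  -- the "hi" / "OK" arguments the dropped EXEs receive
BARE_ARG = re.compile(r'^"[^"]+\.exe"\s+([A-Za-z]{1,8})\s*$')


def norm(path: str) -> str:
    """Strip quotes and case so paths compare against DROPPED_FILES."""
    return path.strip('"').lower()


def check_process(ev: ProcEvent) -> list[str]:
    findings = []
    if norm(ev.image) in DROPPED_FILES:
        findings.append("executes dropped EXE")
        if BARE_ARG.match(ev.cmdline):
            findings.append("dropped EXE launched with bare-word argument")
    m = BAT_LAUNCH.search(ev.cmdline)
    if m and norm(m.group(1)) in DROPPED_FILES:
        findings.append("cmd.exe runs dropped batch script")
    return findings


def check_network(ev: NetEvent) -> list[str]:
    if ev.proto.lower() != "tcp":
        return []
    if (ev.dst_ip, ev.dst_port) in URELAS_C2:
        return ["known Urelas C2 destination"]
    if ev.dst_port in C2_PORTS:           # weaker signal: same unusual port, unknown host
        return ["TCP to Urelas C2 port"]
    return []


def scan(procs, nets) -> Counter:
    """Count findings per rule over a whole run."""
    hits = Counter()
    for p in procs:
        hits.update(check_process(p))
    for n in nets:
        hits.update(check_network(n))
    return hits


# Constructed from the behavioral2 Processes and Network sections.
PROCS = [
    ProcEvent(376, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1844, TEMP + r"\toavd.exe", f'"{TEMP}\\toavd.exe" hi'),
    ProcEvent(2100, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "'),
    ProcEvent(3048, TEMP + r"\fyycji.exe", f'"{TEMP}\\fyycji.exe" OK'),
    ProcEvent(4380, TEMP + r"\kyijz.exe", f'"{TEMP}\\kyijz.exe"'),
    ProcEvent(2300, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "'),
]
NETS = [
    NetEvent(376, "8.8.8.8", 53, "udp"),            # DNS, not flagged
    NetEvent(376, "13.107.21.237", 443, "tcp"),     # g.bing.com, not flagged
    NetEvent(1844, "218.54.31.226", 11110, "tcp"),
    NetEvent(1844, "1.234.83.146", 11170, "tcp"),
    NetEvent(3048, "218.54.31.165", 11110, "tcp"),
    NetEvent(4380, "133.242.129.155", 11110, "tcp"),
]

if __name__ == "__main__":
    for rule, n in sorted(scan(PROCS, NETS).items()):
        print(f"{n}x {rule}")
```

The exact-match rules (dropped-file set, C2 IP:port pairs) are specific to this sample and will age quickly; the port-only rule and the "cmd /c on a batch file in Temp" pattern are the parts worth keeping as generic hunting queries, with the Temp path widened to any user profile before deployment.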
Files
memory/376-0-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toavd.exe
| MD5 | d1e2a4bde456d742135bfb818d2bc231 |
| SHA1 | de11ab3f88274d0a8d32a293809e24f2685cb99e |
| SHA256 | b7647415366e4bdc349e2e16c60f45da245a2da856e6fe912d5d2fd14fe94381 |
| SHA512 | c5b71aa917644bec1ea97a6d93b4cd86d8103d4c9ca145ae6ea136eaa07979cdfda9f295eee01c43bf0e72365d32b0cbbdbfe475235b2567585c93d8526f123b |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8f20adcd088252f8a4601fc5235fcbb3 |
| SHA1 | f9b83f6380c19c038beba1e380f88e8f8e611bae |
| SHA256 | 115b7c4dea73837972ad4b532cc218b319fa14bd88e11a58fe5b48e7cfc1867c |
| SHA512 | 7e1824a8eafcba0b03d00ce59aa3a75793ed27caa425eb947b25bb0f02e864dd9babbe1799192ec01ff20dca025074970b711f3f8f71cd62b3c72230d809a952 |
memory/376-15-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1844-11-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 569e0cc6090f980026d6dad7d1a3fbbd |
| SHA1 | 99dc5a172b0a1b69cc7ff7351337aecf53e08db8 |
| SHA256 | 9c43fb34e4d85ae52460bf478cac3717f26b53fedb99b39ccab9f6429a7cf13b |
| SHA512 | e7817d61415f1e7c0a19d7cf4b1d99411be97918933c54d62e097f65cbac7b7ad452aa54df267bafc06c35980f9e64349840c94439b77e900e93d9e025926aec |
C:\Users\Admin\AppData\Local\Temp\fyycji.exe
| MD5 | e65e1b1a2b9541922d57efad159803a2 |
| SHA1 | f8bd5a2be928337b8cdf1d36a41b4135ca2b61cc |
| SHA256 | cec60a086ba9d7dee89ba61e05d5bf50c14e9ee7073c40115f69499570d8f80a |
| SHA512 | 8c29e188c86fe991af337cb8a2c0d23c43af8ec48fcd9f44eadfe53fd9702a80f7981324e626d911b45cd8c5c67aec5e8b3c58765db512252f823a09bd99d944 |
memory/3048-25-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1844-26-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kyijz.exe
| MD5 | f1442560e8b4a78ebaed61114ecbd928 |
| SHA1 | 68a0d9bb0324160f5de9fb674f5b574e707455fa |
| SHA256 | d969e881cd1aa6f2001e3170a9f4879bdecddbf052fbd1377a00bade3a6968b1 |
| SHA512 | 529546a9db5b4e715c46c0b683e83a14866336c73a0bc41d0eb3c1da39ba3b64ebd3c95b392d7cbde9be6c88f52e1568277928c18f0c188fd7ac77950f2b99af |
memory/4380-37-0x0000000000010000-0x00000000000B0000-memory.dmp
memory/3048-39-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 1114185ce313273f782c3074e78652e6 |
| SHA1 | 7c543576139eafe2cc05ceb158cec19a77e1e0ea |
| SHA256 | eab26891cee40248dbde3f4dd55ae27635b4924e126a9b5b1375a51fbfc7c272 |
| SHA512 | a7968ff964b79f2e54f9a94f7d283871ca894bf859c63fb3a0cd563442316b352c8e250624f9757e5dc1475ee2a4cc9b0b7b36e5c31989c11aea9afff59e1bc9 |
memory/4380-42-0x0000000000010000-0x00000000000B0000-memory.dmp
memory/4380-43-0x0000000000010000-0x00000000000B0000-memory.dmp
memory/4380-44-0x0000000000010000-0x00000000000B0000-memory.dmp
memory/4380-45-0x0000000000010000-0x00000000000B0000-memory.dmp
memory/4380-46-0x0000000000010000-0x00000000000B0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-10 02:58
Reported
2024-08-10 03:00
Platform
win7-20240705-en
Max time kernel
149s
Max time network
121s
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\laboc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duwoto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gybos.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\laboc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\laboc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duwoto.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\duwoto.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gybos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\laboc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a.exe | "C:\Users\Admin\AppData\Local\Temp\d036998aa2c1d2a6d6a7347de170a705559fa44bb01d0421a2b820a3e369b58a.exe" |
| C:\Users\Admin\AppData\Local\Temp\laboc.exe | "C:\Users\Admin\AppData\Local\Temp\laboc.exe" hi |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
| C:\Users\Admin\AppData\Local\Temp\duwoto.exe | "C:\Users\Admin\AppData\Local\Temp\duwoto.exe" OK |
| C:\Users\Admin\AppData\Local\Temp\gybos.exe | "C:\Users\Admin\AppData\Local\Temp\gybos.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2864-2-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\laboc.exe
| MD5 | 98a599b878dc1161f64f95f3701a2f57 |
| SHA1 | ebf0525bcec68d71408fe6fde00b73e4df4a9e2e |
| SHA256 | 0ed824ba0efefd07b81762a7c393b16da7badeb0395d4d287d7df0f86ef6fdac |
| SHA512 | 0fcf0f098c99d9e088304baedeee53109bcde8fa1ab1f4f9ec630a9307546463146d528248231950fe773dbd846f75144809b72c5d33b15fbb15d32a1ff6fa7a |
memory/2560-20-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | fbf3b88857ac3ecb4f2c5ad2789e1f97 |
| SHA1 | 924f912ba290d363addcb24f88e025de27789b81 |
| SHA256 | bf1f6f57101d33b9340ed2df82b8d58edcae1e28c5cea8ff172bd5ae9589526e |
| SHA512 | 8653b129dc79d460f431022aed44a3c215ce760ba75e5335d2b62292e44f3c9b952ce663bcc1fc56c19d3ee2f6be79acb724ca46f4a766c0673d1856d3405484 |
memory/2864-18-0x00000000024F0000-0x0000000002557000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 569e0cc6090f980026d6dad7d1a3fbbd |
| SHA1 | 99dc5a172b0a1b69cc7ff7351337aecf53e08db8 |
| SHA256 | 9c43fb34e4d85ae52460bf478cac3717f26b53fedb99b39ccab9f6429a7cf13b |
| SHA512 | e7817d61415f1e7c0a19d7cf4b1d99411be97918933c54d62e097f65cbac7b7ad452aa54df267bafc06c35980f9e64349840c94439b77e900e93d9e025926aec |
memory/2864-22-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2560-33-0x0000000000400000-0x0000000000467000-memory.dmp
memory/3012-34-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\duwoto.exe
| MD5 | ea16f2b0893574d523668b7dd537d2b6 |
| SHA1 | f3c3e087b8a7bb4abcd6e4ed82b8b76f5ff3e1f0 |
| SHA256 | 941489f5d565bc720165a38afd7750e0c1d993758e33403ad2db0dc4d777bb50 |
| SHA512 | c8a656c49805bd53f21b2848933ce5c466bae53d9d3954a27b90c0fa30c38750cd320a0b0805500759b88a04f539cd6e7ff12a298779342646df501948a9fb75 |
memory/3012-51-0x0000000000400000-0x0000000000467000-memory.dmp
memory/944-52-0x0000000000910000-0x00000000009B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 129baa01ba256d201e9860090c3d0e08 |
| SHA1 | cbd1c7fe86d8247594a6cc2eadfffddf476cd6c5 |
| SHA256 | a91feb86b223c985ed094975fb9b8567651ac03e51636ae8fd8cf68affc39126 |
| SHA512 | 937400dbb21655574cbff23d9608e6c77e0825d39a38cda34d26fbf87bfff6525c1150c6313e8c3ce3f80c51f22f4263b950ecc149af0930cefbafbc08bf6d85 |
C:\Users\Admin\AppData\Local\Temp\gybos.exe
| MD5 | 0529af9534e131356f752bb56b8e4a64 |
| SHA1 | 1fe12b3dc0c5b872a20296042b8ba6a2cd11e3f7 |
| SHA256 | 363a2c257873283b93cc6cb4f1d4ea7a0bbaa6ed211b1e0bf8e9057f31b69c61 |
| SHA512 | 3db67a60e5e4103556b0150041dff3d662c54af9c1d2f865dcadfe0791b16c5052ccb3f4dab7e2e5b7c518a4fce5bb0d641d565bc08c7fddfb914053e3de4a46 |
memory/3012-42-0x0000000003080000-0x0000000003120000-memory.dmp
memory/944-56-0x0000000000910000-0x00000000009B0000-memory.dmp
memory/944-57-0x0000000000910000-0x00000000009B0000-memory.dmp
memory/944-58-0x0000000000910000-0x00000000009B0000-memory.dmp
memory/944-59-0x0000000000910000-0x00000000009B0000-memory.dmp
memory/944-60-0x0000000000910000-0x00000000009B0000-memory.dmp