Analysis Overview
SHA256
b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564
Threat Level: Known bad
The file b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 23:39
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 23:39
Reported
2024-08-13 23:42
Platform
win7-20240708-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ryhog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dukyxo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qybec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ryhog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ryhog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dukyxo.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ryhog.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dukyxo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qybec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe
"C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe"
C:\Users\Admin\AppData\Local\Temp\ryhog.exe
"C:\Users\Admin\AppData\Local\Temp\ryhog.exe" hi
C:\Users\Admin\AppData\Local\Temp\dukyxo.exe
"C:\Users\Admin\AppData\Local\Temp\dukyxo.exe" OK
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\qybec.exe
"C:\Users\Admin\AppData\Local\Temp\qybec.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2516-0-0x0000000000400000-0x0000000000467000-memory.dmp
\Users\Admin\AppData\Local\Temp\ryhog.exe
| MD5 | 0ee32d8dc146d80a49836770496ff76b |
| SHA1 | f0aa123fbc5f709a7f3193713946ed2ae7678657 |
| SHA256 | e1e30e4f7fd18010b8ccc9149e6fcc032f3a38deb74db5edfdbdea8232bed5e4 |
| SHA512 | 88b06ac427be3282722e122a2c2ab3b1002464c8ad09ac5a09a12bc1b60fa19ad7eb9e02aa69a3b6e31eabd8d52dbe57dec11e5335e56e196519ff3db4e7da5d |
memory/2516-6-0x0000000002A80000-0x0000000002AE7000-memory.dmp
memory/1444-14-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 4991d24d0386b324f00e042b34baadfe |
| SHA1 | 88c784ed53eb096db07c2039c29c52b162c39e25 |
| SHA256 | 5cb380a34e0f07c2bee25c36b6dca1ca210445ccaf211b6366c9a504993d70ef |
| SHA512 | 91cc59abfc0a209163e7bdd6ae0159f2c221eb97abdff9226be1c87060939911e521857ad2b25607861854902ae36883b6e8896c46ac24b71c94680711e7ecf8 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | a8d7a443f1be5c44bef74a95b672b5be |
| SHA1 | c1050d9c1f98340067f006bd10a602afab764dc4 |
| SHA256 | b54c4797d66e938a2e5d879f530f3cff722a2a58e4612bac080523901604b7f5 |
| SHA512 | b68fd3871bfb4ec4ff19955c720a04827f1e2bc6aa4cd7f516698cd96d3b0c61335a36f1485c6f921fea9a14a2001d81c85a1cbd994b0a5241e614654f56696a |
\Users\Admin\AppData\Local\Temp\dukyxo.exe
| MD5 | 4e63c36aa90bdbf56d1e506209e4bc90 |
| SHA1 | 861ca429a5388f3b79c6860bdf87b46ea138234e |
| SHA256 | fc38ee6a427079f3826b7541b099f6febe2c18a484d189d88d2b4e683b73c240 |
| SHA512 | 46138c3bc27cee452c5876f7dcff876fe3b011f709aa388bc25992acbf53bec3cff123d37e62e224a5e166f1805bb081b57be83e30c34ff020809c9eaea1b95c |
memory/1444-31-0x0000000000400000-0x0000000000467000-memory.dmp
memory/3048-34-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2516-32-0x0000000000400000-0x0000000000467000-memory.dmp
\Users\Admin\AppData\Local\Temp\qybec.exe
| MD5 | 002f96dcf32bc776c1d6dbd1cfddda25 |
| SHA1 | a68a411f0ddce983ddefa1b987bf3ed246708e62 |
| SHA256 | 689b1cfe4b0c0dc5e2892b87787cceea849866156326a27404da60771b1d117e |
| SHA512 | dec6a633eaee65c6c825fc54dd9d844031f71b617f59174bc95cb93a8dc56d5741ec22a3cdedc2ba5edc599d5dbb4169f3e359019dae7e0ac2e443b92a373f6b |
memory/3048-41-0x00000000030F0000-0x0000000003190000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | aee26ab7930b0e80abedb391c1843ddd |
| SHA1 | b4e2dc00cec70ad70e6723ff98fe060f3efec3a9 |
| SHA256 | 4f0434034c209bf34dd11590351730af663cb01b015f9c7d830d5942b7863298 |
| SHA512 | 5d5f319e72ac444a323bb7837944ad35aeace669592b47ca69082dc814d02aab111b1e5dedcbdbc738d3611960d9591c09b47fe85a3b9a9a3cb2ccfb6b03c8cc |
memory/1912-52-0x00000000000D0000-0x0000000000170000-memory.dmp
memory/3048-53-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1912-56-0x00000000000D0000-0x0000000000170000-memory.dmp
memory/1912-57-0x00000000000D0000-0x0000000000170000-memory.dmp
memory/1912-58-0x00000000000D0000-0x0000000000170000-memory.dmp
memory/1912-59-0x00000000000D0000-0x0000000000170000-memory.dmp
memory/1912-60-0x00000000000D0000-0x0000000000170000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 23:39
Reported
2024-08-13 23:42
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vobui.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ifzabi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vobui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ifzabi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zapob.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vobui.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ifzabi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zapob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe
"C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe"
C:\Users\Admin\AppData\Local\Temp\vobui.exe
"C:\Users\Admin\AppData\Local\Temp\vobui.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ifzabi.exe
"C:\Users\Admin\AppData\Local\Temp\ifzabi.exe" OK
C:\Users\Admin\AppData\Local\Temp\zapob.exe
"C:\Users\Admin\AppData\Local\Temp\zapob.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
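The two Network tables agree on the same four outbound TCP destinations on ports 11110 and 11170; the extra rows in the win10 run (PTR lookups through 8.8.8.8 and `tse1.mm.bing.net`) are most likely Windows background traffic from the sandbox image rather than sample activity, which is an assumption an analyst should confirm before dropping them. Those four destinations also age better than the file hashes in the Files sections: every dropped stage has a different hash per run, while only `_vslite.bat` (MD5 `a8d7a443f1be5c44bef74a95b672b5be`) repeats across both detonations. The script below is an added example, not part of the report: it parses a copy of the table rows into IOCs, filters the resolver and allowlisted rows, and runs the result over constructed conn-log lines, adding a port-only hunt rule for the two C2 ports as a lead rather than a verdict.

```python
"""Turn the report's Network table into a connection-log matcher.

Added example, not part of the sandbox report. The table rows are copied
from the Network sections (Proto is the last cell); the conn log lines
are constructed, tab-separated: ts, src, sport, dst, dport, proto.
"""
import ipaddress

REPORT_NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
"""
# Assumed operator allowlist for the Windows background traffic in the win10 run.
BENIGN_DOMAIN_SUFFIXES = ("bing.net", ".in-addr.arpa")
C2_PORTS = {11110, 11170}  # the only ports the sample dialled out on


def parse_network_table(text):
    """Return {(ip, port, proto)} minus resolver and allowlisted rows."""
    iocs = set()
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0] == "Country":
            continue
        _country, dest, domain, proto = cells[:4]
        ip, _, port = dest.rpartition(":")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if (ip, port) == ("8.8.8.8", "53") or domain.endswith(BENIGN_DOMAIN_SUFFIXES):
            continue  # sandbox resolver / allowlisted background traffic
        iocs.add((ip, int(port), proto.lower()))
    return iocs


def match_conn_log(lines, iocs):
    """Return (ts, dst, dport, reason) for each outbound TCP line worth a look."""
    exact = {(ip, port) for ip, port, proto in iocs if proto == "tcp"}
    hosts = {ip for ip, _ in exact}
    hits = []
    for line in lines:
        ts, _src, _sport, dst, dport, proto = line.rstrip("\n").split("\t")
        dport = int(dport)
        if proto != "tcp":
            continue
        if (dst, dport) in exact:
            reason = "exact C2 ip:port from report"
        elif dst in hosts:
            reason = "known C2 host on a new port"
        elif dport in C2_PORTS and not ipaddress.ip_address(dst).is_private:
            reason = "Urelas port to unlisted host (hunt lead, not a verdict)"
        else:
            continue
        hits.append((ts, dst, dport, reason))
    return hits


SAMPLE_CONN = [  # constructed conn-log lines
    "1723592400.1\t10.0.0.5\t49160\t218.54.31.226\t11110\ttcp",
    "1723592401.2\t10.0.0.5\t49161\t1.234.83.146\t11170\ttcp",
    "1723592402.3\t10.0.0.5\t49162\t150.171.27.10\t443\ttcp",
    "1723592403.4\t10.0.0.5\t53111\t8.8.8.8\t53\tudp",
    "1723592404.5\t10.0.0.5\t49163\t77.88.99.10\t11110\ttcp",
    "1723592405.6\t10.0.0.5\t49164\t218.54.31.165\t8080\ttcp",
]

if __name__ == "__main__":
    for hit in match_conn_log(SAMPLE_CONN, parse_network_table(REPORT_NETWORK_TABLE)):
        print(*hit)
```

The port-only rule is kept separate from the exact matches on purpose: 11110/11170 are unusual enough to be worth a look, but a match on port alone should open a hunt, not raise a blocking alert.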
Files
memory/4048-0-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vobui.exe
| MD5 | 98631abd049e0d96dd0cd68c0bec5bbe |
| SHA1 | 084cdca63c2dfca7147bf989849759ce98d08378 |
| SHA256 | a2b6e8e1e32ff316fd9065c7d1983ea9e9e37a4a0d60186843bee09c710b6660 |
| SHA512 | 3ade4724eb644a062ef7006735dab9b024fd7224d7dc1f1949e270018537d219229e65f8d515ea3966b0a283c7f85bc03d35c82ab7285a34655f4859121cfa24 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b0d44b54b69b2b11d1cb11e20017855e |
| SHA1 | 949138da3e683962e5fee2e3aeb8689a15f329af |
| SHA256 | 1589b6feb9abe20b9e7efcbc65f0bddfdfb0b01ed35550e79ad2b004c6c0d9a9 |
| SHA512 | 2769339bbb93b0707741e810c7f71bf71f70ad7b3c9a040e3873ca0e55b033fbfce874d36060dcc7c5d04e50308374d9af349bc7856ccdae3ef63ca8a485b739 |
memory/2756-9-0x0000000000400000-0x0000000000467000-memory.dmp
memory/4048-16-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | a8d7a443f1be5c44bef74a95b672b5be |
| SHA1 | c1050d9c1f98340067f006bd10a602afab764dc4 |
| SHA256 | b54c4797d66e938a2e5d879f530f3cff722a2a58e4612bac080523901604b7f5 |
| SHA512 | b68fd3871bfb4ec4ff19955c720a04827f1e2bc6aa4cd7f516698cd96d3b0c61335a36f1485c6f921fea9a14a2001d81c85a1cbd994b0a5241e614654f56696a |
C:\Users\Admin\AppData\Local\Temp\ifzabi.exe
| MD5 | 6f65efbd41d5ae8049ee7abfe52a6b6b |
| SHA1 | 1a5087ffdee8c9f97c4c2bf49444befe7e8f7337 |
| SHA256 | fc3ac136ba3cb5631f048f9f3d1d7656f8e19b21ff015492a9df3dfd00456d3f |
| SHA512 | b6241ccbaaaebd52c59cc645cdb632dc6295d62c5275fe53cffaf92f592aa4caae974239c610e5618317b8bc7fbe74ac80835394cbf4a4ff42e55b0e152f2f47 |
memory/2756-25-0x0000000000400000-0x0000000000467000-memory.dmp
memory/3484-26-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zapob.exe
| MD5 | c64112b16fd26ad5ebee584cbe41dc3f |
| SHA1 | d5cbff9d4699b27dbce15715d1fe507ab5faefbe |
| SHA256 | af8e187652e2c0e42e0ff7fa6373e9bc236396659285cac624afc4675cb4e0ad |
| SHA512 | 45245ee08859ddebf95b65372faa57adc7bf07ff08f5c8990f9d97630556dbd3c417393b76669a5328aee7af8ce20aa3c6886e1b00f111c164d0289ce1872105 |
memory/1804-38-0x0000000000A20000-0x0000000000AC0000-memory.dmp
memory/3484-39-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 9d1ce865ac5a4ee8818bdf90db1e4331 |
| SHA1 | 9f2cf508b22b4ff9a9a6a4b4f56c40e82be17d80 |
| SHA256 | 938aa119df4f7ad6bfc262d3b4465b46c2b33f9e70175ea90ebc344be982eadc |
| SHA512 | 1d8c1a05385613efd665535f6901a1c0c390117f65577b2e0227853e09e63d3a699905331de97da3172da27c1e357f9cf3404e7ab49aa4b74f9f9c5d87b68f7a |
memory/1804-42-0x0000000000A20000-0x0000000000AC0000-memory.dmp
memory/1804-43-0x0000000000A20000-0x0000000000AC0000-memory.dmp
memory/1804-44-0x0000000000A20000-0x0000000000AC0000-memory.dmp
memory/1804-45-0x0000000000A20000-0x0000000000AC0000-memory.dmp
memory/1804-46-0x0000000000A20000-0x0000000000AC0000-memory.dmp