Malware Analysis Report

2024-11-16 13:28

Sample ID 240813-3nk8xs1gkh
Target b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564
SHA256 b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564

Threat Level: Known bad

The file b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 23:39

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 23:39

Reported

2024-08-13 23:42

Platform

win7-20240708-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryhog.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dukyxo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qybec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ryhog.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dukyxo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qybec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qybec.exe N/A (55 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe C:\Users\Admin\AppData\Local\Temp\ryhog.exe (4 identical rows)
PID 1444 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\ryhog.exe C:\Users\Admin\AppData\Local\Temp\dukyxo.exe (4 identical rows)
PID 2516 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 3048 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\dukyxo.exe C:\Users\Admin\AppData\Local\Temp\qybec.exe (4 identical rows)
PID 3048 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dukyxo.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe

"C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe"

C:\Users\Admin\AppData\Local\Temp\ryhog.exe

"C:\Users\Admin\AppData\Local\Temp\ryhog.exe" hi

C:\Users\Admin\AppData\Local\Temp\dukyxo.exe

"C:\Users\Admin\AppData\Local\Temp\dukyxo.exe" OK

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\qybec.exe

"C:\Users\Admin\AppData\Local\Temp\qybec.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2516-0-0x0000000000400000-0x0000000000467000-memory.dmp

\Users\Admin\AppData\Local\Temp\ryhog.exe

MD5 0ee32d8dc146d80a49836770496ff76b
SHA1 f0aa123fbc5f709a7f3193713946ed2ae7678657
SHA256 e1e30e4f7fd18010b8ccc9149e6fcc032f3a38deb74db5edfdbdea8232bed5e4
SHA512 88b06ac427be3282722e122a2c2ab3b1002464c8ad09ac5a09a12bc1b60fa19ad7eb9e02aa69a3b6e31eabd8d52dbe57dec11e5335e56e196519ff3db4e7da5d

memory/2516-6-0x0000000002A80000-0x0000000002AE7000-memory.dmp

memory/1444-14-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 4991d24d0386b324f00e042b34baadfe
SHA1 88c784ed53eb096db07c2039c29c52b162c39e25
SHA256 5cb380a34e0f07c2bee25c36b6dca1ca210445ccaf211b6366c9a504993d70ef
SHA512 91cc59abfc0a209163e7bdd6ae0159f2c221eb97abdff9226be1c87060939911e521857ad2b25607861854902ae36883b6e8896c46ac24b71c94680711e7ecf8

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 a8d7a443f1be5c44bef74a95b672b5be
SHA1 c1050d9c1f98340067f006bd10a602afab764dc4
SHA256 b54c4797d66e938a2e5d879f530f3cff722a2a58e4612bac080523901604b7f5
SHA512 b68fd3871bfb4ec4ff19955c720a04827f1e2bc6aa4cd7f516698cd96d3b0c61335a36f1485c6f921fea9a14a2001d81c85a1cbd994b0a5241e614654f56696a

\Users\Admin\AppData\Local\Temp\dukyxo.exe

MD5 4e63c36aa90bdbf56d1e506209e4bc90
SHA1 861ca429a5388f3b79c6860bdf87b46ea138234e
SHA256 fc38ee6a427079f3826b7541b099f6febe2c18a484d189d88d2b4e683b73c240
SHA512 46138c3bc27cee452c5876f7dcff876fe3b011f709aa388bc25992acbf53bec3cff123d37e62e224a5e166f1805bb081b57be83e30c34ff020809c9eaea1b95c

memory/1444-31-0x0000000000400000-0x0000000000467000-memory.dmp

memory/3048-34-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2516-32-0x0000000000400000-0x0000000000467000-memory.dmp

\Users\Admin\AppData\Local\Temp\qybec.exe

MD5 002f96dcf32bc776c1d6dbd1cfddda25
SHA1 a68a411f0ddce983ddefa1b987bf3ed246708e62
SHA256 689b1cfe4b0c0dc5e2892b87787cceea849866156326a27404da60771b1d117e
SHA512 dec6a633eaee65c6c825fc54dd9d844031f71b617f59174bc95cb93a8dc56d5741ec22a3cdedc2ba5edc599d5dbb4169f3e359019dae7e0ac2e443b92a373f6b

memory/3048-41-0x00000000030F0000-0x0000000003190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 aee26ab7930b0e80abedb391c1843ddd
SHA1 b4e2dc00cec70ad70e6723ff98fe060f3efec3a9
SHA256 4f0434034c209bf34dd11590351730af663cb01b015f9c7d830d5942b7863298
SHA512 5d5f319e72ac444a323bb7837944ad35aeace669592b47ca69082dc814d02aab111b1e5dedcbdbc738d3611960d9591c09b47fe85a3b9a9a3cb2ccfb6b03c8cc

memory/1912-52-0x00000000000D0000-0x0000000000170000-memory.dmp

memory/3048-53-0x0000000000400000-0x0000000000467000-memory.dmp

memory/1912-56-0x00000000000D0000-0x0000000000170000-memory.dmp

memory/1912-57-0x00000000000D0000-0x0000000000170000-memory.dmp

memory/1912-58-0x00000000000D0000-0x0000000000170000-memory.dmp

memory/1912-59-0x00000000000D0000-0x0000000000170000-memory.dmp

memory/1912-60-0x00000000000D0000-0x0000000000170000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 23:39

Reported

2024-08-13 23:42

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vobui.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ifzabi.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vobui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ifzabi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zapob.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vobui.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ifzabi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zapob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zapob.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe C:\Users\Admin\AppData\Local\Temp\vobui.exe (3 identical rows)
PID 4048 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 2756 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\vobui.exe C:\Users\Admin\AppData\Local\Temp\ifzabi.exe (3 identical rows)
PID 3484 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\ifzabi.exe C:\Users\Admin\AppData\Local\Temp\zapob.exe (3 identical rows)
PID 3484 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\ifzabi.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe

"C:\Users\Admin\AppData\Local\Temp\b6e7489abeb6090df3b2e5b577eb12225173899a86e73d5cda954c7d91832564.exe"

C:\Users\Admin\AppData\Local\Temp\vobui.exe

"C:\Users\Admin\AppData\Local\Temp\vobui.exe" hi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\ifzabi.exe

"C:\Users\Admin\AppData\Local\Temp\ifzabi.exe" OK

C:\Users\Admin\AppData\Local\Temp\zapob.exe

"C:\Users\Admin\AppData\Local\Temp\zapob.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/4048-0-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vobui.exe

MD5 98631abd049e0d96dd0cd68c0bec5bbe
SHA1 084cdca63c2dfca7147bf989849759ce98d08378
SHA256 a2b6e8e1e32ff316fd9065c7d1983ea9e9e37a4a0d60186843bee09c710b6660
SHA512 3ade4724eb644a062ef7006735dab9b024fd7224d7dc1f1949e270018537d219229e65f8d515ea3966b0a283c7f85bc03d35c82ab7285a34655f4859121cfa24

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b0d44b54b69b2b11d1cb11e20017855e
SHA1 949138da3e683962e5fee2e3aeb8689a15f329af
SHA256 1589b6feb9abe20b9e7efcbc65f0bddfdfb0b01ed35550e79ad2b004c6c0d9a9
SHA512 2769339bbb93b0707741e810c7f71bf71f70ad7b3c9a040e3873ca0e55b033fbfce874d36060dcc7c5d04e50308374d9af349bc7856ccdae3ef63ca8a485b739

memory/2756-9-0x0000000000400000-0x0000000000467000-memory.dmp

memory/4048-16-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 a8d7a443f1be5c44bef74a95b672b5be
SHA1 c1050d9c1f98340067f006bd10a602afab764dc4
SHA256 b54c4797d66e938a2e5d879f530f3cff722a2a58e4612bac080523901604b7f5
SHA512 b68fd3871bfb4ec4ff19955c720a04827f1e2bc6aa4cd7f516698cd96d3b0c61335a36f1485c6f921fea9a14a2001d81c85a1cbd994b0a5241e614654f56696a

C:\Users\Admin\AppData\Local\Temp\ifzabi.exe

MD5 6f65efbd41d5ae8049ee7abfe52a6b6b
SHA1 1a5087ffdee8c9f97c4c2bf49444befe7e8f7337
SHA256 fc3ac136ba3cb5631f048f9f3d1d7656f8e19b21ff015492a9df3dfd00456d3f
SHA512 b6241ccbaaaebd52c59cc645cdb632dc6295d62c5275fe53cffaf92f592aa4caae974239c610e5618317b8bc7fbe74ac80835394cbf4a4ff42e55b0e152f2f47

memory/2756-25-0x0000000000400000-0x0000000000467000-memory.dmp

memory/3484-26-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zapob.exe

MD5 c64112b16fd26ad5ebee584cbe41dc3f
SHA1 d5cbff9d4699b27dbce15715d1fe507ab5faefbe
SHA256 af8e187652e2c0e42e0ff7fa6373e9bc236396659285cac624afc4675cb4e0ad
SHA512 45245ee08859ddebf95b65372faa57adc7bf07ff08f5c8990f9d97630556dbd3c417393b76669a5328aee7af8ce20aa3c6886e1b00f111c164d0289ce1872105

memory/1804-38-0x0000000000A20000-0x0000000000AC0000-memory.dmp

memory/3484-39-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 9d1ce865ac5a4ee8818bdf90db1e4331
SHA1 9f2cf508b22b4ff9a9a6a4b4f56c40e82be17d80
SHA256 938aa119df4f7ad6bfc262d3b4465b46c2b33f9e70175ea90ebc344be982eadc
SHA512 1d8c1a05385613efd665535f6901a1c0c390117f65577b2e0227853e09e63d3a699905331de97da3172da27c1e357f9cf3404e7ab49aa4b74f9f9c5d87b68f7a

memory/1804-42-0x0000000000A20000-0x0000000000AC0000-memory.dmp

memory/1804-43-0x0000000000A20000-0x0000000000AC0000-memory.dmp

memory/1804-44-0x0000000000A20000-0x0000000000AC0000-memory.dmp

memory/1804-45-0x0000000000A20000-0x0000000000AC0000-memory.dmp

memory/1804-46-0x0000000000A20000-0x0000000000AC0000-memory.dmp