Analysis Overview
| SHA256 | fb465eb7828252f6df2b0f8529b1a4b0e8d3c93b1bef9ed7189b79e26cf08745 |
Threat Level: Known bad
The file 753701a19cbb3f6188c8256f16a9a3b0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
UPX packed file
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-08-13 02:33 |
Signatures
Urelas family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-08-13 02:33 |
| Reported | 2024-08-13 02:35 |
| Platform | win7-20240704-en |
| Max time kernel | 120s |
| Max time network | 121s |
| Command Line | |
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qiliy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dyylu.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\753701a19cbb3f6188c8256f16a9a3b0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qiliy.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dyylu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\753701a19cbb3f6188c8256f16a9a3b0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qiliy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\753701a19cbb3f6188c8256f16a9a3b0N.exe | "C:\Users\Admin\AppData\Local\Temp\753701a19cbb3f6188c8256f16a9a3b0N.exe" |
| C:\Users\Admin\AppData\Local\Temp\qiliy.exe | "C:\Users\Admin\AppData\Local\Temp\qiliy.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" " |
| C:\Users\Admin\AppData\Local\Temp\dyylu.exe | "C:\Users\Admin\AppData\Local\Temp\dyylu.exe" |
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
Files
memory/2288-0-0x0000000000E20000-0x0000000000EC5000-memory.dmp
\Users\Admin\AppData\Local\Temp\qiliy.exe
| MD5 | 380d04206ad15a761b5f6283fc182dc1 |
| SHA1 | c977c9033afbcb1f4890d70424f30fd1dc390798 |
| SHA256 | 60c3323a70beabafea25697de2e8c2540570fff2a80900ca5b294a8ee348f2f9 |
| SHA512 | 3e7d3e1cfc84746c4fd21681e3ba5701d28ce9bf315c5c1a7ac762a161dcb75de458e5a3954bca3e925cb9c5a8ffa335e36ae7fa796f9bae5d429c68842df59b |
memory/2288-8-0x00000000022D0000-0x0000000002375000-memory.dmp
memory/2812-10-0x00000000009C0000-0x0000000000A65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| MD5 | 873d511139dc53df338b4218156d1ae2 |
| SHA1 | 6d4ae0bc8c4b7bc3cbfaac32d0bfec7d9132e061 |
| SHA256 | c023442a8d8f2dd6fe3cce67e9e6c148538155f6713c8dc2cce23e6c4a265b72 |
| SHA512 | 75d81b920e90d1d6fec7cb97d519ffe50e11eb391070724a9fb717e6c90d08ba5c84ac2fdf2bbcd2681972c94bccf0c1f4a10070262d139e954f1e71d8400e59 |
memory/2288-18-0x0000000000E20000-0x0000000000EC5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8204c253c425c6218fa3f3951b5e2682 |
| SHA1 | dfbb100514b9ae2c4299d5285ae93d12f2d1ef6c |
| SHA256 | e6ba41f41c72d30c77eb098853ef52ad626408a11c531fbd8fc6fcb6628cc094 |
| SHA512 | f85eea3f89ecde33c2be4cbb15991c3a78c312b8075f6aac94b6317a85f7b1ab615f0e75d0517d4cb189ae165787637f52caa0ec51c45c3f269321aeb40dbd0d |
memory/2812-21-0x00000000009C0000-0x0000000000A65000-memory.dmp
\Users\Admin\AppData\Local\Temp\dyylu.exe
| MD5 | f338c3e685323e2b324fcd8488e8210e |
| SHA1 | 123e98b76ea817196678d2a2e9393f813e348c6f |
| SHA256 | 078e104c2fd30dc3fd2787ad700c6be8737dbb334c63971de478d04459ddb433 |
| SHA512 | 1dedbb57df27d1bb2d956382f90c9af84e1a876addd376948d9d5d9ec58f53be5dc92d68cf27621484f34625f0eff5ba9c3555c250c6f79e26b17942173b8591 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-08-13 02:33 |
| Reported | 2024-08-13 02:35 |
| Platform | win10v2004-20240802-en |
| Max time kernel | 119s |
| Max time network | 120s |
| Command Line | |
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\753701a19cbb3f6188c8256f16a9a3b0N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bugeu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bugeu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zoduc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bugeu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zoduc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\753701a19cbb3f6188c8256f16a9a3b0N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\753701a19cbb3f6188c8256f16a9a3b0N.exe | "C:\Users\Admin\AppData\Local\Temp\753701a19cbb3f6188c8256f16a9a3b0N.exe" |
| C:\Users\Admin\AppData\Local\Temp\bugeu.exe | "C:\Users\Admin\AppData\Local\Temp\bugeu.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" " |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8 |
| C:\Users\Admin\AppData\Local\Temp\zoduc.exe | "C:\Users\Admin\AppData\Local\Temp\zoduc.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| KR | 218.54.30.235:11120 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/228-0-0x0000000000190000-0x0000000000235000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bugeu.exe
| MD5 | 964f88dd23069a01a452069149895321 |
| SHA1 | d1df4b6b85959ac68cdaac0140b40af2eebb975e |
| SHA256 | 68e41520adf1d1a18a017a9a656058966d44062c38694bb13b08715e14a825f8 |
| SHA512 | 9add65b778559e3006aba3b786f701ff6457efc7edc79aa6d8cf39404678040c1804a642a7ac3bc58a1c1ff68aca3c3330438e5f9c04c7a91676f80e992a19b8 |
memory/3352-13-0x00000000006C0000-0x0000000000765000-memory.dmp
memory/228-14-0x0000000000190000-0x0000000000235000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| MD5 | 873d511139dc53df338b4218156d1ae2 |
| SHA1 | 6d4ae0bc8c4b7bc3cbfaac32d0bfec7d9132e061 |
| SHA256 | c023442a8d8f2dd6fe3cce67e9e6c148538155f6713c8dc2cce23e6c4a265b72 |
| SHA512 | 75d81b920e90d1d6fec7cb97d519ffe50e11eb391070724a9fb717e6c90d08ba5c84ac2fdf2bbcd2681972c94bccf0c1f4a10070262d139e954f1e71d8400e59 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 77c300cbebbbe3f9b8486c671fbdd1ef |
| SHA1 | 327652c98690bb21606239dbd43be0d00bd4d844 |
| SHA256 | 7e6b9302425aa2f6b087ee30c2d7ddd1336aed66367c61ed1ab28542206611c1 |
| SHA512 | 7283ce53348a1ce071b42ac0b019fc33101d6249f4a20e2ab0ec1e5f5cc004a2ae82d134454e8aa409692391eced484d257f99ae241c1978d3c9cbb24e22d724 |
memory/3352-17-0x00000000006C0000-0x0000000000765000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zoduc.exe
| MD5 | 96f972eadebe7148c1f8054239edd53f |
| SHA1 | 4dc282635aca0d9f258020ad1e12d03647ba4adc |
| SHA256 | 7f8d848e358aefda6627bc97f45ee2154baf276b4eafe7e0eb1a00c5c56a72aa |
| SHA512 | f78a9a02a6ecfc5b7c46efc6618ff955c9b8c16227cbb4ef998083bcfa174db5f11ae88ad5bc4446ec1dd98562bcfc323a5d9809bd41c2fd27716483af6163eb |