Analysis Overview
SHA256
3cde4e6bc6f624bad6c5052ad05aa52b1f24f9caa4b4caa4cb199cb5d53ea50b
Threat Level: Known bad
The file 2bae3621036367862bae56fcf2cdb8f0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 05:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 05:40
Reported
2024-08-13 05:42
Platform
win7-20240705-en
Max time kernel
120s
Max time network
90s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yconm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jolox.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bae3621036367862bae56fcf2cdb8f0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yconm.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jolox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bae3621036367862bae56fcf2cdb8f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yconm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bae3621036367862bae56fcf2cdb8f0N.exe
"C:\Users\Admin\AppData\Local\Temp\2bae3621036367862bae56fcf2cdb8f0N.exe"
C:\Users\Admin\AppData\Local\Temp\yconm.exe
"C:\Users\Admin\AppData\Local\Temp\yconm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\jolox.exe
"C:\Users\Admin\AppData\Local\Temp\jolox.exe"
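The sandbox lists the four processes flat, without parent/child links. The chain that matters for detection is a Temp-resident executable launching further Temp-resident executables ("Executes dropped EXE") and running cmd.exe on a batch file in the same directory ("Deletes itself", attributed above to cmd.exe via _uinsey.bat). The following is an added example written for this page, not sandbox output: it encodes those two behaviours as rules over process-creation events. The PIDs, the parent/child links and the benign control events in the sample are constructed assumptions; the image paths and command lines are the ones shown above.

```python
"""Process-tree heuristic for the dropper chain in this report (added example, not sandbox code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Windows user Temp directory, the drop location of every payload in this report.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# cmd.exe invoked as `cmd /c ""<Temp>\<name>.bat" "`; matches both the Win7 and the Win10 command lines here.
TEMP_BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*[^"]*\\temp\\[^"]*\.bat"', re.IGNORECASE)


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 style: image path plus parent pid)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP_RE.match(path))


def find_dropper_chains(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule, parent_image, child) for every parent/child pair that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None or not in_user_temp(parent.image):
            continue  # both rules require a Temp-resident parent
        child_image = child.image.lower()
        # Rule 1 ("Executes dropped EXE"): Temp-resident exe launches another Temp-resident exe.
        if in_user_temp(child.image) and child_image.endswith(".exe"):
            findings.append(("dropped_exe", parent.image, child.image))
        # Rule 2 ("Deletes itself"): Temp-resident exe runs cmd.exe /c on a .bat that also lives in Temp.
        if child_image.endswith("\\cmd.exe") and TEMP_BAT_RE.search(child.cmdline):
            findings.append(("temp_bat_via_cmd", parent.image, child.cmdline))
    return findings


# Constructed sample modelled on the behavioral1 process list. PIDs and the parent/child links are
# assumptions (the report shows no tree); the last two events are a constructed benign control.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1001, 900, T + r"\2bae3621036367862bae56fcf2cdb8f0N.exe",
              '"' + T + r'\2bae3621036367862bae56fcf2cdb8f0N.exe"'),
    ProcEvent(1002, 1001, T + r"\yconm.exe", '"' + T + r'\yconm.exe"'),
    ProcEvent(1003, 1001, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + T + r'\_uinsey.bat" "'),
    ProcEvent(1004, 1002, T + r"\jolox.exe", '"' + T + r'\jolox.exe"'),
    # Benign control: installers also run from Temp, but their batch files are not dropped into Temp.
    ProcEvent(1005, 900, T + r"\VendorSetup.exe", '"' + T + r'\VendorSetup.exe"'),
    ProcEvent(1006, 1005, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Program Files\Vendor\post.bat"'),
]

if __name__ == "__main__":
    for rule, parent, child in find_dropper_chains(SAMPLE_EVENTS):
        print(f"{rule:18} {parent} -> {child}")
```

Both rules are triage heuristics, not a verdict: legitimate installers unpack into Temp and spawn child executables, so in production the rule output should be joined with the file hashes listed under Files and the network endpoints under Network before raising an alert.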
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11120 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
| JP | 133.242.129.155:11120 | | tcp |
Files
memory/2136-0-0x0000000000400000-0x000000000048B000-memory.dmp
\Users\Admin\AppData\Local\Temp\yconm.exe
| MD5 | 4c4d41c4ca14b32ae0ee779d440e3346 |
| SHA1 | 2f6188f5963f4205b07c67caa50c62e45b30f112 |
| SHA256 | 693d8943fb4ff4d65e2e06c126abfc2b9321f30450aadc30fa607f0715481c1e |
| SHA512 | c0f4d7d76e9ce839879f720c49f3291deef3a3d49009e3b381727a33d39285a61b404a8b4879246e14affc143e791f9de21c68a13e1d4f100ba70cb7f168f56d |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 488a9264f65a8d2fbf14c6636119ec74 |
| SHA1 | 6c053eb9e56bdd6d4dcd0ddcf7f6303ac88401ae |
| SHA256 | ad5f79c55c968b5b39fb3447e357099a25c978cb00e90b4c1a9a1b6b6c96b8fa |
| SHA512 | 7202083004a27f2ebdc2ed0b7f10e232c600a23c30a5f31b1c285008e93217fa702337627b0339bd008bf3817f339cefedf89981a31c87b0d4cd5de4e6b17e52 |
memory/2952-19-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2136-18-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2136-16-0x00000000025C0000-0x000000000264B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 6f18b71333731411093cb296b18f35b0 |
| SHA1 | 3a82cf8b766a1143e6eea8394a1f28c907b67b97 |
| SHA256 | dec817b58fc411218b6f2d632f2289dffcf587e8c745616b19c5cde019d35349 |
| SHA512 | 5ae0d6cf23051af87524f9548a6eaf64e6ce5352d5144f98ba6ab4c4558618a678c49ccdd83968940079d8fe38980441e60a9eda485612a05e2174e6985f1e10 |
memory/2952-22-0x0000000000400000-0x000000000048B000-memory.dmp
\Users\Admin\AppData\Local\Temp\jolox.exe
| MD5 | 09a30b3ae1c177bb13d2c99239efa870 |
| SHA1 | 42ed3daf4a11f3886ecfe41039075be7e468f232 |
| SHA256 | cef586fa44af79d04b58b5092901d81194c1ccd99d99dfd94525c053d4a2a2ad |
| SHA512 | 94841dc5b67e240b34e6eeafe07911f387a6df97d5af77ff0fb5d6268e4cfafc8b300491f12d691c034b3e99362b33b719eac6cbd542d0ec7325331b61377525 |
memory/2952-37-0x0000000002790000-0x000000000284B000-memory.dmp
memory/1656-40-0x0000000000A30000-0x0000000000AEB000-memory.dmp
memory/2952-39-0x0000000000400000-0x000000000048B000-memory.dmp
memory/1656-42-0x0000000000A30000-0x0000000000AEB000-memory.dmp
memory/1656-43-0x0000000000A30000-0x0000000000AEB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 05:40
Reported
2024-08-13 05:42
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
103s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2bae3621036367862bae56fcf2cdb8f0N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yrniy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yrniy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\muwyy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bae3621036367862bae56fcf2cdb8f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yrniy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\muwyy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bae3621036367862bae56fcf2cdb8f0N.exe
"C:\Users\Admin\AppData\Local\Temp\2bae3621036367862bae56fcf2cdb8f0N.exe"
C:\Users\Admin\AppData\Local\Temp\yrniy.exe
"C:\Users\Admin\AppData\Local\Temp\yrniy.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\muwyy.exe
"C:\Users\Admin\AppData\Local\Temp\muwyy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| KR | 218.54.31.226:11120 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.30.235:11120 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| JP | 133.242.129.155:11120 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
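The Windows 7 run (behavioral1) contacted only four TCP endpoints, all in KR or JP on ports 11120 and 11170. The Windows 10 run above shows the same four plus resolver traffic to 8.8.8.8 and Bing connections; treating the Bing traffic as background activity of the sandbox image rather than the sample's is an assumption of this added example, which is editor-written and not sandbox output. The code transcribes the two Network tables, strips the resolver and background rows, keeps the endpoints corroborated by both detonations, builds a destination-port histogram (the IPs of a C2 set rotate more often than its ports), and decodes the PTR query names to check whether any reverse lookup was for a C2 address (none was).

```python
"""Triage of the two Network tables in this report (added example, not sandbox code)."""
from collections import Counter
from typing import List, Tuple

Row = Tuple[str, str, str, str]  # (country, "ip:port", domain, proto), the report's column order

# Transcribed from the behavioral1 (Windows 7) Network table.
BEHAVIORAL1: List[Row] = [
    ("KR", "218.54.31.226:11120", "", "tcp"),
    ("KR", "1.234.83.146:11170", "", "tcp"),
    ("KR", "218.54.30.235:11120", "", "tcp"),
    ("JP", "133.242.129.155:11120", "", "tcp"),
]
# Transcribed from the behavioral2 (Windows 10) Network table; repeated identical rows collapsed.
BEHAVIORAL2: List[Row] = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "13.107.21.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "20.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "101.58.20.217.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "237.21.107.13.in-addr.arpa", "udp"),
    ("KR", "218.54.31.226:11120", "", "tcp"),
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("KR", "1.234.83.146:11170", "", "tcp"),
    ("US", "8.8.8.8:53", "86.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "147.142.123.92.in-addr.arpa", "udp"),
    ("KR", "218.54.30.235:11120", "", "tcp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("JP", "133.242.129.155:11120", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
]

RESOLVER = "8.8.8.8"
# Assumption: Bing traffic is the Windows 10 image's own background activity, not the sample's.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def split_dest(dest: str) -> Tuple[str, int]:
    host, port = dest.rsplit(":", 1)
    return host, int(port)


def classify(row: Row) -> str:
    _, dest, domain, _ = row
    host, port = split_dest(dest)
    if host == RESOLVER and port == 53:
        return "dns"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "candidate_c2"


def candidate_c2(rows: List[Row]) -> List[Tuple[str, int, str]]:
    """Distinct (ip, port, proto) endpoints left after removing resolver and background traffic."""
    return sorted({split_dest(r[1]) + (r[3],) for r in rows if classify(r) == "candidate_c2"})


def corroborated(a: List[Row], b: List[Row]) -> List[Tuple[str, int, str]]:
    """Endpoints contacted in both detonations: the IOCs to block first."""
    return sorted(set(candidate_c2(a)) & set(candidate_c2(b)))


def c2_ports(rows: List[Row]) -> Counter:
    """Destination-port histogram of the candidate C2 traffic."""
    return Counter(port for _, port, _ in candidate_c2(rows))


def ptr_to_ip(name: str) -> str:
    """Turn '217.106.137.52.in-addr.arpa' back into '52.137.106.217'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def reverse_looked_up(rows: List[Row]) -> List[str]:
    """IPs the host issued PTR queries for; compared against the C2 set to test whether they are related."""
    return sorted(ptr_to_ip(r[2]) for r in rows if r[2].endswith(".in-addr.arpa"))


if __name__ == "__main__":
    ioc = corroborated(BEHAVIORAL1, BEHAVIORAL2)
    print("corroborated C2:", ioc)
    print("ports:", c2_ports(BEHAVIORAL2))
    print("PTR targets that are C2 IPs:", {ip for ip, _, _ in ioc} & set(reverse_looked_up(BEHAVIORAL2)))
```

For a network block list, the corroborated endpoints are the safe minimum; a port-based rule for outbound TCP to 11120 and 11170 from user-writable paths covers the case where the operator moves the listeners to new addresses, at the cost of needing a baseline of what else in the environment uses those ports.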
Files
memory/1432-0-0x0000000000400000-0x000000000048B000-memory.dmp
memory/1432-1-0x000000000047E000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yrniy.exe
| MD5 | e0b675af6f2d372bbfb4094e67a4c652 |
| SHA1 | da99a63133ea9770c2c2b72e30d696882c0ce8de |
| SHA256 | 6a7d8ddb7144645614e2bad41f0f0d3d6910b7f0d1f55b49b946fab29ec1b52d |
| SHA512 | cd3f78753e455dfec28d60eaa6e99d73cf511d69287c0ebdc289098f712400a96af654ea338b4b2e9d36f0eb7cd6738a8df40b58ed01b95f049e640dbbb38e34 |
memory/2596-14-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2596-15-0x0000000000400000-0x000000000048B000-memory.dmp
memory/1432-17-0x0000000000400000-0x000000000048B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 488a9264f65a8d2fbf14c6636119ec74 |
| SHA1 | 6c053eb9e56bdd6d4dcd0ddcf7f6303ac88401ae |
| SHA256 | ad5f79c55c968b5b39fb3447e357099a25c978cb00e90b4c1a9a1b6b6c96b8fa |
| SHA512 | 7202083004a27f2ebdc2ed0b7f10e232c600a23c30a5f31b1c285008e93217fa702337627b0339bd008bf3817f339cefedf89981a31c87b0d4cd5de4e6b17e52 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 560e1c9ced8f680295eb804d467e1325 |
| SHA1 | 2f2a9cd8da047612a09cec7c4802449dfc377af6 |
| SHA256 | ad2d77508ea15f1b1e09e7c927d7735c95160cb8d59b1ed46c000461ff0ca4f9 |
| SHA512 | a04f824c550f8de9bfcf8f5b32b7b7e57c83e59c16a23989e9be2036bfd23ccec2f906dc82fdda186e79befa98f64632c308dc1c6a523265e3daddea7140e3ba |
memory/2596-20-0x0000000000400000-0x000000000048B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\muwyy.exe
| MD5 | ccb849f77e3ad4b4e6f8014d6e191dd1 |
| SHA1 | 8eb742704e9263e9436e7cf63086ea1e13b4cac2 |
| SHA256 | 48a7545758d37c9271b7e3b22451f4ffc5d4686abd7045fa8853361caad19e20 |
| SHA512 | 5e14b62a0efc31a0af8fd5bfb1e03ddc11b41d8b2419a3d0262e92089228cdf0a3be7ab8036b7bd70879bcb0f506e3848558e7239aea2b71fc6baf667d874c8e |
memory/2596-39-0x0000000000400000-0x000000000048B000-memory.dmp
memory/4104-38-0x0000000000F90000-0x000000000104B000-memory.dmp
memory/4104-40-0x0000000000EB0000-0x0000000000EB2000-memory.dmp
memory/4104-42-0x0000000000F90000-0x000000000104B000-memory.dmp
memory/4104-43-0x0000000000F90000-0x000000000104B000-memory.dmp
memory/4104-44-0x0000000000EB0000-0x0000000000EB2000-memory.dmp