Analysis Overview
SHA256
456c0704aa62d7190badc3716cdbdf8174874deeaa48a29f4cc954ff0c96677f
Threat Level: Known bad
The file 14a6f83b336fbc8b254543349cea5f30N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
ASPack v2.12-2.42
Checks computer location settings
Deletes itself
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 07:01
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 07:01
Reported
2024-08-13 07:03
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
102s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sirub.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sirub.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\saceo.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sirub.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\saceo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe
"C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe"
C:\Users\Admin\AppData\Local\Temp\sirub.exe
"C:\Users\Admin\AppData\Local\Temp\sirub.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\saceo.exe
"C:\Users\Admin\AppData\Local\Temp\saceo.exe"
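The process tree above shows the chain behind the "Deletes itself" signature: a binary running out of the user's Temp directory launches cmd.exe with `/c` on a .bat that sits in the same directory, written with the doubled quotes `""...bat" "`. The block below is an added example, not part of this report, that flags that chain in a list of process-creation events. The events are constructed from the command lines listed above; PIDs 1536, 5104 and 4288 are taken from the memory-dump names in this report, while the cmd.exe PID, the parent links and the event field names are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Process-creation events constructed from the process tree listed above.
# PIDs 1536, 5104 and 4288 come from the memory-dump names in this report; the
# cmd.exe PID, the PPID links and the field names are assumptions for the example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe"
EVENTS = [
    {"pid": 1536, "ppid": 900, "image": SAMPLE, "command_line": f'"{SAMPLE}"'},
    {"pid": 5104, "ppid": 1536,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sirub.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\sirub.exe"'},
    {"pid": 4100, "ppid": 1536,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"pid": 4288, "ppid": 5104,
     "image": r"C:\Users\Admin\AppData\Local\Temp\saceo.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\saceo.exe"'},
]

# "/c" followed by any number of quotes, then a drive-letter path ending in .bat.
# The doubled quotes in  cmd /c ""C:\...\x.bat" "  are the form seen in this report.
BATCH_ARG = re.compile(r'/c\s+"*(?P<bat>[A-Za-z]:\\[^"]+?\.bat)"?', re.IGNORECASE)


def batch_from_cmdline(command_line: str):
    """Return the .bat path passed to cmd /c, or None if there is none."""
    m = BATCH_ARG.search(command_line)
    return m.group("bat") if m else None


def in_user_writable_dir(path: str) -> bool:
    """Heuristic (assumption for the example): anything under AppData or a Temp directory."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return "appdata" in parts or "temp" in parts


def flag_self_delete_chains(events):
    """Flag cmd.exe children whose parent runs from a user-writable directory and
    whose /c argument is a .bat in that same directory, as in the tree above."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "cmd.exe":
            continue
        bat = batch_from_cmdline(e["command_line"])
        parent = by_pid.get(e["ppid"])
        if bat is None or parent is None or not in_user_writable_dir(parent["image"]):
            continue
        # PureWindowsPath compares case-insensitively, matching NTFS semantics.
        if PureWindowsPath(bat).parent == PureWindowsPath(parent["image"]).parent:
            hits.append({"cmd_pid": e["pid"], "parent": parent["image"], "batch": bat})
    return hits


if __name__ == "__main__":
    for hit in flag_self_delete_chains(EVENTS):
        print(f"pid {hit['cmd_pid']}: {hit['parent']} -> {hit['batch']}")
```

The directory match is the part that keeps this narrow: a batch file in Temp launched by a process in Temp is the self-deletion shape, whereas the same cmd.exe command line under a parent such as explorer.exe is not flagged.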
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
memory/1536-0-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sirub.exe
| MD5 | 54861a6e2cdab9a5b2cc1b7ae688c248 |
| SHA1 | 813c7a087a721cfa0ce4b6c41cf448a19ce06849 |
| SHA256 | 9c51d5a91a7acd34fcadb94823f70fa080d99a0535cea66c750b845a434ca3f9 |
| SHA512 | a50303d6b4494d9e07cb4a8b1fe49ac25556b5c3d30b47a6402e80ac2869405b9f3eef271091692bd9312f8dd321d4a68ecbb00a4c34eede116845415c9b0de5 |
memory/1536-13-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | f1b753fe3ad15a1ae399c1777c46084f |
| SHA1 | 596539fe428acb2bacbf8e6b0e2847cdda422404 |
| SHA256 | e82653e9f647fe2b0fc7519f2dba359df2a25f623dbc1f0c5b1ed891b998875d |
| SHA512 | cd78c315d10e7d23977736cf6006f0d2a141b5febf66478c44be1db7ee1cb66be17c3318342234ce296264119f3e80259ac906e7914b8cfadad986800088dfba |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 885b9d96550e8fd9851081c32fa3da1b |
| SHA1 | 8e86cfc8757f5c5188e287d9b8eeceab4662cac2 |
| SHA256 | 37d1816f5b142fe3c994dec04e020a437ed80489e3a1a8a14de9b3400f4da575 |
| SHA512 | fc85a9fec53ee129e6b773753951293e1f91b116749507643efe88df43bac10a5b345c596f82628ae462ec2702bdf146d22764b86822367cfa55bf3967007db2 |
C:\Users\Admin\AppData\Local\Temp\saceo.exe
| MD5 | 5979bb194cd58f555bbb0495d8853e80 |
| SHA1 | 69da707be4c812c6eddc461a4b58a7938688f83e |
| SHA256 | cdbddad5914ddbdac67846579bf53137fd61af422807f5cf4f407310c35fbee9 |
| SHA512 | 22ed6d0314b47d4861527c01486bb842b6f56322f05dd4d8ba6310f4b497c6852cc788ce7980a8eef5b064a852d6449579c86adcdf3c22ea5ad9c559d8813df2 |
memory/5104-23-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4288-24-0x0000000000C70000-0x0000000000D04000-memory.dmp
memory/4288-28-0x0000000000C70000-0x0000000000D04000-memory.dmp
memory/4288-27-0x0000000000C70000-0x0000000000D04000-memory.dmp
memory/4288-26-0x0000000000C70000-0x0000000000D04000-memory.dmp
memory/4288-30-0x0000000000C70000-0x0000000000D04000-memory.dmp
memory/4288-31-0x0000000000C70000-0x0000000000D04000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 07:01
Reported
2024-08-13 07:03
Platform
win7-20240729-en
Max time kernel
120s
Max time network
77s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ciost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zeguz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ciost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ciost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zeguz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe
"C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe"
C:\Users\Admin\AppData\Local\Temp\ciost.exe
"C:\Users\Admin\AppData\Local\Temp\ciost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\zeguz.exe
"C:\Users\Admin\AppData\Local\Temp\zeguz.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2716-0-0x0000000000400000-0x0000000000465000-memory.dmp
\Users\Admin\AppData\Local\Temp\ciost.exe
| MD5 | 6e67a0a269c5879bdbce8799211213bc |
| SHA1 | 7b98a8aab23eae3896bcebb3671db25adcc16e73 |
| SHA256 | db1ff98205b2c026f80dcecf6a652771ab830578416c4453cbd14488b9f21821 |
| SHA512 | 17c075b7f67f6334dec4cbecd788dac2522b884cb0ac799b28c19710bdae5fd344fe17263ad7f4986718daa9365a7ca59cae81e29429c454fb933a3a67468423 |
memory/2716-12-0x00000000024A0000-0x0000000002505000-memory.dmp
memory/2716-11-0x00000000024A0000-0x0000000002505000-memory.dmp
memory/2640-14-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | f1b753fe3ad15a1ae399c1777c46084f |
| SHA1 | 596539fe428acb2bacbf8e6b0e2847cdda422404 |
| SHA256 | e82653e9f647fe2b0fc7519f2dba359df2a25f623dbc1f0c5b1ed891b998875d |
| SHA512 | cd78c315d10e7d23977736cf6006f0d2a141b5febf66478c44be1db7ee1cb66be17c3318342234ce296264119f3e80259ac906e7914b8cfadad986800088dfba |
memory/2716-22-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 11a867df8d83e32947642091c41196fd |
| SHA1 | 77fde987152e326c649b1138297e17691b98c415 |
| SHA256 | a3fb9376ddd7cd6c8fe5505eb3e27afe0bbe28a35ee1d3e7cf07ee644941661f |
| SHA512 | b1549c41cb15edcd30e477a88401ef1dea66d693a20728e47d2107b09f473d7cdcedf1165918b66cd7e50ef35d9bfa370b3a896e4d8ad7ce26032fed10358044 |
C:\Users\Admin\AppData\Local\Temp\zeguz.exe
| MD5 | 5ebf44f1f44448fd06ed94a7ca8128ed |
| SHA1 | c5ad46677ef1e28746c373f879fb3b2a78cb1380 |
| SHA256 | 704900679a2f1b7999c62c703bf1c35d9d8a3237e14d422e4c8b6fcecb341121 |
| SHA512 | d4dd6f9941834b4e55ec57b1551cbccb5fcbb22d9106c10db4cb9ba69ce80ba4be36f1632bdd21059d716ff1d784b1304164f1632e8f21f0dfb16e0dc50527bc |
memory/2640-32-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2640-30-0x0000000003300000-0x0000000003394000-memory.dmp
memory/1984-33-0x0000000000E20000-0x0000000000EB4000-memory.dmp
memory/1984-34-0x0000000000E20000-0x0000000000EB4000-memory.dmp
memory/1984-36-0x0000000000E20000-0x0000000000EB4000-memory.dmp
memory/1984-35-0x0000000000E20000-0x0000000000EB4000-memory.dmp
memory/1984-39-0x0000000000E20000-0x0000000000EB4000-memory.dmp
memory/1984-40-0x0000000000E20000-0x0000000000EB4000-memory.dmp
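Comparing the two detonations: the Win7 run reaches only the four KR/JP TCP endpoints on ports 11110 and 11170, while the Win10 run adds DNS to 8.8.8.8, reverse lookups and Bing traffic that the Win7 run never produces, so intersecting the two runs leaves the connections attributable to the sample. The dropped EXEs likewise change names and hashes between runs (sirub.exe/saceo.exe against ciost.exe/zeguz.exe) and golfinfo.ini differs too, but _uinsey.bat has the same SHA256 in both runs. The block below is an added example, not part of this report, that applies both comparisons to the network rows and SHA256 values copied from the two runs above; the tolerant row parser and the field names are the example's own.

```python
# Network rows copied from the two detonations above (Country | Destination | Domain | Proto).
WIN10_NETWORK = """
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
"""
# Win7 rows in the shape some extractions produce: the empty Domain cell is dropped
# and Proto shifts left; the parser below repairs that.
WIN7_NETWORK = """
| KR | 218.54.31.226:11110 | tcp | |
| KR | 1.234.83.146:11170 | tcp | |
| KR | 218.54.31.165:11110 | tcp | |
| JP | 133.242.129.155:11110 | tcp |
"""
# Dropped-file SHA256 values copied from the Files sections of the two runs.
WIN10_FILES = {
    "sirub.exe": "9c51d5a91a7acd34fcadb94823f70fa080d99a0535cea66c750b845a434ca3f9",
    "_uinsey.bat": "e82653e9f647fe2b0fc7519f2dba359df2a25f623dbc1f0c5b1ed891b998875d",
    "golfinfo.ini": "37d1816f5b142fe3c994dec04e020a437ed80489e3a1a8a14de9b3400f4da575",
    "saceo.exe": "cdbddad5914ddbdac67846579bf53137fd61af422807f5cf4f407310c35fbee9",
}
WIN7_FILES = {
    "ciost.exe": "db1ff98205b2c026f80dcecf6a652771ab830578416c4453cbd14488b9f21821",
    "_uinsey.bat": "e82653e9f647fe2b0fc7519f2dba359df2a25f623dbc1f0c5b1ed891b998875d",
    "golfinfo.ini": "a3fb9376ddd7cd6c8fe5505eb3e27afe0bbe28a35ee1d3e7cf07ee644941661f",
    "zeguz.exe": "704900679a2f1b7999c62c703bf1c35d9d8a3237e14d422e4c8b6fcecb341121",
}
PROTOS = {"tcp", "udp"}


def parse_rows(table):
    """Parse '| Country | Destination | Domain | Proto |' rows, tolerating rows whose
    empty Domain cell was lost during extraction."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[3] == "" and cells[2].lower() in PROTOS:
            cells = cells[:3]           # trailing empty cell, Proto shifted left
        if len(cells) == 3 and cells[2].lower() in PROTOS:
            cells.insert(2, "")         # restore the empty Domain cell
        if len(cells) != 4:
            raise ValueError(f"unexpected row: {line!r}")
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def endpoints(rows):
    return {(r["host"], r["port"], r["proto"]) for r in rows}


def shared_endpoints(*runs):
    """Endpoints contacted in every detonation; traffic tied to one platform image
    (DNS to 8.8.8.8, reverse lookups, Bing on the Win10 image) drops out."""
    return set.intersection(*(endpoints(r) for r in runs))


def stable_hashes(*runs):
    """Dropped files present in every run with an identical SHA256 in all of them."""
    common = set.intersection(*(set(r) for r in runs))
    return {n: runs[0][n] for n in common if all(r[n] == runs[0][n] for r in runs)}


def changed_hashes(*runs):
    """Dropped files present in every run whose content differs between runs."""
    common = set.intersection(*(set(r) for r in runs))
    return sorted(n for n in common if len({r[n] for r in runs}) > 1)


if __name__ == "__main__":
    w10, w7 = parse_rows(WIN10_NETWORK), parse_rows(WIN7_NETWORK)
    for host, port, proto in sorted(shared_endpoints(w10, w7)):
        print(f"C2 candidate: {host}:{port}/{proto}")
    print("stable across runs:", stable_hashes(WIN10_FILES, WIN7_FILES))
    print("regenerated per run:", changed_hashes(WIN10_FILES, WIN7_FILES))
```

For blocking or hunting, the four shared endpoints and the _uinsey.bat hash are the indicators that survive across both platforms; the per-run EXE and golfinfo.ini hashes identify only these two detonations.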