Analysis Overview
SHA256
bcec7a36a14ff550ead594d87bbe7f0caad97aca8a2ddefca58a9c02e44df72d
Threat Level: Known bad
The file 7a84c226ad554f7688b9a5dbd673b2c0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Loads dropped DLL
ASPack v2.12-2.42
Deletes itself
Checks computer location settings
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 15:35
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 15:35
Reported
2024-08-13 15:37
Platform
win7-20240704-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nuwie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bopoo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a84c226ad554f7688b9a5dbd673b2c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a84c226ad554f7688b9a5dbd673b2c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nuwie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nuwie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bopoo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7a84c226ad554f7688b9a5dbd673b2c0N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a84c226ad554f7688b9a5dbd673b2c0N.exe
"C:\Users\Admin\AppData\Local\Temp\7a84c226ad554f7688b9a5dbd673b2c0N.exe"
C:\Users\Admin\AppData\Local\Temp\nuwie.exe
"C:\Users\Admin\AppData\Local\Temp\nuwie.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\bopoo.exe
"C:\Users\Admin\AppData\Local\Temp\bopoo.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2796-0-0x0000000000400000-0x0000000000465000-memory.dmp
\Users\Admin\AppData\Local\Temp\nuwie.exe
| MD5 | b4875e000da4aca929e27840513c3164 |
| SHA1 | 1e51d76e97ec61e704274263b7c84fafc0e89b74 |
| SHA256 | f857509c50c7484090995caa928ecfafaa977963e9606ef27d7c0634ddfc3ff1 |
| SHA512 | 8aab72c9bfe074bc9f50a60eb3da0300558e552bb2ef9e06626e40a0b17d5ad03e9df60d19afbd3054c2d21a28d6cf5b478f043311cde883eea5a165deb95732 |
memory/2796-12-0x0000000002510000-0x0000000002575000-memory.dmp
memory/2796-6-0x0000000002510000-0x0000000002575000-memory.dmp
memory/2684-15-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 932804d1a52ecb9d90e05b4aad57b6d7 |
| SHA1 | 2299279ffd89b7b6b59222b83c2499322cd8122d |
| SHA256 | 1cb218270f73ce4fd4b1506c9ccdea0ea53f4aee22790eb2854561fded747ced |
| SHA512 | 6069fabeaff93b68257c86df8e84bd5eb74aba38d439539b3c2fcee373fe036071f9e594279dcfe6cd407d8215a937d14530231af2af8efe02845eb70eb2c5e6 |
memory/2796-22-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | fee9b00e32d9f7c899eb4969553c86fe |
| SHA1 | 2a30eb60884b2fd1cacc04236e3a39402b6aaea4 |
| SHA256 | 974f637e877f710b21437dd27a8a27599cb126f00b5b9f2596346bd5c7fe31ee |
| SHA512 | 6647eb236a65118db8a21af64552c87d973014d4d81c8f9b17e2b73132ac559999f767024864861fed959c99c7280529b14c5418dcf1db90102745ca22903a5b |
\Users\Admin\AppData\Local\Temp\bopoo.exe
| MD5 | 1f07b87934d7a7d3804761e134b7e53a |
| SHA1 | 07872e5a5b0438797c2d6e794178c82f8e337921 |
| SHA256 | f04e831d4fd33a7b95e9fa678dd00dae2d442e76e4ce54a91cc3c2a4cebfd634 |
| SHA512 | 01e7aeebdbf6ce915efd7bcab89c92de368639b00fbab94fa55ff42e3591eb926a3ccb8197b235fafe62f44ef9458f8d35232bfc93999e4d3c8d532abf39e81a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 15:35
Reported
2024-08-13 15:37
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
101s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ezypc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7a84c226ad554f7688b9a5dbd673b2c0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezypc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\udapn.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ezypc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\udapn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7a84c226ad554f7688b9a5dbd673b2c0N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a84c226ad554f7688b9a5dbd673b2c0N.exe
"C:\Users\Admin\AppData\Local\Temp\7a84c226ad554f7688b9a5dbd673b2c0N.exe"
C:\Users\Admin\AppData\Local\Temp\ezypc.exe
"C:\Users\Admin\AppData\Local\Temp\ezypc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\udapn.exe
"C:\Users\Admin\AppData\Local\Temp\udapn.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
memory/4888-0-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ezypc.exe
| MD5 | 1f9eee4c9f6ce9f077f1142f20c51416 |
| SHA1 | 9e09488f5b91ff9342849cd832fab349973cd83d |
| SHA256 | b5f2528b934369638c25427eca7d5d2b609096aa3ca7825a7b474560656ce52a |
| SHA512 | 27c76a29c915615ca222af8a8ea30fbd9cbefa54a9b6b1b2708c9c37b2bb181984c9c289b725adfc15808682e984d151de39bd45593eb16ee79458fdfa07be1d |
memory/384-12-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4888-14-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 932804d1a52ecb9d90e05b4aad57b6d7 |
| SHA1 | 2299279ffd89b7b6b59222b83c2499322cd8122d |
| SHA256 | 1cb218270f73ce4fd4b1506c9ccdea0ea53f4aee22790eb2854561fded747ced |
| SHA512 | 6069fabeaff93b68257c86df8e84bd5eb74aba38d439539b3c2fcee373fe036071f9e594279dcfe6cd407d8215a937d14530231af2af8efe02845eb70eb2c5e6 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1ad3378716bb9060b6e0b2dafebf6045 |
| SHA1 | 404f45522e7d994ac86c9f75bf6aa9449fd92d42 |
| SHA256 | ccc9cfd63640e8094945ac8d11aa3ba6b60fa9a1c96ed6bbe01eacd90d186bfc |
| SHA512 | 5d0c197d95b457c357c17e7c16dc819a95bf159afd30861ea8cfc9a019a79bf1ca15439d5d89a8a6a63a044040659de66a7b72d52a8f9f7578d88770ec2c929d |
C:\Users\Admin\AppData\Local\Temp\udapn.exe
| MD5 | fc50d63194e67d9ab71617aeba32caaa |
| SHA1 | 0ea724c88f0f8c57ea65f3357e45c0189aee947d |
| SHA256 | 66ba10015f1b79770c37f92ec8614af24c5cf7904eb8a760892c05c1f9158191 |
| SHA512 | 5205fc09049e3aeab2abef194bc8e802d53aa558747a27f783f8c4cd2d73db639b5ca8bf9ea942d9505ab96b0727a480aeaaa10b874d4cc8d49740de5f4b9547 |