Analysis Overview
SHA256
db369ea307634c1a7260bb47a42329ee8376138fd02f818aed86a2b6c651a022
Threat Level: Known bad
The file 2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 23:05
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 23:05
Reported
2024-10-07 23:15
Platform
win7-20240903-en
Max time kernel
150s
Max time network
74s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11300 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 112.223.217.101:11300 | | tcp |
Files
memory/1656-0-0x0000000001320000-0x0000000001803000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| MD5 | 000d2b1cf3fab58bbf40ee1924912157 |
| SHA1 | 32929a141d564caf2a9a259f55d2c339e615e310 |
| SHA256 | cb9dac547745cba126c935f8338edd971469b52044c0f214aeda33c6ecc2248c |
| SHA512 | 4aa086ad7517dd417258faa08f9a52396fabf4e4c0dde46326b5690c1a9c2393671ad58a0699b7cee7c440fa63b9ef7f291edc2a3da017cf38556fb7bf26a009 |
memory/1656-16-0x0000000001320000-0x0000000001803000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sander.exe
| MD5 | b61614d6bf18e51a52ffac3b66cf8b29 |
| SHA1 | 34da0b4ded510794e82bdfe58b0e66256efc7389 |
| SHA256 | 6237fad677f82b8774196b522d810030f4e50bad1b9a77e2df36b6a43ee716cf |
| SHA512 | 2008156381ebc17d98f7ae533110149d02b75b0574cedc9a9a6b16a55322e6ca5e24773de80fb6141b9ff6ace85b470245778ef93ebb8f077c5d8632dfd9b7c8 |
memory/2524-17-0x00000000013E0000-0x00000000018C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 04113afab96ff36e7da4cabf336079cf |
| SHA1 | 2ab6a01f123c1ef4227cb134612749b67a237bf6 |
| SHA256 | 8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16 |
| SHA512 | 68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9 |
memory/2524-20-0x00000000013E0000-0x00000000018C3000-memory.dmp
memory/2524-25-0x00000000012F0000-0x0000000001391000-memory.dmp
\Users\Admin\AppData\Local\Temp\ctfmom.exe
| MD5 | ee33d97dd90cd6987abbbe6e46e0efbb |
| SHA1 | 4c5f46e53ade4d6111d6e955f691b93614b0bd58 |
| SHA256 | 71c0d27c9d69a096307e445168e9f45031c73d157c057d83213fd8da9af6012c |
| SHA512 | 7a276a3e85b0cb5cb942f8731a46626fb9223db58927ae6cca2a4c2c3d633872fd4c75918a4455113eea7c02d126750c56dc3b6af0d12bfb00de6dbb89326a88 |
memory/2524-28-0x00000000013E0000-0x00000000018C3000-memory.dmp
memory/2028-29-0x00000000002F0000-0x0000000000391000-memory.dmp
memory/2028-32-0x00000000002F0000-0x0000000000391000-memory.dmp
memory/2028-33-0x00000000002F0000-0x0000000000391000-memory.dmp
memory/2028-34-0x00000000002F0000-0x0000000000391000-memory.dmp
memory/2028-35-0x00000000002F0000-0x0000000000391000-memory.dmp
memory/2028-36-0x00000000002F0000-0x0000000000391000-memory.dmp
memory/2028-37-0x00000000002F0000-0x0000000000391000-memory.dmp
memory/2028-38-0x00000000002F0000-0x0000000000391000-memory.dmp
memory/2028-39-0x00000000002F0000-0x0000000000391000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 23:05
Reported
2024-10-08 10:59
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-07_5e059c51a24a6d01175189a524f163bd_magniber_qakbot.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 121.88.5.183:11300 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| KR | 112.223.217.101:11300 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
memory/4240-0-0x0000000000480000-0x0000000000963000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sander.exe
| MD5 | abe78ecc684466dd762e28ec075b922a |
| SHA1 | 2dd097ac03a1a61b38fa85d48cdd8eb01cd4588d |
| SHA256 | 6f8f312a3c33e03472b48e1ddea55eae6ee790f3d9524345af0a7260ef5ea47c |
| SHA512 | cb3f85602fc0d8cd9a9aa732633d2e01be9de577dd5a45ba6e723a8410d73bb8aa9d44cdc236f4d044d786952f48eac826573a95d275c9fe2bbec1cb3061a637 |
memory/4052-11-0x00000000001D0000-0x00000000006B3000-memory.dmp
memory/4240-14-0x0000000000480000-0x0000000000963000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| MD5 | 000d2b1cf3fab58bbf40ee1924912157 |
| SHA1 | 32929a141d564caf2a9a259f55d2c339e615e310 |
| SHA256 | cb9dac547745cba126c935f8338edd971469b52044c0f214aeda33c6ecc2248c |
| SHA512 | 4aa086ad7517dd417258faa08f9a52396fabf4e4c0dde46326b5690c1a9c2393671ad58a0699b7cee7c440fa63b9ef7f291edc2a3da017cf38556fb7bf26a009 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 04113afab96ff36e7da4cabf336079cf |
| SHA1 | 2ab6a01f123c1ef4227cb134612749b67a237bf6 |
| SHA256 | 8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16 |
| SHA512 | 68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9 |
memory/4052-17-0x00000000001D0000-0x00000000006B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
| MD5 | 206994a75be232089e38112662f3463b |
| SHA1 | d20fbd33f58ecbf598ccff1c861e964cbde42f58 |
| SHA256 | d85f3eca12c3ab019c027505626ff664734669319ec562b6126774a44b5f9ac1 |
| SHA512 | 76e97b331a009e887187972e5a074cb07e0bc1d1144037900cb928c318e4bf73766e1c823e9fff5be61af028e36104c96a8697fb52990e8b5435c89ebba34a19 |
memory/3588-26-0x0000000000C50000-0x0000000000CF1000-memory.dmp
memory/3588-28-0x0000000000C50000-0x0000000000CF1000-memory.dmp
memory/3588-31-0x0000000000DF0000-0x0000000000DF2000-memory.dmp
memory/4052-27-0x00000000001D0000-0x00000000006B3000-memory.dmp
memory/3588-32-0x0000000000C50000-0x0000000000CF1000-memory.dmp
memory/3588-33-0x0000000000C50000-0x0000000000CF1000-memory.dmp
memory/3588-34-0x0000000000C50000-0x0000000000CF1000-memory.dmp
memory/3588-35-0x0000000000C50000-0x0000000000CF1000-memory.dmp
memory/3588-36-0x0000000000C50000-0x0000000000CF1000-memory.dmp
memory/3588-37-0x0000000000C50000-0x0000000000CF1000-memory.dmp
memory/3588-38-0x0000000000C50000-0x0000000000CF1000-memory.dmp
memory/3588-39-0x0000000000C50000-0x0000000000CF1000-memory.dmp
memory/3588-40-0x0000000000C50000-0x0000000000CF1000-memory.dmp