Analysis Overview
SHA256
e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47
Threat Level: Known bad
The file e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Executes dropped EXE
Deletes itself
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 09:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 09:20
Reported
2024-10-07 09:22
Platform
win7-20240903-en
Max time kernel
119s
Max time network
85s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duryq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\niwaw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duryq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\duryq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\niwaw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe
"C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe"
C:\Users\Admin\AppData\Local\Temp\duryq.exe
"C:\Users\Admin\AppData\Local\Temp\duryq.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\niwaw.exe
"C:\Users\Admin\AppData\Local\Temp\niwaw.exe"
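The process list above is flat, but the signatures "Executes dropped EXE" and "Deletes itself" are really one chain: an executable in %TEMP% starts another executable in %TEMP%, and cmd.exe is run on a batch file in %TEMP% (the `cmd /c ""..._uinsey.bat" "` line). The following Python is an added example, not code from the page or from the sandbox vendor, that turns that chain into detection logic over process-creation records. PIDs 1812, 2456 and 1508 are taken from the memory dump names on this page; the cmd.exe PID, the root parent PID and the parent/child links between the four processes are assumptions, since the report does not state them.

```python
import re
from dataclasses import dataclass

# A user-writable %TEMP% executable; the sample, duryq.exe and niwaw.exe all live here.
TEMP_EXE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
# cmd /c ""C:\Users\...\Temp\_uinsey.bat" "  -> capture the batch path, tolerating the doubled quotes
TEMP_BAT_RE = re.compile(r'/c\s+"*([a-z]:\\users\\[^"]+?\\appdata\\local\\temp\\[^"]+?\.bat)', re.I)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (what Sysmon event 1 or a sandbox process list gives you)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def is_temp_exe(image: str) -> bool:
    return bool(TEMP_EXE_RE.match(image))


def is_cmd(image: str) -> bool:
    return image.lower().endswith("\\cmd.exe")


def urelas_chain_findings(events):
    """Return (kind, parent_pid, detail) tuples for two behaviours from the report:
    - a %TEMP% executable starting another %TEMP% executable ("Executes dropped EXE")
    - a %TEMP% executable running cmd.exe on a .bat in %TEMP% (the self-delete step)
    Only the parent's location and the child's command line matter, so the rule does not
    depend on which of the dropped files does the spawning."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for parent in events:
        if not is_temp_exe(parent.image):
            continue
        for child in children.get(parent.pid, []):
            if is_temp_exe(child.image):
                findings.append(("temp_exe_spawns_temp_exe", parent.pid, child.image))
            elif is_cmd(child.image):
                m = TEMP_BAT_RE.search(child.cmdline)
                if m:
                    findings.append(("self_delete_via_temp_bat", parent.pid, m.group(1)))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe"

# Constructed from the behavioral1 process list. PIDs 1812/2456/1508 are the memory dump PIDs
# on this page; PID 2600, the root PPID 1000 and the parent/child links are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(1812, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2456, 1812, TEMP + r"\duryq.exe", rf'"{TEMP}\duryq.exe"'),
    ProcEvent(2600, 1812, r"C:\Windows\SysWOW64\cmd.exe", rf'cmd /c ""{TEMP}\_uinsey.bat" "'),
    ProcEvent(1508, 2456, TEMP + r"\niwaw.exe", rf'"{TEMP}\niwaw.exe"'),
]

# Constructed benign activity: explorer.exe running a batch file from Program Files, and a
# %TEMP%-resident installer doing the same. Neither runs a .bat out of %TEMP%, so neither fires.
BENIGN_EVENTS = [
    ProcEvent(3000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3100, 3000, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Program Files\tool\run.bat"'),
    ProcEvent(3200, 3000, TEMP + r"\setup.exe", rf'"{TEMP}\setup.exe"'),
    ProcEvent(3300, 3200, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Program Files\app\post.bat"'),
]

if __name__ == "__main__":
    for kind, ppid, detail in urelas_chain_findings(SAMPLE_EVENTS):
        print(kind, ppid, detail)
    print("benign:", urelas_chain_findings(BENIGN_EVENTS))
```

Against the constructed events this yields three findings (the sample spawning duryq.exe, the sample running the batch file, duryq.exe spawning niwaw.exe) and nothing for the benign set. The batch-file rule is intentionally narrow: installers often run cmd.exe, but few run a .bat that itself lives in %TEMP% from a parent that also lives in %TEMP%.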
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1812-0-0x00000000003A0000-0x0000000000421000-memory.dmp
memory/1812-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\duryq.exe
| MD5 | e9719618a92bcceb404a0717aa4d124c |
| SHA1 | e95830f407bf12df9236bdcf69b5aa044017609b |
| SHA256 | c94117852b8009fa7758d75583d41973c1ea9b8d96f0dbd74ae326b80cb3a541 |
| SHA512 | 716c04886164fcab730d29a4f19910588e24c3ba2c3c80dbc7c0f1444914953e651dbc9663eb4e558f385949fcc715c38bcb230868bcbc120703b1bb06e1e819 |
memory/1812-7-0x00000000020B0000-0x0000000002131000-memory.dmp
memory/2456-11-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9e119f9c63a8d07e442a59fa120c3551 |
| SHA1 | 87f294bed0aeb68bc9440ef1c3f5fff2e2686a42 |
| SHA256 | e332095b80112a9c7e85370711e04b18ae3891e0c6b17c29b84e1cb6b7a2ae0d |
| SHA512 | f697d0e5c7e28f843a35c623a07cc75f097e649de211ffda489209a99d9ddb040f4555c67a58f2635d6b552e3a5856d601a2da3a16f519925c18ca2cbf45c8c5 |
memory/1812-20-0x00000000003A0000-0x0000000000421000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | bfbbd94ed0f9d1b80a54d9c7e5413644 |
| SHA1 | 5b26c90a207885f6afc15482c069c9928e7a021d |
| SHA256 | ba40dafd4de40e0b7817b2ef64de285e5e0aa4cb3b9fcf74e0632a2b9b2e34e4 |
| SHA512 | db2e5c95f2c7f55fa0477e807ed6b7414e2ff223a4c52699ed4adfe172d035d3638d4e529c52b426dc6f97a625a3b432e715fcc848afc0b422ec9067c686b8d6 |
memory/2456-24-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2456-23-0x00000000011B0000-0x0000000001231000-memory.dmp
\Users\Admin\AppData\Local\Temp\niwaw.exe
| MD5 | 5ddeb81f5617a59b0fb5b4b9193032fa |
| SHA1 | ec24f27033b694ab0ff84aae05998b48d47ec551 |
| SHA256 | 02e9f6a7d9eb9575f35ecb848c36618db06aff7e4a379aceb1142f63864c85df |
| SHA512 | 4ce1221687fef6afa00a1c51b7f3a3ecf8cf60f3d28f328205132391f586ba1b2fa48e2d47d54f4142c2caeb5650f43fb9d7344577ab939287c52d344004f403 |
memory/2456-41-0x00000000011B0000-0x0000000001231000-memory.dmp
memory/1508-42-0x0000000000FC0000-0x0000000001059000-memory.dmp
memory/2456-39-0x00000000036D0000-0x0000000003769000-memory.dmp
memory/1508-43-0x0000000000FC0000-0x0000000001059000-memory.dmp
memory/1508-47-0x0000000000FC0000-0x0000000001059000-memory.dmp
memory/1508-48-0x0000000000FC0000-0x0000000001059000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 09:20
Reported
2024-10-07 09:22
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\duuly.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duuly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cucen.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\duuly.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cucen.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe
"C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe"
C:\Users\Admin\AppData\Local\Temp\duuly.exe
"C:\Users\Admin\AppData\Local\Temp\duuly.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\cucen.exe
"C:\Users\Admin\AppData\Local\Temp\cucen.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
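Both detonations contact the same four endpoints directly over TCP on ports 11300 and 11170, which is the part of the Network tables worth turning into indicators. The Windows 10 run also shows PTR queries to 8.8.8.8; the report does not attribute them to any process, and the addresses they reverse (for example 217.106.137.52.in-addr.arpa is 52.137.106.217) do not appear among the TCP destinations, so they should not be treated as indicators from this page alone. The Python below is an added example, not part of the report, that parses rows copied from these tables (protocol in its own column), separates the two kinds of traffic, and matches the TCP endpoints against a constructed connection log.

```python
import ipaddress

# Rows copied from the behavioral1/behavioral2 Network tables on this page; the in-addr.arpa
# rows are a subset of behavioral2's.
NETWORK_ROWS = """
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
"""


def parse_rows(table: str):
    """Yield one dict per '| country | ip:port | domain | proto |' row."""
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        yield {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(rows):
    """Separate direct TCP endpoints (the C2 candidates) from PTR lookups sent to 8.8.8.8.
    PTR names carry the octets reversed, so 217.106.137.52.in-addr.arpa is 52.137.106.217."""
    c2, looked_up = set(), set()
    for r in rows:
        if r["proto"] == "tcp":
            c2.add((r["ip"], r["port"]))
        elif r["proto"] == "udp" and r["port"] == 53 and r["domain"].endswith(".in-addr.arpa"):
            octets = r["domain"][: -len(".in-addr.arpa")].split(".")[::-1]
            looked_up.add(str(ipaddress.ip_address(".".join(octets))))
    return c2, looked_up


def match_conn_log(lines, c2):
    """Scan 'ts src sport dst dport proto' records. Exact ip:port matches are the high-confidence
    hits; same-IP/other-port matches are returned separately so shared hosting does not
    inflate the alert count."""
    exact, ip_only = [], []
    c2_ips = {ip for ip, _ in c2}
    for line in lines:
        ts, src, _sport, dst, dport, proto = line.split()
        dport = int(dport)
        if proto != "tcp":
            continue
        if (dst, dport) in c2:
            exact.append((ts, src, dst, dport))
        elif dst in c2_ips:
            ip_only.append((ts, src, dst, dport))
    return exact, ip_only


# Constructed connection records (Zeek conn.log fields, trimmed); not from the page.
CONN_LOG = [
    "1728292800.1 10.0.0.5 49213 218.54.31.226 11300 tcp",
    "1728292800.2 10.0.0.5 49214 218.54.31.226 443 tcp",
    "1728292801.0 10.0.0.9 49300 1.234.83.146 11170 tcp",
    "1728292802.0 10.0.0.5 51000 8.8.8.8 53 udp",
    "1728292803.0 10.0.0.7 49400 133.242.129.155 11300 tcp",
]

if __name__ == "__main__":
    c2, looked_up = classify(parse_rows(NETWORK_ROWS))
    exact, ip_only = match_conn_log(CONN_LOG, c2)
    print("C2 endpoints:", sorted(c2))
    print("PTR targets (not attributable to the sample from this report):", sorted(looked_up))
    print("exact hits:", exact)
    print("same IP, other port:", ip_only)
```

On the constructed log this reports three exact hits and one same-IP/other-port connection (218.54.31.226:443), which is the kind of record to review rather than block on sight. Ports 11300 and 11170 are not standard services, so an egress rule that alerts on outbound TCP to those ports from user workstations is a reasonable complement to the address list.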
Files
memory/1264-0-0x0000000000470000-0x00000000004F1000-memory.dmp
memory/1264-1-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\duuly.exe
| MD5 | 399e608a7b38f217b261a230aeeee2da |
| SHA1 | d1a6c8f87b67a72dcc2c5d0430a7a6be0888f993 |
| SHA256 | bf28ed413a675c3fba514cfc12ac349555a26bdbeb07dc5ee50d2af15b7c6c32 |
| SHA512 | 93d4749deeeb0e395ac387008382790df5af9ca5dae1ef20dcafe007ac30c3e4925dfb397a191a4e455528eec05393538666a1f2ab000f72d297366c771088d5 |
memory/1512-14-0x0000000000790000-0x0000000000791000-memory.dmp
memory/1264-17-0x0000000000470000-0x00000000004F1000-memory.dmp
memory/1512-11-0x00000000000A0000-0x0000000000121000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9e119f9c63a8d07e442a59fa120c3551 |
| SHA1 | 87f294bed0aeb68bc9440ef1c3f5fff2e2686a42 |
| SHA256 | e332095b80112a9c7e85370711e04b18ae3891e0c6b17c29b84e1cb6b7a2ae0d |
| SHA512 | f697d0e5c7e28f843a35c623a07cc75f097e649de211ffda489209a99d9ddb040f4555c67a58f2635d6b552e3a5856d601a2da3a16f519925c18ca2cbf45c8c5 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f5fb21ec1b4fa8c28aed5dab4b7e9c0c |
| SHA1 | bc7e3f624c7331d37847726e7a3ce374d5616f9d |
| SHA256 | b1af85f701c6d33bf7a023db7bf9c6aa0bc4fcd873355dd50fd8e20f9f0c23b3 |
| SHA512 | eff02516cb10d1ed89850f48d182d21e79c9837dc13791362c8596eaba5eaf3460a1ea27f247afcb7a26004e4235047b4bcf26139bebeba415dfafb748b602cd |
memory/1512-20-0x00000000000A0000-0x0000000000121000-memory.dmp
memory/1512-21-0x0000000000790000-0x0000000000791000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cucen.exe
| MD5 | 5fcd3d474b9474ce135fdbee7a74faf8 |
| SHA1 | 013cc9a52f8131029458d5dad4c15c70dc940fbb |
| SHA256 | 4589ee25b405bf2fee3c72113e7b760ac52e9a87fc8db9ce2c961261aea9c014 |
| SHA512 | f1a2a33ae9cda4337dbf55beff894e23147412517c7944dbbf17193f2ec17e8b6e5bec9447f9dd5fd747018d209e7261f44f44c87a075c1af1be6386aa303843 |
memory/2544-38-0x0000000000490000-0x0000000000529000-memory.dmp
memory/2544-42-0x0000000001200000-0x0000000001202000-memory.dmp
memory/1512-44-0x00000000000A0000-0x0000000000121000-memory.dmp
memory/2544-39-0x0000000000490000-0x0000000000529000-memory.dmp
memory/2544-46-0x0000000000490000-0x0000000000529000-memory.dmp
memory/2544-47-0x0000000000490000-0x0000000000529000-memory.dmp
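Comparing the Files tables of the two runs shows which artifacts are worth carrying forward. `_uinsey.bat` has the same hash in both detonations; `golfinfo.ini` keeps its name but changes content; the two dropped executables get a fresh five-letter name and a fresh hash each run (duryq.exe/niwaw.exe on Windows 7, duuly.exe/cucen.exe on Windows 10). The Python below is an added example, not from the page, that automates that comparison using the SHA256 values above. Note that the Windows 7 table lists the two executables without a drive letter, so paths are normalised before comparison. The `[a-z]{5}\.exe` pattern is derived from these four names only and is an assumption about the family, not something the report states.

```python
import re

TEMP = r"\users\admin\appdata\local\temp"


def norm(path: str) -> str:
    """Lower-case and drop the drive letter: the win7 table lists duryq.exe as \\Users\\... and
    _uinsey.bat as C:\\Users\\..., which would otherwise never compare equal."""
    return re.sub(r"^[a-z]:", "", path.lower())


# SHA256 values from the Files tables of behavioral1 (win7) and behavioral2 (win10) on this page.
RUN1 = {
    r"\Users\Admin\AppData\Local\Temp\duryq.exe": "c94117852b8009fa7758d75583d41973c1ea9b8d96f0dbd74ae326b80cb3a541",
    r"C:\Users\Admin\AppData\Local\Temp\_uinsey.bat": "e332095b80112a9c7e85370711e04b18ae3891e0c6b17c29b84e1cb6b7a2ae0d",
    r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini": "ba40dafd4de40e0b7817b2ef64de285e5e0aa4cb3b9fcf74e0632a2b9b2e34e4",
    r"\Users\Admin\AppData\Local\Temp\niwaw.exe": "02e9f6a7d9eb9575f35ecb848c36618db06aff7e4a379aceb1142f63864c85df",
}
RUN2 = {
    r"C:\Users\Admin\AppData\Local\Temp\duuly.exe": "bf28ed413a675c3fba514cfc12ac349555a26bdbeb07dc5ee50d2af15b7c6c32",
    r"C:\Users\Admin\AppData\Local\Temp\_uinsey.bat": "e332095b80112a9c7e85370711e04b18ae3891e0c6b17c29b84e1cb6b7a2ae0d",
    r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini": "b1af85f701c6d33bf7a023db7bf9c6aa0bc4fcd873355dd50fd8e20f9f0c23b3",
    r"C:\Users\Admin\AppData\Local\Temp\cucen.exe": "4589ee25b405bf2fee3c72113e7b760ac52e9a87fc8db9ce2c961261aea9c014",
}


def compare_runs(run_a, run_b):
    """Bucket dropped files by how they behave across two detonations."""
    a = {norm(p): h for p, h in run_a.items()}
    b = {norm(p): h for p, h in run_b.items()}
    shared = a.keys() & b.keys()
    return {
        "stable": {p for p in shared if a[p] == b[p]},     # same name, same content
        "changed": {p for p in shared if a[p] != b[p]},    # same name, content differs
        "only_a": set(a) - shared,                          # per-run names
        "only_b": set(b) - shared,
    }


def durable_iocs(run_a, run_b):
    """Hashes are only worth pushing to a blocklist for files that are byte-identical across runs;
    per-run names are better expressed as a filename pattern in the drop directory."""
    cmp = compare_runs(run_a, run_b)
    a = {norm(p): h for p, h in run_a.items()}
    hashes = {a[p] for p in cmp["stable"]}
    random_names = [p.rsplit("\\", 1)[1] for p in cmp["only_a"] | cmp["only_b"]]
    pattern = None
    if random_names and all(re.fullmatch(r"[a-z]{5}\.exe", n) for n in random_names):
        pattern = r"^[a-z]{5}\.exe$"  # assumption: generalised from the four names in these two runs
    return {"sha256": hashes, "drop_dir": TEMP, "name_pattern": pattern}


if __name__ == "__main__":
    for bucket, paths in compare_runs(RUN1, RUN2).items():
        print(bucket, sorted(paths))
    print(durable_iocs(RUN1, RUN2))
```

Two caveats on reading the output. The batch file hashed identically here because both detonations used the same sample path; if its content embeds that path, the hash will not survive a rename in the field, so pair it with the fixed name `_uinsey.bat` in %TEMP% rather than relying on the hash alone. The executables' per-run hashes are of almost no use as indicators; the combination of the drop directory, the short random name and the process chain seen in the behavioral sections is what carries across samples.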