Analysis Overview
SHA256
e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47
Threat Level: Known bad
The file e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 09:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 09:22
Reported
2024-10-07 09:25
Platform
win7-20240903-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yxcao.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\apysq.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yxcao.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yxcao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\apysq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe
"C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe"
C:\Users\Admin\AppData\Local\Temp\yxcao.exe
"C:\Users\Admin\AppData\Local\Temp\yxcao.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\apysq.exe
"C:\Users\Admin\AppData\Local\Temp\apysq.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2728-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2728-0-0x0000000000EE0000-0x0000000000F61000-memory.dmp
\Users\Admin\AppData\Local\Temp\yxcao.exe
| MD5 | ad0aa57534410f016656e8f454817390 |
| SHA1 | 3a66c647048cb396e07cfd795376a1df1043be84 |
| SHA256 | ff58de0eeb6bdc34fdb853bac1b3f2bc40749ee136b74011c283069946ce2778 |
| SHA512 | 1743a09ba2b1df7492fb08484eb80ac0bb882ad4883dbb1d5a0ced5adf3f3ee093297133ce05a601b86c03e96358b9d4da3a95d3c2038b6cf1ad0595f4a3e128 |
memory/2728-7-0x00000000028C0000-0x0000000002941000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9e119f9c63a8d07e442a59fa120c3551 |
| SHA1 | 87f294bed0aeb68bc9440ef1c3f5fff2e2686a42 |
| SHA256 | e332095b80112a9c7e85370711e04b18ae3891e0c6b17c29b84e1cb6b7a2ae0d |
| SHA512 | f697d0e5c7e28f843a35c623a07cc75f097e649de211ffda489209a99d9ddb040f4555c67a58f2635d6b552e3a5856d601a2da3a16f519925c18ca2cbf45c8c5 |
memory/2828-19-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2828-18-0x0000000000800000-0x0000000000881000-memory.dmp
memory/2728-20-0x0000000000EE0000-0x0000000000F61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a373f06dbc4a3117dbbd040e9bd5b167 |
| SHA1 | 1e9efd12c953b311d35aea3c88dd8caa795002e4 |
| SHA256 | ede1deccee34aa1cd9427706a317fd760b9fda1935825f5e0ea58e941dd64494 |
| SHA512 | df88048bed1c0d0e4ff5fbc293920ecb6403962e2a5e11b93a1bc5682574135cab5f88f00635985db014634c6bcc519df1bfe6a95777413661349ac8e9666ae5 |
memory/2828-23-0x0000000000800000-0x0000000000881000-memory.dmp
\Users\Admin\AppData\Local\Temp\apysq.exe
| MD5 | 7c1739ff42f785b27a0c43c7dedb4cd9 |
| SHA1 | 66d8d9224c2539d37c25a12b25c997e99052d17e |
| SHA256 | 8fcc09b0e012b08cf1ab10e5851034a005eedc138c6318533b5b65903d5eba04 |
| SHA512 | 675d8a0d2ddb225915c0324cc348961afe04e0ae225976b4ea324ef163de03715121e52135c012d9e0081525b2bfc445b9c787d73715adf21b330dcf0b2c8c12 |
memory/2752-41-0x0000000000120000-0x00000000001B9000-memory.dmp
memory/2752-44-0x0000000000120000-0x00000000001B9000-memory.dmp
memory/2828-39-0x0000000003250000-0x00000000032E9000-memory.dmp
memory/2828-38-0x0000000000800000-0x0000000000881000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yxcao.exe
| MD5 | 16f9ebd49540c15f225717cf2bb11235 |
| SHA1 | a9cf0f20cd6163bb6f1ed9de37e6913d56f6fb20 |
| SHA256 | 0e673695a73599a27612fb77cc8758935d0fa7f12f0ecd4427300751ad772770 |
| SHA512 | d13176c2ac06176cad733cea1bd2b841f3acf0ca1b355283b16660264d067bbc49b02ae91a8f8001e6afe95df908d26ed899b5d5544a0668f01ac75be764008b |
memory/2752-47-0x0000000000120000-0x00000000001B9000-memory.dmp
memory/2752-48-0x0000000000120000-0x00000000001B9000-memory.dmp
memory/2752-49-0x0000000000120000-0x00000000001B9000-memory.dmp
memory/2752-50-0x0000000000120000-0x00000000001B9000-memory.dmp
memory/2752-51-0x0000000000120000-0x00000000001B9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 09:22
Reported
2024-10-07 09:25
Platform
win10v2004-20240910-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\hesui.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hesui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cuwuc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hesui.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cuwuc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe
"C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe"
C:\Users\Admin\AppData\Local\Temp\hesui.exe
"C:\Users\Admin\AppData\Local\Temp\hesui.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\cuwuc.exe
"C:\Users\Admin\AppData\Local\Temp\cuwuc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/924-0-0x0000000000140000-0x00000000001C1000-memory.dmp
memory/924-1-0x0000000000F10000-0x0000000000F11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hesui.exe
| MD5 | b318ef77677c2f26c705b75b118fa9b0 |
| SHA1 | 7f82dbdbee0be8ff6798fd49a020d30d19c51616 |
| SHA256 | 198ea0ffea0c3f613e308da6939cee6e4569e8179c3a8c12c34c9d1200035ace |
| SHA512 | 9e34d0ecb06a7be52d3ab91e8b3de6b8b804da996c96d6eed8b5867c02eade9a71a24e7744e678ed68a1e03b6f99d8bda59f1f092f0744617d55ab12f4b1386f |
memory/1976-14-0x0000000001030000-0x0000000001031000-memory.dmp
memory/1976-13-0x00000000000C0000-0x0000000000141000-memory.dmp
memory/924-17-0x0000000000140000-0x00000000001C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9e119f9c63a8d07e442a59fa120c3551 |
| SHA1 | 87f294bed0aeb68bc9440ef1c3f5fff2e2686a42 |
| SHA256 | e332095b80112a9c7e85370711e04b18ae3891e0c6b17c29b84e1cb6b7a2ae0d |
| SHA512 | f697d0e5c7e28f843a35c623a07cc75f097e649de211ffda489209a99d9ddb040f4555c67a58f2635d6b552e3a5856d601a2da3a16f519925c18ca2cbf45c8c5 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e50b4e28b2564ef6b365361aac01e071 |
| SHA1 | 135629a195f054643b554edcc11862625227235d |
| SHA256 | cd781e2dadea2bb87ed7f47519ab6067970bcccc29fedba6f89c2eb552d3fa86 |
| SHA512 | 61fa19b642c48559dd2cebdda1e173b8d421447e52a75ec9714f6910911ec134aa67338961b1fe3dfb05d13719710b3f56e998222672dd93d7e1c5665dfbcad9 |
memory/1976-20-0x00000000000C0000-0x0000000000141000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cuwuc.exe
| MD5 | 04a40a5308cbc04e849ed6375019aec1 |
| SHA1 | 149707534adf000eca06750e4a0d52ea6cf6a436 |
| SHA256 | 91da1f9b1d8819efce7fd5427e0749e64b798138c81fd1a45a52a3d8236e4e16 |
| SHA512 | 526da188d8a75a79942efad094d8473c31b16f6f30529d1a7e3125e082dfcd54a6231d9a0b216d85f2b72c3324b81c3c5719d73ff0a6febdfcf040c7ef274b15 |
memory/3388-38-0x0000000000DC0000-0x0000000000DC2000-memory.dmp
memory/3388-37-0x0000000000520000-0x00000000005B9000-memory.dmp
memory/1976-43-0x00000000000C0000-0x0000000000141000-memory.dmp
memory/3388-40-0x0000000000520000-0x00000000005B9000-memory.dmp
memory/3388-45-0x0000000000DC0000-0x0000000000DC2000-memory.dmp
memory/3388-46-0x0000000000520000-0x00000000005B9000-memory.dmp
memory/3388-47-0x0000000000520000-0x00000000005B9000-memory.dmp
memory/3388-48-0x0000000000520000-0x00000000005B9000-memory.dmp
memory/3388-49-0x0000000000520000-0x00000000005B9000-memory.dmp
memory/3388-50-0x0000000000520000-0x00000000005B9000-memory.dmp