Analysis Overview
SHA256
918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170
Threat Level: Known bad
The file 918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 11:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 11:53
Reported
2024-10-07 11:57
Platform
win7-20240903-en
Max time kernel
149s
Max time network
83s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tafoe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ajvou.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tafoe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ajvou.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tafoe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe
"C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe"
C:\Users\Admin\AppData\Local\Temp\tafoe.exe
"C:\Users\Admin\AppData\Local\Temp\tafoe.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ajvou.exe
"C:\Users\Admin\AppData\Local\Temp\ajvou.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\tafoe.exe
| MD5 | d5ec62d03b18cabf0e2bb4361b83b15d |
| SHA1 | b1d10fa6bfdbf0d3c2e40d1ca0a9fcbe99cc491e |
| SHA256 | fd22209772991c6503efca49e0cb3c3729666fb35c13b042513dd1679a0ef928 |
| SHA512 | 0166c9e36df6952d5cba66053259d478ad1da0ea44cb6529dee124710ec5a66417d56536a3f42a8b130038cfe7e0f37ce8a27e8f6d3798858f3fc14078afe017 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 398b693664e2956c2bc3e3f798674b61 |
| SHA1 | ba41c38c2976a65c6ec5b3c45e74255daf254ea1 |
| SHA256 | 4fcccbdbf1222ebe99b4c127304aef73b0ce95ecd6b25453b6dc2a75de33a30a |
| SHA512 | b4fb040828ad6c4d1d1dd3cbd6d36b2d533dccb00e9a1327663877f08b692a76eb8b311be5fad9aa0b64867504bba56f16cb085602f74f26c61b14ec1f019776 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 812388eaa7a4405a672e115da0a54dec |
| SHA1 | 9ed3e3b0ecc8a2a90630cc489cd2299d06ac445e |
| SHA256 | 9a2c34946c832e00cdf24c95a2356e253ac1fd105012c003319e086db34c9ceb |
| SHA512 | c9e2f90c871b1f4cf19a2c68ba05cc348bb6046b2883a4b5c2dae42c1af90ec63f01c9189ae0ce01f3fe2011cda4ff313edaca135f8b4a8e33267d99c15896d1 |
\Users\Admin\AppData\Local\Temp\ajvou.exe
| MD5 | a667cda550847383ee8572bb36252eff |
| SHA1 | 21e9267e4aeac695e7a91bb5bdb793747a354646 |
| SHA256 | c9abc151eab57e720ff0b6509a86fd89b747d0241cbf499b8c46d229dfee8637 |
| SHA512 | 52de8a9408144d5b63c96e1b033b71c51839b39eb64df16cb8ed6d8e1b5f047b566a1ab87118f99e8e5442edf059c816ba71169d71274470ab1acc594bbb7ec6 |
C:\Users\Admin\AppData\Local\Temp\tafoe.exe
| MD5 | 46ec469bd1e447d04562bf8d91280578 |
| SHA1 | cdab05853778b17479565225b502a366a24fee19 |
| SHA256 | c76d8aa4a98e4add5e97c62acd64e511783378438b93a95756b610563d0bba58 |
| SHA512 | eea085dce1e65f6f9aa79245fc00d60d8a6cce261077202c4a13bcec901985cf30366b5121da55fcdaed5c45fab7de8f2c7bf4f57b407622a050906a1746041c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 11:53
Reported
2024-10-07 11:56
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wihuk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wihuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afpos.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wihuk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\afpos.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe
"C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe"
C:\Users\Admin\AppData\Local\Temp\wihuk.exe
"C:\Users\Admin\AppData\Local\Temp\wihuk.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\afpos.exe
"C:\Users\Admin\AppData\Local\Temp\afpos.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wihuk.exe
| MD5 | c41ed6c9f8bef9f70d484d99530e4be0 |
| SHA1 | 590913482f7a7602ee18629d5b3dd490f1d63c01 |
| SHA256 | f4d81b5541a0c85da0e21ee01ce8794bd514bcf409f14fe45f6c169ab0078777 |
| SHA512 | 30b270c105ed0bfb46ae33edea34b3d37b9dea23e96daa0c5d9eec353b40c11d3a51576eb298d12e6587262585461c158a50bba735dba2c0ef8a9c091553b75b |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 398b693664e2956c2bc3e3f798674b61 |
| SHA1 | ba41c38c2976a65c6ec5b3c45e74255daf254ea1 |
| SHA256 | 4fcccbdbf1222ebe99b4c127304aef73b0ce95ecd6b25453b6dc2a75de33a30a |
| SHA512 | b4fb040828ad6c4d1d1dd3cbd6d36b2d533dccb00e9a1327663877f08b692a76eb8b311be5fad9aa0b64867504bba56f16cb085602f74f26c61b14ec1f019776 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 22de7aaa0bf08e4bd1225b5bb04f935f |
| SHA1 | bb9a3513e3ce1d9c39b2525741938a23b1072298 |
| SHA256 | fa8463e35d72269e3e487d8bb586db3ee686c6215047fe066fd495eeee7c27e6 |
| SHA512 | 4993665aeb6f3ee1d32775233afe24b348ae1e2e145d4fd26013d1f83008f7f3ffe6b2bde961cef844e88bf4cabaa200664148c4c28ef6f0d2f69a5dbd85a23c |
C:\Users\Admin\AppData\Local\Temp\afpos.exe
| MD5 | 30dd051dbfb8c4168acfccab9eadf8bb |
| SHA1 | 11e195a770745ec99effe7892229bfbaa0d972ac |
| SHA256 | 98a8c667fed588591999b2e0c5f3dc2e31068969eb7e23167f2c172a35016915 |
| SHA512 | 85a0a421050cd8a83de8b1418127ae24086b25f53918e63103b397d881d853e876aed50b11fc5fe05cef94526ae719b027a6d10d8526c013505ef2229ece93e4 |