Analysis Overview
SHA256
918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170
Threat Level: Known bad
The file 918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 11:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 11:39
Reported
2024-10-07 11:41
Platform
win7-20240903-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xesol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\koqek.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xesol.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xesol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\koqek.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe
"C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe"
C:\Users\Admin\AppData\Local\Temp\xesol.exe
"C:\Users\Admin\AppData\Local\Temp\xesol.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\koqek.exe
"C:\Users\Admin\AppData\Local\Temp\koqek.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2516-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2516-0-0x0000000000F40000-0x0000000000FC1000-memory.dmp
\Users\Admin\AppData\Local\Temp\xesol.exe
| Hash | Value |
|---|---|
| MD5 | 0d0f2d39a81520cd78ccfdc82c5bd441 |
| SHA1 | 1a220bcc2038c814c30e2bcbd743b091bc5070b0 |
| SHA256 | e46a437cb6c90d95934d2bd8389e1bff85ea08f3cd97bfad568f78168f9f2933 |
| SHA512 | ed32d7c8ff18d8068ab72c10e0610805321f97d97f954fe2b20d1dcee4940c9bd6af1e5eb22c2048233b14a1519a286f8ac5b79d72ea744018905f1daed5cf7b |
memory/2516-9-0x0000000002530000-0x00000000025B1000-memory.dmp
memory/2308-18-0x0000000000D80000-0x0000000000E01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Hash | Value |
|---|---|
| MD5 | 398b693664e2956c2bc3e3f798674b61 |
| SHA1 | ba41c38c2976a65c6ec5b3c45e74255daf254ea1 |
| SHA256 | 4fcccbdbf1222ebe99b4c127304aef73b0ce95ecd6b25453b6dc2a75de33a30a |
| SHA512 | b4fb040828ad6c4d1d1dd3cbd6d36b2d533dccb00e9a1327663877f08b692a76eb8b311be5fad9aa0b64867504bba56f16cb085602f74f26c61b14ec1f019776 |
memory/2308-21-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2516-20-0x0000000000F40000-0x0000000000FC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 6c8867c6d004cc6129be924cb341f24a |
| SHA1 | 26893779e5380772f3a90f279223fc2a34695e6e |
| SHA256 | 81cb67b0f9745b7a32adb23a60f6b020f3cde46d78e96c6f4d1c514803e5414f |
| SHA512 | 7cd8e3f411809ead4b9f5044cca6b88cc1dac9cf56d6ac654c55ade930ef4de9be80beb72adaa4c8d113f6a9708d9ea49f9c5306c4fcc04560d9c5735b1d2e75 |
memory/2308-25-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2308-24-0x0000000000D80000-0x0000000000E01000-memory.dmp
memory/2308-38-0x0000000002CE0000-0x0000000002D79000-memory.dmp
\Users\Admin\AppData\Local\Temp\koqek.exe
| Hash | Value |
|---|---|
| MD5 | 9bc7720d6b54d7045784a2780efdc274 |
| SHA1 | 2a4a270ff1300090d15e940f03e7a02bd306a7a0 |
| SHA256 | 6dcc5e571c76bb93d53f8754baa77c82a549de30619286a4fbe11ccbcf4641b8 |
| SHA512 | 2ccc403b0c1a86a30472d2dc3ffa87d047029b6b586da83d5b89bf581cd9e02ae19a2954b4d24b003e0337727aacde9268fb8f6a68c41300379a98f20b510159 |
memory/2308-42-0x0000000000D80000-0x0000000000E01000-memory.dmp
memory/2656-43-0x00000000010F0000-0x0000000001189000-memory.dmp
memory/2656-47-0x00000000010F0000-0x0000000001189000-memory.dmp
memory/2656-48-0x00000000010F0000-0x0000000001189000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 11:39
Reported
2024-10-07 11:41
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\luovt.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\luovt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lelyy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\luovt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lelyy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe
"C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe"
C:\Users\Admin\AppData\Local\Temp\luovt.exe
"C:\Users\Admin\AppData\Local\Temp\luovt.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\lelyy.exe
"C:\Users\Admin\AppData\Local\Temp\lelyy.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/4680-0-0x0000000000500000-0x0000000000581000-memory.dmp
memory/4680-1-0x0000000000D70000-0x0000000000D71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\luovt.exe
| Hash | Value |
|---|---|
| MD5 | 35ba3a017c4eafe84e4f16f06e479b9a |
| SHA1 | b9144d3f9acbb6ebf655d3cf0e348f8a59590043 |
| SHA256 | fc5424255c7d4e61f542dada42c0db31de8db3f151b043132d8e826f03541a43 |
| SHA512 | db902939bd5ff0ade833539cc3c8e6c7aa1151d967131282517e8057d29d2f7ebf1f3fc740be5c223603af2af9ace1907a81e0d1e51197cca38a6661fa879c6c |
memory/640-11-0x0000000000A30000-0x0000000000AB1000-memory.dmp
memory/640-14-0x00000000009E0000-0x00000000009E1000-memory.dmp
memory/4680-17-0x0000000000500000-0x0000000000581000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Hash | Value |
|---|---|
| MD5 | 398b693664e2956c2bc3e3f798674b61 |
| SHA1 | ba41c38c2976a65c6ec5b3c45e74255daf254ea1 |
| SHA256 | 4fcccbdbf1222ebe99b4c127304aef73b0ce95ecd6b25453b6dc2a75de33a30a |
| SHA512 | b4fb040828ad6c4d1d1dd3cbd6d36b2d533dccb00e9a1327663877f08b692a76eb8b311be5fad9aa0b64867504bba56f16cb085602f74f26c61b14ec1f019776 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 302280cec29e45e6ccf6bf473d61a913 |
| SHA1 | 704e58e2d17f96b6fd39f7f4d8889a7d61cb410a |
| SHA256 | f95bede7750bc04342c882324b7948ba2df8e151dff76fe52960aa4cff51384f |
| SHA512 | 580cd5932b8195aff027479edb63c87a437dab5728bd0a76cddb331d14a2f6a5dbad968105dfe55e2a4eec6f7cf8107b9b9cb29748096371f247a9870de86750 |
memory/640-20-0x0000000000A30000-0x0000000000AB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lelyy.exe
| Hash | Value |
|---|---|
| MD5 | ce825f75ddaa525a7e3fc081ebc977f3 |
| SHA1 | a589f6e350766abe007b1fd3e49796ba67f3cb81 |
| SHA256 | 7ac0c8790176b220fb43c643d084a4cf7409fc3ef8b103461cc5932c71f9ada4 |
| SHA512 | 92803196791c1a613380de15d2035401ddc608d609c6f39a91bc84348d826800cf40f567de2ec0640e8d32c9095add20cd74de7596c71fbe622b5d02e9dd6724 |
memory/640-40-0x0000000000A30000-0x0000000000AB1000-memory.dmp
memory/2152-41-0x0000000000730000-0x00000000007C9000-memory.dmp
memory/2152-38-0x0000000001110000-0x0000000001112000-memory.dmp
memory/2152-37-0x0000000000730000-0x00000000007C9000-memory.dmp
memory/2152-46-0x0000000001110000-0x0000000001112000-memory.dmp
memory/2152-45-0x0000000000730000-0x00000000007C9000-memory.dmp
memory/2152-47-0x0000000000730000-0x00000000007C9000-memory.dmp