Analysis Overview
SHA256
5b6cdf869ba371bdf9f4b449a658507bde4c6aadaabe4fc65df106c473ef2c01
Threat Level: Known bad
The file 5b6cdf869ba371bdf9f4b449a658507bde4c6aadaabe4fc65df106c473ef2c01N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 12:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 12:59
Reported
2024-10-07 14:31
Platform
win7-20240903-en
Max time kernel
121s
Max time network
98s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fusym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzeju.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b6cdf869ba371bdf9f4b449a658507bde4c6aadaabe4fc65df106c473ef2c01N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fusym.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uzeju.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b6cdf869ba371bdf9f4b449a658507bde4c6aadaabe4fc65df106c473ef2c01N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fusym.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5b6cdf869ba371bdf9f4b449a658507bde4c6aadaabe4fc65df106c473ef2c01N.exe
"C:\Users\Admin\AppData\Local\Temp\5b6cdf869ba371bdf9f4b449a658507bde4c6aadaabe4fc65df106c473ef2c01N.exe"
C:\Users\Admin\AppData\Local\Temp\fusym.exe
"C:\Users\Admin\AppData\Local\Temp\fusym.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\uzeju.exe
"C:\Users\Admin\AppData\Local\Temp\uzeju.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2952-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2952-0-0x0000000000940000-0x00000000009C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\fusym.exe
| Hash | Value |
| --- | --- |
| MD5 | 16e60039465903053bf334bc00d11455 |
| SHA1 | 0482f1a2450f2522a782827dd8c558bbefbd78ce |
| SHA256 | 2e72634cee0ee2beb0871c2f69ba4f7caa454ff6aee319eb601a6864730bada7 |
| SHA512 | cfae651831ea4626417d69034f12e6179b1fee50e7c2ade7abb7d64e00dfdadd5b19ccec88c78708712453bc89b5f4e2c6a013c4a8ba280494b81371b9df6b20 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Hash | Value |
| --- | --- |
| MD5 | cc4a03ef659bc58c63a71aef862cf701 |
| SHA1 | 370c348f9d352254bff715b4c5c56dfe4b9eb537 |
| SHA256 | 2c241f2176434dcba6fe65d39fdbb4ab1b96d7d88d30b953436acc048405d8b0 |
| SHA512 | de9a82911b6837a274601168c02495fab1b767fd0c196e8ad2f644017f87855ad22e11923722e31836326c1f242cb39ae4e5bf9148517ca21ae61d6e2c671851 |
memory/2784-12-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2784-11-0x0000000000C30000-0x0000000000CB1000-memory.dmp
memory/2952-9-0x0000000002620000-0x00000000026A1000-memory.dmp
memory/2952-21-0x0000000000940000-0x00000000009C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | 7ce67a81029dcc898258d0ba523d4bd8 |
| SHA1 | 3803196db1a84048efd6035bcb14480dcd9be6bc |
| SHA256 | abab28c5188a97a46a2ac409ccca01cfca8463f4dcda6e3c40518a3adb178e79 |
| SHA512 | 25b0c267c43fc810a29da1fced30887f5abeb4f86f8944a5255859e354d762021eb0c7eb264df9be2046ae3594586bbcf5925bbeffb02b37f148fd321f0f10ea |
memory/2784-25-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2784-24-0x0000000000C30000-0x0000000000CB1000-memory.dmp
\Users\Admin\AppData\Local\Temp\uzeju.exe
| Hash | Value |
| --- | --- |
| MD5 | 22c8a6b708887bed19577eca8ac3f8e6 |
| SHA1 | 6ea8fbd7f72ede8c5a1a64153821f615d64af6c7 |
| SHA256 | 2086ede3faec18fdfa390d6739a1b9870e6af51f35121d8c921954bd24356231 |
| SHA512 | 9862674c222bcfd1175562d614c0c6f4f05e4347423777c3c4524bdf0fdf974829da2ed38d25d8433e88b61800108994ebee36d2a6d60f781fe614b565dc0855 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 12:59
Reported
2024-10-07 13:01
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5b6cdf869ba371bdf9f4b449a658507bde4c6aadaabe4fc65df106c473ef2c01N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gumyl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gumyl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sygov.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b6cdf869ba371bdf9f4b449a658507bde4c6aadaabe4fc65df106c473ef2c01N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gumyl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sygov.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5b6cdf869ba371bdf9f4b449a658507bde4c6aadaabe4fc65df106c473ef2c01N.exe
"C:\Users\Admin\AppData\Local\Temp\5b6cdf869ba371bdf9f4b449a658507bde4c6aadaabe4fc65df106c473ef2c01N.exe"
C:\Users\Admin\AppData\Local\Temp\gumyl.exe
"C:\Users\Admin\AppData\Local\Temp\gumyl.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\sygov.exe
"C:\Users\Admin\AppData\Local\Temp\sygov.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3196-0-0x0000000000DE0000-0x0000000000E61000-memory.dmp
memory/3196-1-0x0000000000D70000-0x0000000000D71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gumyl.exe
| Hash | Value |
| --- | --- |
| MD5 | f2f35adf27734f3a8a5d2da88db7321d |
| SHA1 | d483924246f28f349675c662c7f6e159ab55744e |
| SHA256 | 9b84bc990c1ef4e16eac8ffe813f22f838f1bd9c58c89e76a377b03aeb761758 |
| SHA512 | 4c6ccfaee0f1585651ede256fe8c2b0213f9ba14a46362f8a291cde52e173268aa460fcf7e0e13488f186f2a905757a07276fd7d6a7ef1f47234ab8bac2b8ebc |
memory/2612-13-0x0000000000810000-0x0000000000891000-memory.dmp
memory/2612-14-0x0000000000960000-0x0000000000961000-memory.dmp
memory/3196-17-0x0000000000DE0000-0x0000000000E61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Hash | Value |
| --- | --- |
| MD5 | cc4a03ef659bc58c63a71aef862cf701 |
| SHA1 | 370c348f9d352254bff715b4c5c56dfe4b9eb537 |
| SHA256 | 2c241f2176434dcba6fe65d39fdbb4ab1b96d7d88d30b953436acc048405d8b0 |
| SHA512 | de9a82911b6837a274601168c02495fab1b767fd0c196e8ad2f644017f87855ad22e11923722e31836326c1f242cb39ae4e5bf9148517ca21ae61d6e2c671851 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | 11ca1eaa56a80ae79ff8f463c69b963c |
| SHA1 | 03335ca4801c060548070ec0a6a17628e2063e71 |
| SHA256 | 649a318093eeb5b20c1a7db97f58c5f3aba95305a01390b6095e5a9a54e85e7c |
| SHA512 | 560b9640a5912887819119832ee46b0c6ee0d8d0736d9d0a852d130a1b28d02edd6290f544c9958a588fa452151bba1c6a12a522365c83b6e870c216f67afab3 |
memory/2612-20-0x0000000000810000-0x0000000000891000-memory.dmp
memory/2612-21-0x0000000000960000-0x0000000000961000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sygov.exe
| Hash | Value |
| --- | --- |
| MD5 | 8a17984ff4f3434c1c3104467be58f42 |
| SHA1 | 2dbbf18911cddc323391182b02d7a8ea098ea2e3 |
| SHA256 | 526b6af3b49b58afd791278d12767b885dc8e8f55356fb824ff917d6d4b65ced |
| SHA512 | 68ae5ba4e2ce9c1f258348144a0f51ec67ad56ab5d175af061abf54dad3ab72a3964652800ef1e7650bf2f58e74a3832a9925e95622ec207d380b5734256c1bf |