Analysis Overview
SHA256
5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e
Threat Level: Known bad
The file 5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Deletes itself
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 22:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 22:01
Reported
2024-10-08 22:04
Platform
win7-20240729-en
Max time kernel
149s
Max time network
77s
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\moyzy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uftiv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\moyzy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\moyzy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uftiv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe | "C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe" |
| C:\Users\Admin\AppData\Local\Temp\moyzy.exe | "C:\Users\Admin\AppData\Local\Temp\moyzy.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" " |
| C:\Users\Admin\AppData\Local\Temp\uftiv.exe | "C:\Users\Admin\AppData\Local\Temp\uftiv.exe" |
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | N/A | tcp |
| KR | 1.234.83.146:11170 | N/A | tcp |
| KR | 218.54.31.166:11300 | N/A | tcp |
| JP | 133.242.129.155:11300 | N/A | tcp |
Files
memory/1456-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1456-0-0x00000000012A0000-0x0000000001321000-memory.dmp
\Users\Admin\AppData\Local\Temp\moyzy.exe
| MD5 | 44e98094889fba9a2806a9f4546e4559 |
| SHA1 | 964a8229dee8ddba4fbe3e01c9169e6c5a3e6fc3 |
| SHA256 | d2a4f5da0f1294ac2211836b7ae90038a71b27a53d2fa8cc644bda71c1adf722 |
| SHA512 | 84dc777438690c856624e12046b07302545808bc8969216bcf25d95e256a6f217b052d8ad9c281f1884726278d0620cc4eea49a3d991d84e6fa2ded13d112fe0 |
memory/1456-7-0x0000000000DB0000-0x0000000000E31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | fbfb7b91e0cdb39726fa90448b3a9d1f |
| SHA1 | 4ed30980d6912d8aec5bd36619ce12fd69b0fc8f |
| SHA256 | 0cc8e7ab90d9cba6e791c851edae93e2d72dea64fce3460f14b339f44228494d |
| SHA512 | bcc96519fc24f6a9cbb41cc965a3ea95b94d219f736aba94fedda07183b603ee7059314d05f6090c247713a32bfa2623308cfc11a36e17e25783b99ed2e460c6 |
memory/2940-17-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1456-20-0x00000000012A0000-0x0000000001321000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 60648468bd63cbb99c56666d9194a785 |
| SHA1 | 274f5b87a1216507f9c3f69eb3ab1e3b7254fcfb |
| SHA256 | 0622295469f95a0a16c7cb27fe9919eb68a59d695fa6c0a6d9f264f8b8baea0a |
| SHA512 | 05e8d80e23a0cf9185b799bd94d911f096a0a4134a5134c43b05f19dbdf00698959c752db869a7f8e5a1d9bea2ec76391853661bbe7f0568b1106bf088ed411d |
memory/2940-23-0x0000000000E30000-0x0000000000EB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uftiv.exe
| MD5 | 0de8212d2711bad3ea09e9ec1b9ab5d3 |
| SHA1 | f10e2da259c99b7abcce8c688c1a0cfed3f9eba1 |
| SHA256 | e71056b8ce3c3ff59422714eb3060ded31cefe7d18bdbc62bdb1f9b18104047c |
| SHA512 | 69478c3e9f367af4215b296378a72fd3f09de0a75e1e2c8ed169f85b8c2b930aa64cdcbe91f396c2e53a58bd142e779a23d842152996f27a764b19a51c6995ba |
memory/348-41-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/2940-40-0x0000000003300000-0x0000000003399000-memory.dmp
memory/2940-39-0x0000000000E30000-0x0000000000EB1000-memory.dmp
memory/348-42-0x0000000000B30000-0x0000000000BC9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\moyzy.exe
| MD5 | 4fa5152d5ecdfa88cdd1742b7fd34212 |
| SHA1 | 592d32fb202c3ae76979f3baa8049e806d782625 |
| SHA256 | 29353bb596de19d3cb25b0836c4bf18be8e4207a368849dd82cafbcf40a15d56 |
| SHA512 | 8be9aed579be4cc3d5fe82e75102f41deeb902613d500afb02f5a089205f680da4e3a654e5d6ec6fa77c3c1bd6d4413c12cd16ff180a430f1c07b318e664778b |
memory/348-47-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/348-48-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/348-49-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/348-50-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/348-51-0x0000000000B30000-0x0000000000BC9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 22:01
Reported
2024-10-08 22:04
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
107s
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dywut.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dywut.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sunet.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dywut.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sunet.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe | "C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe" |
| C:\Users\Admin\AppData\Local\Temp\dywut.exe | "C:\Users\Admin\AppData\Local\Temp\dywut.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" " |
| C:\Users\Admin\AppData\Local\Temp\sunet.exe | "C:\Users\Admin\AppData\Local\Temp\sunet.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | N/A | tcp |
| KR | 1.234.83.146:11170 | N/A | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | N/A | tcp |
Files
memory/3036-0-0x0000000000BD0000-0x0000000000C51000-memory.dmp
memory/3036-1-0x0000000000D30000-0x0000000000D31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dywut.exe
| MD5 | 5fb89bfe9c587b5acf47d8a1d9b149ef |
| SHA1 | 9a7f800c9a040c03b14b1b88ee113d49cb2291cf |
| SHA256 | b651f1b439416c74a4f524de9f88a9304da30f47d068cf2ffd7236b429492b71 |
| SHA512 | 0fb563cf1c4ccf78f7810f615e7744cc52b6623a25b840e65c16e1463847a9b57f86e97cdfb46e05441712cbaf83c671b9ecbae0d13142c9112fa93f928551fe |
memory/4288-11-0x00000000009A0000-0x0000000000A21000-memory.dmp
memory/4288-14-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
memory/3036-16-0x0000000000BD0000-0x0000000000C51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | fbfb7b91e0cdb39726fa90448b3a9d1f |
| SHA1 | 4ed30980d6912d8aec5bd36619ce12fd69b0fc8f |
| SHA256 | 0cc8e7ab90d9cba6e791c851edae93e2d72dea64fce3460f14b339f44228494d |
| SHA512 | bcc96519fc24f6a9cbb41cc965a3ea95b94d219f736aba94fedda07183b603ee7059314d05f6090c247713a32bfa2623308cfc11a36e17e25783b99ed2e460c6 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7b2e9b68eb5742db76ebc45b99509c69 |
| SHA1 | 9f655ee8392c919f3cb091b7cbbafc259b10a4b7 |
| SHA256 | 7fd140c8eddb6ff8d651cc81503e210e8dddf2595e1e2df222a6460f2f309ae9 |
| SHA512 | 88bd9c0080ba51347ccde73294a6f18c4ca397529eac35a291c65c5e1057aa58f9d3986cfac84d3614f304d2baea1c6964a3b4b3f8d605f8f913804b474d2aa3 |
memory/4288-19-0x00000000009A0000-0x0000000000A21000-memory.dmp
memory/4288-20-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sunet.exe
| MD5 | dc3619b94cadd205f52bd837b2d1693c |
| SHA1 | 155714e7c92be4530cd3e5e87fbffaba5315b6f4 |
| SHA256 | ea957562dd02dac3511071630744c3615f2ccdc94e3c41bcdc0f2be384df7d17 |
| SHA512 | 18884299a036fa6bfd76b2618c8d36f0bbe0b132a530e32405a51d3e7ee561df0adc2f48cfd1bcf12b48135fad637c7c132b66648db229f8f588d4872b8566db |
memory/760-38-0x00000000013B0000-0x00000000013B2000-memory.dmp
memory/760-37-0x0000000000730000-0x00000000007C9000-memory.dmp
memory/4288-40-0x00000000009A0000-0x0000000000A21000-memory.dmp
memory/760-41-0x0000000000730000-0x00000000007C9000-memory.dmp
memory/760-46-0x00000000013B0000-0x00000000013B2000-memory.dmp
memory/760-45-0x0000000000730000-0x00000000007C9000-memory.dmp
memory/760-47-0x0000000000730000-0x00000000007C9000-memory.dmp
memory/760-48-0x0000000000730000-0x00000000007C9000-memory.dmp
memory/760-49-0x0000000000730000-0x00000000007C9000-memory.dmp
memory/760-50-0x0000000000730000-0x00000000007C9000-memory.dmp