Analysis Overview
SHA256
12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04
Threat Level: Known bad
The file 12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 15:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 15:42
Reported
2024-10-08 15:45
Platform
win7-20240729-en
Max time kernel
149s
Max time network
78s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tetox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biwyk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tetox.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tetox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biwyk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe
"C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe"
C:\Users\Admin\AppData\Local\Temp\tetox.exe
"C:\Users\Admin\AppData\Local\Temp\tetox.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\biwyk.exe
"C:\Users\Admin\AppData\Local\Temp\biwyk.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1456-0-0x0000000000EE0000-0x0000000000F61000-memory.dmp
memory/1456-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\tetox.exe
| MD5 | e6b905206d0d2f738b073a011992986a |
| SHA1 | 843627cc13e23c9091222a94758975d57ab0669a |
| SHA256 | 613b2f4186dfa420956d606dbd84462a7aa605411e29f71bb93d93740819c446 |
| SHA512 | 9691abc521c4307311fce8edd0f146c237a36b55a9218fd5c485013ddec6f71ecffb1d2dd0f29b822f5d31370476f5493ed1fe5aaf68a52fca6d941fa7f43184 |
memory/1456-7-0x0000000002780000-0x0000000002801000-memory.dmp
memory/2940-18-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 3c51bcaa5da5fa784fb29c00bfda4618 |
| SHA1 | f98248a0f4c3bc4b2ff4a509de8bf8d42e85d174 |
| SHA256 | feeee607be7e00b06fc8319a237ae7637d12ffd097f4d57c433ad86f872a4649 |
| SHA512 | a5d8f0f4c4a1fd2943193bc1c9a83500eb8920579815086e6cc847d4b514cf57c9675d79abcca8fb1a0665253b09f521b7d243debc0bc80179facb828aa5d6b5 |
memory/2940-13-0x0000000000C10000-0x0000000000C91000-memory.dmp
memory/1456-21-0x0000000000EE0000-0x0000000000F61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9736f58558b741767606417811c85052 |
| SHA1 | 675356951e174842eace35f78f2d32a61b581eed |
| SHA256 | 91efedd19e40c3cb35af4a9597b2a85a228e4da8f4d4cf3c18ff7255def145c6 |
| SHA512 | 74ed465c9e35ae11cca47c7b7b146b6624a9ed96b75db52e03e4f5096e7d1ed9f2fde00e9078d2a62bf1f6661b60ee7faace6f2e547a5a08066e3e3ff4c6005c |
memory/2940-24-0x0000000000C10000-0x0000000000C91000-memory.dmp
\Users\Admin\AppData\Local\Temp\biwyk.exe
| MD5 | 8ba74132f824084ab9e8af6d8fd6f82a |
| SHA1 | 11ffa1626daf4e319959f00b0509cd988a51bfc4 |
| SHA256 | 975d924311c801c8267c51daa0e30b7c0157844aa167b2175c7149ed0f5fc8d5 |
| SHA512 | 44d16a5bdefee16d632fc1da99e209184ce02a1da7f6b88f7cc4ff099df1c50935394a0de7ff64ad5f49f144cec8e265c51794b86b64da74c4c64b498c58652e |
memory/2948-42-0x00000000012B0000-0x0000000001349000-memory.dmp
memory/2940-40-0x0000000000C10000-0x0000000000C91000-memory.dmp
memory/2940-38-0x0000000003670000-0x0000000003709000-memory.dmp
memory/2948-43-0x00000000012B0000-0x0000000001349000-memory.dmp
memory/2948-47-0x00000000012B0000-0x0000000001349000-memory.dmp
memory/2948-48-0x00000000012B0000-0x0000000001349000-memory.dmp
memory/2948-49-0x00000000012B0000-0x0000000001349000-memory.dmp
memory/2948-50-0x00000000012B0000-0x0000000001349000-memory.dmp
memory/2948-51-0x00000000012B0000-0x0000000001349000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 15:42
Reported
2024-10-08 15:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vekoz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vekoz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\belou.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vekoz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\belou.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe
"C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe"
C:\Users\Admin\AppData\Local\Temp\vekoz.exe
"C:\Users\Admin\AppData\Local\Temp\vekoz.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\belou.exe
"C:\Users\Admin\AppData\Local\Temp\belou.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/2276-0-0x0000000000470000-0x00000000004F1000-memory.dmp
memory/2276-1-0x0000000001200000-0x0000000001201000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vekoz.exe
| MD5 | 0c9f21830fe67a1f90d96b1e1ffe469e |
| SHA1 | ae399e92cb4b77c29b286f042d497a7f69936dcb |
| SHA256 | bbe877630af4519868c972661a9906c011ceafd20ec7d918036a0a990fa152d2 |
| SHA512 | c07971d22d33a40fa456b821e3550f30f126a2e5477449845f9890530179b9a2ec565c6f53090e4ba4f495a7a3dc698687d73d3aca6004bb5fe1b07838c128b7 |
memory/3808-14-0x0000000000A80000-0x0000000000A81000-memory.dmp
memory/3808-11-0x0000000000B10000-0x0000000000B91000-memory.dmp
memory/2276-17-0x0000000000470000-0x00000000004F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 3c51bcaa5da5fa784fb29c00bfda4618 |
| SHA1 | f98248a0f4c3bc4b2ff4a509de8bf8d42e85d174 |
| SHA256 | feeee607be7e00b06fc8319a237ae7637d12ffd097f4d57c433ad86f872a4649 |
| SHA512 | a5d8f0f4c4a1fd2943193bc1c9a83500eb8920579815086e6cc847d4b514cf57c9675d79abcca8fb1a0665253b09f521b7d243debc0bc80179facb828aa5d6b5 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ccbb3679795f249040d619c7f85f42eb |
| SHA1 | d922b4f00a0902428b2fd09004f92b77e5764e20 |
| SHA256 | 77f3fb5565ad83ad23a39c2cd959ccbc2a4022cb0abfefd737f3b3922bf9fdbe |
| SHA512 | 5efb9039ffe1e3a6980b2dfd5cc3c6d4dfef3373cf5ebb235d89907fc5fdf8c4de7f95f21a91b0bca278f6685481adec6ae368e7bc0fc418dcfee1b2f21c412e |
memory/3808-21-0x0000000000A80000-0x0000000000A81000-memory.dmp
memory/3808-20-0x0000000000B10000-0x0000000000B91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\belou.exe
| MD5 | 9dc9b94af5facd8969f7e04d79587f0e |
| SHA1 | 580c964298aa45caaa11975342b124f15cc8a4fb |
| SHA256 | f0ba314310aef98612c3d3d8dd5a0b81183e6e6e9139ea78fc0753ddc8459922 |
| SHA512 | d7f1a0fdae32736de8bee4773ba78a55b299a4600a37a6532613c3e94d447adc7c1375f452fcc0c9b6b94e1ca1d3c283dcc05ffab3ea7e679b2118ba69b84029 |
memory/2600-39-0x00000000004D0000-0x00000000004D2000-memory.dmp
memory/2600-38-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/2600-40-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/3808-44-0x0000000000B10000-0x0000000000B91000-memory.dmp
memory/2600-47-0x00000000004D0000-0x00000000004D2000-memory.dmp
memory/2600-46-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/2600-48-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/2600-49-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/2600-50-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/2600-51-0x0000000000B30000-0x0000000000BC9000-memory.dmp