Analysis Overview
SHA256
12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04
Threat Level: Known bad
The file 12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 15:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 15:32
Reported
2024-10-08 15:35
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\jyvuy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jyvuy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buvuq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jyvuy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\buvuq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe
"C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe"
C:\Users\Admin\AppData\Local\Temp\jyvuy.exe
"C:\Users\Admin\AppData\Local\Temp\jyvuy.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\buvuq.exe
"C:\Users\Admin\AppData\Local\Temp\buvuq.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4028-0-0x00000000002A0000-0x0000000000321000-memory.dmp
memory/4028-1-0x00000000005E0000-0x00000000005E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jyvuy.exe
| MD5 | 1cb2c7f69e866fabb53e1c125a1b7958 |
| SHA1 | 84d8046f61bf752b000ad2b60ebe2155e702293d |
| SHA256 | 0b8c7cf18b76ad82e175db1fa23ee5305992b7d04b9cd6802616ecb04b44b80c |
| SHA512 | 2240433578708904dd5933e57a2748b8f8fb92cbce2a884a70900453261f78786c0447c92ba99d32c3b80d26417c058bde37caaa88b854613cfeac973848ca36 |
memory/4260-10-0x0000000000620000-0x00000000006A1000-memory.dmp
memory/4260-14-0x0000000000F50000-0x0000000000F51000-memory.dmp
memory/4028-17-0x00000000002A0000-0x0000000000321000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 3c51bcaa5da5fa784fb29c00bfda4618 |
| SHA1 | f98248a0f4c3bc4b2ff4a509de8bf8d42e85d174 |
| SHA256 | feeee607be7e00b06fc8319a237ae7637d12ffd097f4d57c433ad86f872a4649 |
| SHA512 | a5d8f0f4c4a1fd2943193bc1c9a83500eb8920579815086e6cc847d4b514cf57c9675d79abcca8fb1a0665253b09f521b7d243debc0bc80179facb828aa5d6b5 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9c2687920400384e22c4bfded3efb52f |
| SHA1 | 51ce201972f996d2154f507db6da9707496120c3 |
| SHA256 | f649501a408521a12222765c35c7098ebeb1e5d752b5d9103738c9ca34ade2a2 |
| SHA512 | 012d9fbc04ba9864cf03b448517134a2af1ae68b1a1e0904b011b08ac812cf68b2db91f42722702415487cc67cd30a2cdf5bbba9258c895631aeef60cbeffa98 |
memory/4260-20-0x0000000000620000-0x00000000006A1000-memory.dmp
memory/4260-21-0x0000000000F50000-0x0000000000F51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\buvuq.exe
| MD5 | 6b5ccad60ddeaf864a2b3d931a1487f2 |
| SHA1 | 247a653b8ebb2c14bfe1ffb94ddc7c42a442c999 |
| SHA256 | 7b35e047fd2e80d91a1cf059dd59fe1aa34050ee071c2863fb5e89ed33ed4e50 |
| SHA512 | a5c4519a5f937b67ec7784b4c4c2b506a7507b4a508f3a2a8d952c27a2eeaeef2342c6ea2351fe5f20e0c330cf26ef2ebe5c29a89a74e24afbd00eb8587b9293 |
memory/2452-38-0x00000000007E0000-0x0000000000879000-memory.dmp
memory/2452-42-0x00000000007E0000-0x0000000000879000-memory.dmp
memory/4260-41-0x0000000000620000-0x00000000006A1000-memory.dmp
memory/2452-39-0x00000000001E0000-0x00000000001E2000-memory.dmp
memory/2452-47-0x00000000001E0000-0x00000000001E2000-memory.dmp
memory/2452-46-0x00000000007E0000-0x0000000000879000-memory.dmp
memory/2452-48-0x00000000007E0000-0x0000000000879000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 15:32
Reported
2024-10-08 15:34
Platform
win7-20240903-en
Max time kernel
120s
Max time network
98s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qigil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poabb.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qigil.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qigil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poabb.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe
"C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe"
C:\Users\Admin\AppData\Local\Temp\qigil.exe
"C:\Users\Admin\AppData\Local\Temp\qigil.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\poabb.exe
"C:\Users\Admin\AppData\Local\Temp\poabb.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1088-0-0x0000000000F80000-0x0000000001001000-memory.dmp
memory/1088-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\qigil.exe
| MD5 | 7608aa08ae4297f2453398072622d4df |
| SHA1 | 1030cc82329dab61820fe113f0e18f9d092d405b |
| SHA256 | 301af3e748d92f35d57ed3f7f627b3a11531d1f498a66fda0b2d30fb56a6695d |
| SHA512 | b953a08b732041298a78c84360be015d42cd0145197a2852d3c7e931b54eee80206ed210f803a4640659f5d27d59a127d3e34e6b159703147582393f221d2f61 |
memory/1088-7-0x0000000002760000-0x00000000027E1000-memory.dmp
memory/2200-11-0x0000000000180000-0x0000000000201000-memory.dmp
memory/2200-12-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 3c51bcaa5da5fa784fb29c00bfda4618 |
| SHA1 | f98248a0f4c3bc4b2ff4a509de8bf8d42e85d174 |
| SHA256 | feeee607be7e00b06fc8319a237ae7637d12ffd097f4d57c433ad86f872a4649 |
| SHA512 | a5d8f0f4c4a1fd2943193bc1c9a83500eb8920579815086e6cc847d4b514cf57c9675d79abcca8fb1a0665253b09f521b7d243debc0bc80179facb828aa5d6b5 |
memory/1088-21-0x0000000000F80000-0x0000000001001000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | d5b6effec0a6a139e9ca5cf2f02c3b6d |
| SHA1 | ac3752f28c6a2590a6d9246083f35fc2cd6e1b38 |
| SHA256 | c18075a277ae341e02530ba4a55438a404d6062cae1b3b2465a0a97fe6c6aa37 |
| SHA512 | 510d8acd0b1e67ce77cec5b4d672608e0e48d2e62708ed420e76aafa70e5eff7236b63ac4db719f23fb486201890578619b19fbf6f789f0198fd497d8eb2ef79 |
memory/2200-24-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2200-25-0x0000000000180000-0x0000000000201000-memory.dmp
\Users\Admin\AppData\Local\Temp\poabb.exe
| MD5 | 8e28f3f29a76365e1f9cbd746e2b4c37 |
| SHA1 | 99704eb3bc4a5c37fd9db18ecd1f8b9686c8a0d0 |
| SHA256 | 696458d560f944041f5159bc774e41b0a3f6f1b13b3a444c9d6927383edd2c0b |
| SHA512 | 7acff0c8a747251318868536b125e1150f413b46b6f9030ca8ed396609410150bb7e7a324e13a98ec7eced838405a4d70d9af63fe7b583e2b2749a343e20abd3 |
memory/2200-38-0x0000000003760000-0x00000000037F9000-memory.dmp
memory/2304-43-0x0000000001100000-0x0000000001199000-memory.dmp
memory/2200-42-0x0000000000180000-0x0000000000201000-memory.dmp
memory/2304-44-0x0000000001100000-0x0000000001199000-memory.dmp
memory/2304-48-0x0000000001100000-0x0000000001199000-memory.dmp
memory/2304-49-0x0000000001100000-0x0000000001199000-memory.dmp