Analysis Overview
SHA256
c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb
Threat Level: Known bad
The file c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 02:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 02:58
Reported
2024-10-09 03:01
Platform
win7-20240903-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fewic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\egifg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fewic.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\egifg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fewic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe
"C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe"
C:\Users\Admin\AppData\Local\Temp\fewic.exe
"C:\Users\Admin\AppData\Local\Temp\fewic.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\egifg.exe
"C:\Users\Admin\AppData\Local\Temp\egifg.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1736-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1736-0-0x0000000000870000-0x00000000008F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\fewic.exe
| MD5 | 9a125830878af97b5cce931a45c9f088 |
| SHA1 | 9b49675372318d4a5a9da26ec0ad63f6e13848aa |
| SHA256 | 5236438db000c9b4db3f0ceb6691e69e8b9a4e278ba4626b5c92832129f60cb3 |
| SHA512 | 7e18e44e980a966c32d4ae26f79ab144fc535e6acc56c16e2f3a2ded1e5de0d3a929ac5f674d4887eb9fa03b255f7cd5c066abeaaea15d2a2650b04a689dbfe2 |
memory/2440-19-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2440-18-0x0000000000BB0000-0x0000000000C31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 27eb9daf208f7037672259c5ffa7e22d |
| SHA1 | eaba537b6e850060417eed1f43334537f1c72f8d |
| SHA256 | 2f1e893d21676fba07a8daf902c4f48b3b838258c21bfa5da1f3aeb4150c42d6 |
| SHA512 | 3ff71c7d47648141909027c8902d13e06aa8bdc816846b65b099aa449b793fa6ee892c8449ddcf1ed229b535d579df3d1ead4f20cb2ddbec5b580c7f3c2904e5 |
memory/1736-9-0x00000000022B0000-0x0000000002331000-memory.dmp
memory/1736-21-0x0000000000870000-0x00000000008F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8121471e5155c91a47c8a31c473a681b |
| SHA1 | c9b228a842da74d072167b5a3a0f8762dbd01674 |
| SHA256 | b5a87849aba6673ea8e9cc74fcbb24b84b2c8c641313f8e3fcd1e1bdd4eb76ef |
| SHA512 | da76a4c0c036883e33c6a81537f452c0b8a2ae2d3efdfd58fe40ebae9dd1c820c28d4b7f8d83ce0e01af3d4c088cb75715f688b6e423922412160ad0b05e9ed0 |
memory/2440-24-0x0000000000BB0000-0x0000000000C31000-memory.dmp
memory/2440-38-0x0000000002CA0000-0x0000000002D39000-memory.dmp
memory/484-42-0x0000000000DE0000-0x0000000000E79000-memory.dmp
memory/484-45-0x0000000000DE0000-0x0000000000E79000-memory.dmp
memory/2440-41-0x0000000000BB0000-0x0000000000C31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\egifg.exe
| MD5 | c1c7e990b3b4524717b4d9050bc3d71f |
| SHA1 | 455fb76ba51c477484b6bf7cc87f480fb4f0c151 |
| SHA256 | e494e81a831f6578b8ee1ad48477ac6a6e907d63bf8bb3e5dbd64afc88524543 |
| SHA512 | b666ab145eb8d43060f8d35b0565dd816f419922fafd72a6de18edcb6d81968c48ccae627fe347e5dc3359fecd89a576552099e8b4eec44470625e1de9cb2ae0 |
memory/484-47-0x0000000000DE0000-0x0000000000E79000-memory.dmp
memory/484-48-0x0000000000DE0000-0x0000000000E79000-memory.dmp
memory/484-49-0x0000000000DE0000-0x0000000000E79000-memory.dmp
memory/484-50-0x0000000000DE0000-0x0000000000E79000-memory.dmp
memory/484-51-0x0000000000DE0000-0x0000000000E79000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 02:58
Reported
2024-10-09 03:00
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zaaxx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zaaxx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\liqoi.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\liqoi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zaaxx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
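Both the NLS\Language open and the Geo\Nation query above are recorded as native (\REGISTRY\...) paths. The Python below is an added example, not part of the report or of any sandbox product: it rewrites those paths into the HKLM/HKU form detection rules are normally written against, maps them to the ATT&CK IDs for the technique names the report uses (T1614 System Location Discovery, T1614.001 System Language Discovery), and shows why the language-key rule is low-signal on its own: the table above lists cmd.exe opening the same key. The process/key pairs are copied from the behavioral2 tables; the rule patterns and the Temp-path filter are assumptions of this example.

```python
from fnmatch import fnmatchcase

# Native hive prefixes as the sandbox records them, mapped to the HKLM/HKU form
# most Windows telemetry and detection rules use.
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}


def to_win32(native: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE\\... to HKLM\\... and \\REGISTRY\\USER\\... to HKU\\..."""
    for prefix, hive in HIVES.items():
        if native.upper().startswith(prefix):
            return hive + native[len(prefix):]
    raise ValueError("unknown hive prefix: " + native)


# ATT&CK mapping for the two keys in the report (patterns are this example's, not the report's).
# ControlSet001 is also reached through the CurrentControlSet link, so the control-set segment is left open.
RULES = [
    ("T1614.001", "System Language Discovery", "HKLM\\SYSTEM\\*\\Control\\NLS\\Language"),
    ("T1614", "System Location Discovery", "HKU\\S-1-5-21-*\\Control Panel\\International\\Geo\\Nation"),
]

TEMP_DIR = "\\appdata\\local\\temp\\"


def classify(events):
    """(process image, technique id) for every registry event that matches a rule."""
    out = []
    for proc, native in events:
        key = to_win32(native).lower()
        for tid, _name, pattern in RULES:
            if fnmatchcase(key, pattern.lower()):
                out.append((proc, tid))
    return out


def prioritised(events):
    """Same rules, restricted to images under a user Temp directory: the NLS\\Language open alone is noise."""
    return [(p, t) for p, t in classify(events) if TEMP_DIR in p.lower()]


SID = "S-1-5-21-493223053-2004649691-1575712786-1000"
NLS = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"
GEO = "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation"
T = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = T + "c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe"
# Process/key pairs copied from the behavioral2 signature tables.
EVENTS = [
    (T + "liqoi.exe", NLS),
    (SAMPLE, NLS),
    (T + "zaaxx.exe", NLS),
    ("C:\\Windows\\SysWOW64\\cmd.exe", NLS),
    (SAMPLE, GEO),
    (T + "zaaxx.exe", GEO),
]

if __name__ == "__main__":
    for proc, tid in classify(EVENTS):
        print(tid, proc)
    print("after Temp-path filter:", len(prioritised(EVENTS)), "of", len(classify(EVENTS)))
```

classify() fires six times, once of them for cmd.exe, a signed system binary that opens NLS\Language as a matter of course; prioritised() keeps the five events whose image sits in the user's Temp directory, which is the context that makes the language check worth an alert.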
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe
"C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe"
C:\Users\Admin\AppData\Local\Temp\zaaxx.exe
"C:\Users\Admin\AppData\Local\Temp\zaaxx.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\liqoi.exe
"C:\Users\Admin\AppData\Local\Temp\liqoi.exe"
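The same dropper chain appears in both detonations: the submitted exe starts a second, randomly named exe from the user's Temp directory (fewic.exe and egifg.exe on win7, zaaxx.exe and liqoi.exe on win10), and cmd.exe runs _uinsey.bat from the same directory, the step the report credits with "Deletes itself" (a batch file is the usual way a dropper removes itself after exit; the batch contents are not shown here). The Python below is an added example, not part of the report or of any sandbox tooling: it encodes that chain as a process-tree detection and runs it over constructed process-creation records. The image paths, command lines and the three pids come from the behavioral1 section; the parent links, the explorer.exe parent and the cmd.exe pids are assumptions, since the report lists processes but not who spawned whom.

```python
import re
from dataclasses import dataclass

# A PE under a user's Temp directory: where both detonations dropped their second stage.
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Matches both 'cmd /c ""<path>.bat" "' and 'C:\Windows\system32\cmd.exe /c ""<path>.bat" "'.
CMD_BAT = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*(?P<bat>[a-z]:\\[^"]+\.bat)', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def is_temp_pe(path: str) -> bool:
    return bool(TEMP_DIR.match(path)) and path.lower().endswith(".exe")


def tag_event(ev: ProcEvent, by_pid: dict) -> list:
    """Behavioural tags for one process-creation event, using its parent for context."""
    tags = []
    parent = by_pid.get(ev.ppid)
    if is_temp_pe(ev.image) and parent is not None and is_temp_pe(parent.image):
        tags.append("temp_pe_spawns_temp_pe")  # a dropped EXE executing another dropped EXE
    m = CMD_BAT.search(ev.cmdline)
    if ev.image.lower().endswith("\\cmd.exe") and m and TEMP_DIR.match(m.group("bat")):
        tags.append("cmd_runs_temp_bat")  # the _uinsey.bat launch behind "Deletes itself"
    return tags


def detect(events):
    """Map pid -> tags for every event that matched at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        tags = tag_event(e, by_pid)
        if tags:
            hits[e.pid] = tags
    return hits


def urelas_chain(events) -> bool:
    """True when one parent's children cover both tags: the shape both detonations show."""
    by_pid = {e.pid: e for e in events}
    per_parent = {}
    for pid, tags in detect(events).items():
        per_parent.setdefault(by_pid[pid].ppid, set()).update(tags)
    wanted = {"temp_pe_spawns_temp_pe", "cmd_runs_temp_bat"}
    return any(wanted <= tags for tags in per_parent.values())


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe"
# Constructed events. Images, command lines and pids 1736/2440/484 are from behavioral1;
# the parent links and pids 1000/3000/5000 are assumed.
EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1736, 1000, T + "\\" + SAMPLE, '"' + T + "\\" + SAMPLE + '"'),
    ProcEvent(2440, 1736, T + r"\fewic.exe", '"' + T + r'\fewic.exe"'),
    ProcEvent(3000, 2440, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + T + r'\_uinsey.bat" "'),
    ProcEvent(484, 2440, T + r"\egifg.exe", '"' + T + r'\egifg.exe"'),
    # benign control: a batch file run from a location a user cannot write to
    ProcEvent(5000, 1000, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Program Files\build\run.bat"'),
]

if __name__ == "__main__":
    for pid, tags in detect(EVENTS).items():
        print(pid, tags)
    print("Urelas-like chain:", urelas_chain(EVENTS))
```

The two tags are deliberately generic (Temp-resident PE parent and child, cmd.exe launching a Temp .bat) so the rule survives the per-run renaming of the dropped files; the chain check is what keeps a lone installer batch file from paging anyone.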
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | | udp |
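The four TCP endpoints on ports 11300 and 11170 appear in both the win7 and the win10 network tables with no domain, while the DNS, g.bing.com and PTR rows appear only in the win10 run. The Python below is an added example, not part of the report or of any sandbox product: it derives a hunt list from the two runs by keeping only endpoints common to both (operating-system background traffic differs between Windows 7 and 10, the sample's hard-coded C2 list does not), notes the IP-literal connections that will leave no DNS evidence, pivots on the shared port, and runs the list over constructed flow records. The rows are copied from the two tables above with the PTR lookups abbreviated to two; the flow records and the private source addresses are constructed. Sandbox-generated traffic present in both runs would also survive the intersection, so the result still gets a manual look.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "country dst port proto domain")

# Rows copied from the behavioral1 (win7) and behavioral2 (win10) Network tables.
WIN7 = [
    Conn("KR", "218.54.31.226", 11300, "tcp", ""),
    Conn("KR", "1.234.83.146", 11170, "tcp", ""),
    Conn("KR", "218.54.31.166", 11300, "tcp", ""),
    Conn("JP", "133.242.129.155", 11300, "tcp", ""),
]
WIN10 = [
    Conn("US", "8.8.8.8", 53, "udp", "g.bing.com"),
    Conn("US", "150.171.27.10", 443, "tcp", "g.bing.com"),
    Conn("US", "8.8.8.8", 53, "udp", "10.27.171.150.in-addr.arpa"),
    Conn("US", "8.8.8.8", 53, "udp", "71.31.126.40.in-addr.arpa"),
    Conn("KR", "218.54.31.226", 11300, "tcp", ""),
    Conn("KR", "1.234.83.146", 11170, "tcp", ""),
    Conn("KR", "218.54.31.166", 11300, "tcp", ""),
    Conn("JP", "133.242.129.155", 11300, "tcp", ""),
]

RESOLVER = ("8.8.8.8", 53, "udp")  # the sandbox's DNS server, never an IOC by itself


def endpoints(run):
    return {(c.dst, c.port, c.proto) for c in run} - {RESOLVER}


def sample_driven(*runs):
    """Endpoints seen in every run: what the sample itself reaches for, regardless of OS."""
    return sorted(set.intersection(*(endpoints(r) for r in runs)))


def direct_to_ip(run):
    """TCP endpoints reached with no domain: literal IPs in the sample, so DNS logs will not show them."""
    return sorted({(c.dst, c.port) for c in run if c.proto == "tcp" and not c.domain})


def port_pivot(iocs):
    """Ports shared by more than one IOC host, a starting point for finding infrastructure the sandbox did not reach."""
    hosts = {}
    for dst, port, proto in iocs:
        hosts.setdefault((port, proto), set()).add(dst)
    return {k: sorted(v) for k, v in hosts.items() if len(v) > 1}


def hunt(flows, iocs):
    """Flow records whose destination matches an IOC exactly on (ip, port, proto)."""
    wanted = set(iocs)
    return [f for f in flows if (f[1], f[2], f[3]) in wanted]


# Constructed flow records, not from the report: (src, dst, dport, proto).
FLOWS = [
    ("10.0.0.15", "150.171.27.10", 443, "tcp"),    # bing, win10 background traffic only
    ("10.0.0.15", "218.54.31.226", 11300, "tcp"),  # C2
    ("10.0.0.23", "1.234.83.146", 11170, "tcp"),   # C2
    ("10.0.0.23", "8.8.8.8", 53, "udp"),
    ("10.0.0.42", "133.242.129.155", 443, "tcp"),  # known host, unexpected port: not an exact hit
]

if __name__ == "__main__":
    iocs = sample_driven(WIN7, WIN10)
    print("hunt list:", iocs)
    print("shared ports:", port_pivot(iocs))
    print("hits:", hunt(FLOWS, iocs))
```

hunt() matches on the full (ip, port, proto) triple, so the last flow record, to a known C2 host on 443, is not reported; port_pivot() shows that three of the four hosts listen on 11300, which is the property to search flow data for when the exact list has gone stale.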
Files
memory/1200-0-0x0000000000B70000-0x0000000000BF1000-memory.dmp
memory/1200-1-0x0000000000540000-0x0000000000541000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zaaxx.exe
| MD5 | 0588ee2fb017b85781a42149fda76de1 |
| SHA1 | 5e117a7120d54bab6faaf4da827af7f063af5547 |
| SHA256 | 40cc416209bdefb3a307b8c692f9a781a3fdc69c5d5b3198c7aac71dbf3f1266 |
| SHA512 | d5874da25dd3a365072425f0e08c8a6c2bc0ba97fba51f0224d3c135c7739fafaeb0bcc7cd77a2f576ac7f1fbdd6263a7de889a41da62061596c82bcc4203c4d |
memory/2192-14-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2192-11-0x0000000000010000-0x0000000000091000-memory.dmp
memory/1200-17-0x0000000000B70000-0x0000000000BF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 27eb9daf208f7037672259c5ffa7e22d |
| SHA1 | eaba537b6e850060417eed1f43334537f1c72f8d |
| SHA256 | 2f1e893d21676fba07a8daf902c4f48b3b838258c21bfa5da1f3aeb4150c42d6 |
| SHA512 | 3ff71c7d47648141909027c8902d13e06aa8bdc816846b65b099aa449b793fa6ee892c8449ddcf1ed229b535d579df3d1ead4f20cb2ddbec5b580c7f3c2904e5 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e627945028010a37c2cc5e84233dc9ed |
| SHA1 | f43d26ae0f05dbc730f20423898cc739fd91291c |
| SHA256 | 8ec2c080b957a664edc69e76693b6592037cd816ed9d21920732a294d40367d3 |
| SHA512 | de0ec270eb65045301c4daa7a1d840758eb98082fb82da94b0c57a46aca003fcfc374fcac459c07845c20c17eee77b50beb02fbd80a371ef0eedcce2c355a709 |
memory/2192-21-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2192-20-0x0000000000010000-0x0000000000091000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\liqoi.exe
| MD5 | 85783ef41b0f2f3db0b3c839cf76ddce |
| SHA1 | 9fa956acb86c2798b7bd881f62f6f73649763f5b |
| SHA256 | 6be166de5a89ddf312cdab5aa17e6a90bc1342410d128a91049eff3f07b56b06 |
| SHA512 | c66f18b83a99d8e48ca3e5988b0646589358b97ce4784fc09e87c3a517adea9aca0914564a76989132950d294f2c1beb7e94c405a566c3c2fff049c9165a5022 |
memory/4484-37-0x0000000000890000-0x0000000000929000-memory.dmp
memory/2192-40-0x0000000000010000-0x0000000000091000-memory.dmp
memory/4484-44-0x00000000003E0000-0x00000000003E2000-memory.dmp
memory/4484-41-0x0000000000890000-0x0000000000929000-memory.dmp
memory/4484-46-0x0000000000890000-0x0000000000929000-memory.dmp
memory/4484-47-0x0000000000890000-0x0000000000929000-memory.dmp
memory/4484-48-0x0000000000890000-0x0000000000929000-memory.dmp
memory/4484-49-0x0000000000890000-0x0000000000929000-memory.dmp
memory/4484-50-0x0000000000890000-0x0000000000929000-memory.dmp