Analysis Overview
SHA256
aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3d
Threat Level: Known bad
The file aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Deletes itself
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 20:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 20:22
Reported
2024-10-09 20:24
Platform
win7-20240903-en
Max time kernel
119s
Max time network
83s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\niinu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pucop.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\niinu.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pucop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\niinu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe
"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"
C:\Users\Admin\AppData\Local\Temp\niinu.exe
"C:\Users\Admin\AppData\Local\Temp\niinu.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\pucop.exe
"C:\Users\Admin\AppData\Local\Temp\pucop.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2732-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2732-0-0x0000000000350000-0x00000000003D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\niinu.exe
| MD5 | 19716fc5cf365cdcf515b94ab06e7a62 |
| SHA1 | b4fb360c41f6dcad584b11a170f7183c1bf4a479 |
| SHA256 | 81acc85eab1343f759aa22bbf2f555f475e2f573c7599079f9a42e2507901f30 |
| SHA512 | 5c13bbe37b55239ebb80cb72f87b67122009c1ef76deba117f292f800870b8c7c601a6bb7ecb126e722a8f8bacd71c2ba0207041e9e592820c04d94baef9c1aa |
memory/2732-7-0x0000000000410000-0x0000000000491000-memory.dmp
memory/3024-11-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 341c4ce3e924b56dc4c616265edeb003 |
| SHA1 | 46645aa2a5a673b4fe27a30fdebc9c7bffedfcb7 |
| SHA256 | 4b590f8945bf4998a047f53d9c1d8f9b8f31608498739d5892e08c89c4a679bb |
| SHA512 | 67d85c39b7507c974e790a35314038f47cdbc9fc664963fb717fe2d42aa4e586c5ef54cbcc56d777df32684793197dd177741c886a0ca12ed12c5cecd5a02ab7 |
memory/2732-20-0x0000000000350000-0x00000000003D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7163d2c6414f7dd3fc3b1d50f50c75c1 |
| SHA1 | 41480eb7c2d60f4f2bb89aa0ae921d538d13a244 |
| SHA256 | df0b622729f03145fca9418ba19ac578a699d174386f14b90285ccb5e60b10d5 |
| SHA512 | dbeabfd393bfca1dfafbda29bb43e00bbb95da6bc220b36555aeae913ff6053da97b9546197f63349ecec59dbcc4c794b277aeb0624a888aeadf0fc0bc154fe3 |
memory/3024-23-0x0000000001320000-0x00000000013A1000-memory.dmp
memory/3024-24-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\pucop.exe
| MD5 | 893308ef6cfd4d412a266a1313fe0442 |
| SHA1 | 6cfe138f1e347ccecbf72081b7ff3ebb178c6322 |
| SHA256 | 60abbb5ded3067c6dd1a49bcf863f614728da4020c421e8fa6611e77169e7a1e |
| SHA512 | 167215e8da0f91580171d4cf91719e4e065760650249833b1565bd787080522755c468bd9087a1522869aeec4840aaaba9577ca63d114e05739b26ce2320f0ec |
memory/608-42-0x0000000000860000-0x00000000008F9000-memory.dmp
memory/3024-41-0x0000000001320000-0x00000000013A1000-memory.dmp
memory/3024-39-0x0000000000BE0000-0x0000000000C79000-memory.dmp
memory/608-44-0x0000000000860000-0x00000000008F9000-memory.dmp
memory/608-47-0x0000000000860000-0x00000000008F9000-memory.dmp
memory/608-48-0x0000000000860000-0x00000000008F9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 20:22
Reported
2024-10-09 20:25
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ecavx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ecavx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kemot.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ecavx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kemot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe
"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"
C:\Users\Admin\AppData\Local\Temp\ecavx.exe
"C:\Users\Admin\AppData\Local\Temp\ecavx.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\kemot.exe
"C:\Users\Admin\AppData\Local\Temp\kemot.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/536-0-0x0000000000C60000-0x0000000000CE1000-memory.dmp
memory/536-1-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ecavx.exe
| MD5 | 9e5fcf439bcd56ea8c48d1cadc2ab0d2 |
| SHA1 | d6a24caea4ca71fa1cc6315d9e031f21f0057031 |
| SHA256 | 4a16e50623be7eab49fc697916135c507e77e067ad2a321dfc945af66fcf30be |
| SHA512 | 03dd865353a54c291c3c6e2aa2a82376ff584a76b88ab1cc967bf583887ca4713ae88bc0913726b1ba970bf602799d42aaa198829ebea60d11622c8aed2e2829 |
memory/880-11-0x0000000000580000-0x0000000000601000-memory.dmp
memory/880-14-0x0000000000B90000-0x0000000000B91000-memory.dmp
memory/536-17-0x0000000000C60000-0x0000000000CE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 341c4ce3e924b56dc4c616265edeb003 |
| SHA1 | 46645aa2a5a673b4fe27a30fdebc9c7bffedfcb7 |
| SHA256 | 4b590f8945bf4998a047f53d9c1d8f9b8f31608498739d5892e08c89c4a679bb |
| SHA512 | 67d85c39b7507c974e790a35314038f47cdbc9fc664963fb717fe2d42aa4e586c5ef54cbcc56d777df32684793197dd177741c886a0ca12ed12c5cecd5a02ab7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ba80f6161b81140b8cf3ddc3ff6dc564 |
| SHA1 | 5a87c08fe1d3a7067846b47d653701daf0c66813 |
| SHA256 | 64c6d0a2ef76fb8ab744222a243dd5648407dbb1683e803ed9813a42080a0dbc |
| SHA512 | e6ecbbfe8613bddcf9ffcea669b1b13d7df0a1a506ebc5b5fdb058588a87d5f018c0464714bb311251b23c0979dfdd768cdb02b6240155626ace43919ff6773f |
memory/880-20-0x0000000000580000-0x0000000000601000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kemot.exe
| MD5 | 3bc26accdbf33fb50918aeaa01b48b7c |
| SHA1 | db3e58dff9fd74dbef07ac1cd7f22988589a6fef |
| SHA256 | a72fa1cfc1422cd3fa114bc98ac2c0ebd399b7f5d1ea380d440881142268b1ee |
| SHA512 | a094d49dc7026ea7712902fca15e6ec1dddc1427f549cb056c2d5b7472b16768b81d8cb21c157ef7af01d0ae73fc5e6b19115963887f070318f8c5793d670a66 |
memory/3636-37-0x0000000000280000-0x0000000000319000-memory.dmp
memory/3636-41-0x00000000007A0000-0x00000000007A2000-memory.dmp
memory/880-43-0x0000000000580000-0x0000000000601000-memory.dmp
memory/3636-38-0x0000000000280000-0x0000000000319000-memory.dmp
memory/3636-45-0x0000000000280000-0x0000000000319000-memory.dmp
memory/3636-46-0x0000000000280000-0x0000000000319000-memory.dmp