Analysis Overview
SHA256
aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3d
Threat Level: Known bad
The file aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 20:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 20:25
Reported
2024-10-09 20:28
Platform
win7-20240729-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quvig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bygul.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quvig.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quvig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bygul.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe
"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"
C:\Users\Admin\AppData\Local\Temp\quvig.exe
"C:\Users\Admin\AppData\Local\Temp\quvig.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\bygul.exe
"C:\Users\Admin\AppData\Local\Temp\bygul.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2592-0-0x00000000010A0000-0x0000000001121000-memory.dmp
memory/2592-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\quvig.exe
| MD5 | 6ca2ef7a086076fb479c7a1c9f6e8553 |
| SHA1 | 3ab0a53e1bbc3e13ffa459a38e575137da9435b7 |
| SHA256 | c22f3230a4f72a6db82d0b74fd837c6becac0aa76e978bca004d1900ec3dd9d3 |
| SHA512 | 232e68e92ebe5c6c89ceaaf99fb95f6dd4bd18574bfcf2fd3efae7c876bcf534c0bb51d692c8c4bba09aace77f4a8ee49ff9b300441576e3c54519c38caa6aad |
memory/2592-7-0x0000000002610000-0x0000000002691000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 341c4ce3e924b56dc4c616265edeb003 |
| SHA1 | 46645aa2a5a673b4fe27a30fdebc9c7bffedfcb7 |
| SHA256 | 4b590f8945bf4998a047f53d9c1d8f9b8f31608498739d5892e08c89c4a679bb |
| SHA512 | 67d85c39b7507c974e790a35314038f47cdbc9fc664963fb717fe2d42aa4e586c5ef54cbcc56d777df32684793197dd177741c886a0ca12ed12c5cecd5a02ab7 |
memory/2448-12-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2448-11-0x0000000000850000-0x00000000008D1000-memory.dmp
memory/2592-21-0x00000000010A0000-0x0000000001121000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 3c9f0d8030a16530bf4c75023c2db68c |
| SHA1 | ee7069cf7a8fae0451c6bde0c2a2eab04ef4fcef |
| SHA256 | a3a0f2ab02f67c4921a3fc15b6fa7a0dcb80e049f0871e45a32ab926faae6eac |
| SHA512 | 41606d8936c10d31bdf6450baeb25f9fd7dbaef6d9b7c12af9b89b4e0b57dbf3366299d999de07f7f4bbc5068a2defc94bf2567088829607da5c6acb743f076d |
memory/2448-24-0x0000000000850000-0x00000000008D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\bygul.exe
| MD5 | 97c97a129671e64bd7c673b487e61e9c |
| SHA1 | e230ec8a78ac1348f8a84ff173f4b76bde278202 |
| SHA256 | ba44062571d6b7229954b0c0198f5940736e7d0dcd1bf4b451b4e6318044a89c |
| SHA512 | 717832ba1fff6de5ddf0a7e15fa78085833073a3b9f22d0db729aaa699362f425434a69e08ab83cfcbc67e97dbcca7d3ad65f2ba794b390d90ac3d318beeb250 |
memory/2448-39-0x00000000035E0000-0x0000000003679000-memory.dmp
memory/2920-45-0x0000000000CA0000-0x0000000000D39000-memory.dmp
memory/2920-42-0x0000000000CA0000-0x0000000000D39000-memory.dmp
memory/2448-40-0x0000000000850000-0x00000000008D1000-memory.dmp
memory/2920-47-0x0000000000CA0000-0x0000000000D39000-memory.dmp
memory/2920-48-0x0000000000CA0000-0x0000000000D39000-memory.dmp
memory/2920-49-0x0000000000CA0000-0x0000000000D39000-memory.dmp
memory/2920-50-0x0000000000CA0000-0x0000000000D39000-memory.dmp
memory/2920-51-0x0000000000CA0000-0x0000000000D39000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 20:25
Reported
2024-10-09 20:28
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\uzbeo.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzbeo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rizel.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uzbeo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rizel.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe
"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"
C:\Users\Admin\AppData\Local\Temp\uzbeo.exe
"C:\Users\Admin\AppData\Local\Temp\uzbeo.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\rizel.exe
"C:\Users\Admin\AppData\Local\Temp\rizel.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1528-0-0x00000000009A0000-0x0000000000A21000-memory.dmp
memory/1528-1-0x0000000000B80000-0x0000000000B81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uzbeo.exe
| MD5 | c3620731851398454662c61dfd033573 |
| SHA1 | f9b7abe75ea6e2513d2f63b8a3156c46a4619027 |
| SHA256 | 2da9a0ac120de177d35eaa74610e52c44feb974039e39e292d5af5ff64486b7d |
| SHA512 | 4385144c1e675d963b273a26e423c2edcd1d901ee4062ada2bb82047506572fdfa06f028174cdaca6c40c5afff710208459f588bfc81552dca205731831b1a3d |
memory/2496-11-0x0000000000910000-0x0000000000991000-memory.dmp
memory/2496-13-0x0000000000760000-0x0000000000761000-memory.dmp
memory/1528-17-0x00000000009A0000-0x0000000000A21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 341c4ce3e924b56dc4c616265edeb003 |
| SHA1 | 46645aa2a5a673b4fe27a30fdebc9c7bffedfcb7 |
| SHA256 | 4b590f8945bf4998a047f53d9c1d8f9b8f31608498739d5892e08c89c4a679bb |
| SHA512 | 67d85c39b7507c974e790a35314038f47cdbc9fc664963fb717fe2d42aa4e586c5ef54cbcc56d777df32684793197dd177741c886a0ca12ed12c5cecd5a02ab7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | aa22c580155a5836fc07569d77663998 |
| SHA1 | 0256df47b0745e79584457d871a16e9c8188accf |
| SHA256 | 4a0cd29b0eb4303464e77b39051207450e45a36611b1bc0eefa3fa985e031e9c |
| SHA512 | 4b748b3b804c23d069b733bce84229a5a2eb7827b257707a6651320a9e075208f2583f192da0756307b70fa9ed3ec46fed0222e2f6052e42a7e720db7b49a6f3 |
memory/2496-20-0x0000000000910000-0x0000000000991000-memory.dmp
memory/2496-21-0x0000000000760000-0x0000000000761000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rizel.exe
| MD5 | 9b83edb28658a4e694afe50ff7a2507c |
| SHA1 | d14818f0300ee782a72f5d5fd8d9103886877223 |
| SHA256 | 9f256fc9a9d3fa9230efa5d68c3f1ef0b3acddb77003de3091068e963a3e8e5c |
| SHA512 | 7d7e28e67c12316530d8e0d79020c220474a2ed0e3e835d1982f9b40d99a6340eb246d2e6bd634ba21b4c6421867f47e11526b173145660ef0cf78e4191fcf7c |
memory/1344-39-0x0000000000DF0000-0x0000000000DF2000-memory.dmp
memory/1344-38-0x0000000000C90000-0x0000000000D29000-memory.dmp
memory/2496-41-0x0000000000910000-0x0000000000991000-memory.dmp
memory/1344-42-0x0000000000C90000-0x0000000000D29000-memory.dmp
memory/1344-46-0x0000000000DF0000-0x0000000000DF2000-memory.dmp
memory/1344-47-0x0000000000C90000-0x0000000000D29000-memory.dmp
memory/1344-48-0x0000000000C90000-0x0000000000D29000-memory.dmp
memory/1344-49-0x0000000000C90000-0x0000000000D29000-memory.dmp
memory/1344-50-0x0000000000C90000-0x0000000000D29000-memory.dmp
memory/1344-51-0x0000000000C90000-0x0000000000D29000-memory.dmp