Analysis Overview
SHA256
30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136
Threat Level: Known bad
The file 30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136 was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 19:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 19:48
Reported
2024-10-09 19:50
Platform
win7-20240903-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gyzos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vacoh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gyzos.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gyzos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vacoh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe
"C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe"
C:\Users\Admin\AppData\Local\Temp\gyzos.exe
"C:\Users\Admin\AppData\Local\Temp\gyzos.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\vacoh.exe
"C:\Users\Admin\AppData\Local\Temp\vacoh.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9383283f479675881268cf6d444f593c |
| SHA1 | 0db979a0fca57a9680ab69c40c42a431a8e82e00 |
| SHA256 | 731b0e5d4714239b1ba6ee58260f42e0f9e293c8e9e91148c9a3ad0a8a9f6ed6 |
| SHA512 | 93a232308fb0eb027ff4cd1a08154f5b770fcb7840bfe513cc1f2412315ae0544a10537c8f2016973ab339390b59595e4bf329a387922a1953db07cf10f9fc5a |
C:\Users\Admin\AppData\Local\Temp\gyzos.exe
| MD5 | 7f27c3a54d1807087e11819c4b124fdb |
| SHA1 | 6cbd37a3fcaa5dd602fd453f9ce10b1da279a772 |
| SHA256 | e2e5cb1385642c1432c28de69a35b9d40f473228f0a473bbc20734a3340d75ca |
| SHA512 | 3934fa8ddc8c7df6eb88df994aa3677ac53f5f00c2bbefea6ce9291c14d13de1286a20302ee0fd14ab1a34c58befc27c618ec86c92fa80aa2d6e721d676d38f8 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ddf36697988338d5b33be2ae9a48ad81 |
| SHA1 | 9228ef4d27ce26cb89a40b2d2e31a52831bcb700 |
| SHA256 | 1ca66855f6bb4909031e768c4c8feedba656e9a447c45937a5979b05d811d9c0 |
| SHA512 | e61baf33d4e3ef80e1bb23bcaebd5ccc6ddded035af31ab49029163f552c273ce07d5bff803ff8799727a2ed6ea2e15aa9b2835245de781a05fca9bc9e43cff0 |
\Users\Admin\AppData\Local\Temp\vacoh.exe
| MD5 | aaa03f28f84eb7e95e39e59d7f6633ec |
| SHA1 | f9e2997fb990c550d060544813e05d8bc6c52f33 |
| SHA256 | 5131a7c87d378b54e46f9cf60b05c9794e6ad320f991bd60fd627de84f0a60a4 |
| SHA512 | 4316ca3a2589cdd581f4fa2d5677156c38b8997c86d0abb977b1ce67755558d42284ea98d2fcf2308effc82400a503b56c20d33baf8024d425ad01c29c52d676 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 19:48
Reported
2024-10-09 19:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
97s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\biefg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biefg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qevoz.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biefg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qevoz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe
"C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe"
C:\Users\Admin\AppData\Local\Temp\biefg.exe
"C:\Users\Admin\AppData\Local\Temp\biefg.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\qevoz.exe
"C:\Users\Admin\AppData\Local\Temp\qevoz.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.11.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 193.108.222.173.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 201.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\biefg.exe
| MD5 | 20c48abed1f10a7d4aee0f9b67a81fad |
| SHA1 | e063aa6d314205a47fc12be6bdcfa0eaa9789d73 |
| SHA256 | 9d652e357303bc0e17b8821583a4d5a4857780bac7bd9874ee28be583bb2d8af |
| SHA512 | 93229d9c4a345388fc47675ce08c1056dc212910c61263745c8c90a8cee59870fc5491a814151be43063197e4854afb7ac797a379722898c791385f5610ad007 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9383283f479675881268cf6d444f593c |
| SHA1 | 0db979a0fca57a9680ab69c40c42a431a8e82e00 |
| SHA256 | 731b0e5d4714239b1ba6ee58260f42e0f9e293c8e9e91148c9a3ad0a8a9f6ed6 |
| SHA512 | 93a232308fb0eb027ff4cd1a08154f5b770fcb7840bfe513cc1f2412315ae0544a10537c8f2016973ab339390b59595e4bf329a387922a1953db07cf10f9fc5a |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | fd2f8e2c778b4fd03ac0ae1f3dc1db17 |
| SHA1 | 15387e7b6a5da265da1e57f0dd9b232d0606e5ec |
| SHA256 | 04dff21cedc87b327556d8b75bc4aada760e4515798853cb30cc56225e785c45 |
| SHA512 | 3d156c41d1487c0ffd6d4aa2eeba5f2ac9fec8e713b5e3834b7c551ab8c1a64cdfac38dde1daea054c70c06fd4a8cc04874246defc4571a9b6fa86f29c75458f |
C:\Users\Admin\AppData\Local\Temp\qevoz.exe
| MD5 | b1bac068ff8fab92f999da6f2f4eeef2 |
| SHA1 | 235aedcbc7b81f7a9bdcc553c57cb5d91e813e56 |
| SHA256 | d72a8cb0aba108ff5b60084ee915e50943e17a4ae638774fbf752186feafd350 |
| SHA512 | 86f8b5ba8bfb8362dbffb07b91ab1f79150a94b9246923550cf7ef8242e5234e2b72b3595d0ebec1046ba532aee1db4935dfa7b497091d71330dcde95214fc7d |