Analysis Overview
SHA256
30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136
Threat Level: Known bad
The file 30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136 was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 19:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 19:51
Reported
2024-10-09 19:54
Platform
win7-20240903-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zineu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\liros.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zineu.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zineu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\liros.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe
"C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe"
C:\Users\Admin\AppData\Local\Temp\zineu.exe
"C:\Users\Admin\AppData\Local\Temp\zineu.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\liros.exe
"C:\Users\Admin\AppData\Local\Temp\liros.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2792-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2792-0-0x00000000011D0000-0x0000000001251000-memory.dmp
\Users\Admin\AppData\Local\Temp\zineu.exe
| MD5 | 0330a615aee93bae11e7113787882490 |
| SHA1 | 8a24df8bd6dca558756597ed095b194b6a3de1a9 |
| SHA256 | 08d6382a674a7246387683ff54dde81e8164b2dd5b81861c1fc033ccdcd14104 |
| SHA512 | aa36551713e3af125a9d152e81976d2bfcab628a759bd98f04669ec5c79ac4d644dc0bcd1c721f8f1014f5f274c51b5f5c201907af1c77a553f48aa69349998d |
memory/2792-7-0x0000000001050000-0x00000000010D1000-memory.dmp
memory/2816-19-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2816-18-0x0000000000A90000-0x0000000000B11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9383283f479675881268cf6d444f593c |
| SHA1 | 0db979a0fca57a9680ab69c40c42a431a8e82e00 |
| SHA256 | 731b0e5d4714239b1ba6ee58260f42e0f9e293c8e9e91148c9a3ad0a8a9f6ed6 |
| SHA512 | 93a232308fb0eb027ff4cd1a08154f5b770fcb7840bfe513cc1f2412315ae0544a10537c8f2016973ab339390b59595e4bf329a387922a1953db07cf10f9fc5a |
memory/2792-21-0x00000000011D0000-0x0000000001251000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0bcc3671b4acd4517440ef4727e9868f |
| SHA1 | 0dcc0b16081c313be322ccf41f5a598323eab4dd |
| SHA256 | 58009903b471f11b33e328cf059b8b8499b01f0587b67bdd2f953ffcb75a079d |
| SHA512 | cb7e1de4b384f7d17255aa274378393bf17a41fd979c4ff43a655f0ea979b641461c4f64ee951a2d3fc39f0ce89e382a954c9e58fe4b83f5f03e27fe238d7bb3 |
memory/2816-24-0x0000000000A90000-0x0000000000B11000-memory.dmp
\Users\Admin\AppData\Local\Temp\liros.exe
| MD5 | ea09dedc40d50861e948f6541a18c9a3 |
| SHA1 | b1df8c17ce3adf102f4635375a0a05b4643b60b4 |
| SHA256 | ac6d02b0cdd51399766f2d9eb0f96923b00f4089a48c1e120839ef28de13f68b |
| SHA512 | 0215f8869bcf2e7ec4ba32adf9bc3137b899d095a982c6969f3cd66d8dde5b7f6203394f5a5dc4784a2d2d529c2e1ca5e4eb919fbe4c5d52d2b728ceb45b2c47 |
memory/772-42-0x0000000001330000-0x00000000013C9000-memory.dmp
memory/2816-40-0x0000000003480000-0x0000000003519000-memory.dmp
memory/2816-39-0x0000000000A90000-0x0000000000B11000-memory.dmp
memory/772-43-0x0000000001330000-0x00000000013C9000-memory.dmp
memory/772-47-0x0000000001330000-0x00000000013C9000-memory.dmp
memory/772-48-0x0000000001330000-0x00000000013C9000-memory.dmp
memory/772-49-0x0000000001330000-0x00000000013C9000-memory.dmp
memory/772-50-0x0000000001330000-0x00000000013C9000-memory.dmp
memory/772-51-0x0000000001330000-0x00000000013C9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 19:51
Reported
2024-10-09 19:54
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xotyk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xotyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pikuj.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pikuj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xotyk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe
"C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe"
C:\Users\Admin\AppData\Local\Temp\xotyk.exe
"C:\Users\Admin\AppData\Local\Temp\xotyk.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\pikuj.exe
"C:\Users\Admin\AppData\Local\Temp\pikuj.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4708-0-0x0000000000F80000-0x0000000001001000-memory.dmp
memory/4708-1-0x0000000000690000-0x0000000000691000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xotyk.exe
| MD5 | 3d92d4653358cbb1a0d514adcd412d52 |
| SHA1 | 19d99a15d3f5888dfd0e7fb0efb8b54331e3cc9f |
| SHA256 | 3bbb5dca15638cbd30336e4cfdd883c0736102708d620acc14d6406384e3dbd4 |
| SHA512 | bf1cd6879ab3fc01bc65bd3bb3763832d379fdb03a741e07e849524cdbef0814ef0c94b52cad750bc4b65c7ab34f07f05a170a380b09e8c8b3dddf5caf16b6da |
memory/1472-14-0x00000000005F0000-0x00000000005F1000-memory.dmp
memory/1472-13-0x0000000000FA0000-0x0000000001021000-memory.dmp
memory/4708-16-0x0000000000F80000-0x0000000001001000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9383283f479675881268cf6d444f593c |
| SHA1 | 0db979a0fca57a9680ab69c40c42a431a8e82e00 |
| SHA256 | 731b0e5d4714239b1ba6ee58260f42e0f9e293c8e9e91148c9a3ad0a8a9f6ed6 |
| SHA512 | 93a232308fb0eb027ff4cd1a08154f5b770fcb7840bfe513cc1f2412315ae0544a10537c8f2016973ab339390b59595e4bf329a387922a1953db07cf10f9fc5a |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 3523c2e56c4a6894f226d95ae9ab776d |
| SHA1 | fbcb5cd2a487b6ad02cca94da9820b8574a8a104 |
| SHA256 | 08ffea0a8c9dcd6003999c129449aee70dfb376d26a0787c87d58c492372addb |
| SHA512 | e2e6e99067e218f642f61c2c1919f7e0d6f6d2f9ed27b9ea3489a1fc19eaaf9024e6441b0b85d54d465422aa2e90b01a71a271b990a5b7ed9c0e0d7532a348b5 |
memory/1472-19-0x0000000000FA0000-0x0000000001021000-memory.dmp
memory/1472-20-0x00000000005F0000-0x00000000005F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pikuj.exe
| MD5 | 6765d073079a52d2e9f817b2f023aa7c |
| SHA1 | f7d6753e5e1fe559bdfff7dad9c585d12bc7084f |
| SHA256 | 6308ee60385ab0cf55fda48b036943a97450c49e2e5769bb5a5c9b79e261343e |
| SHA512 | 6a2cf733a02c353bcb5f0acc8065925910572fb1cb9de430ec2701b04be63f06a69b148e29ce9882b03d035e0d7d4cb6750365fb57f3024b5a930acb38c02579 |
memory/2932-38-0x0000000000D50000-0x0000000000D52000-memory.dmp
memory/2932-37-0x0000000000BE0000-0x0000000000C79000-memory.dmp
memory/2932-39-0x0000000000BE0000-0x0000000000C79000-memory.dmp
memory/1472-43-0x0000000000FA0000-0x0000000001021000-memory.dmp
memory/2932-45-0x0000000000D50000-0x0000000000D52000-memory.dmp
memory/2932-46-0x0000000000BE0000-0x0000000000C79000-memory.dmp
memory/2932-47-0x0000000000BE0000-0x0000000000C79000-memory.dmp
memory/2932-48-0x0000000000BE0000-0x0000000000C79000-memory.dmp
memory/2932-49-0x0000000000BE0000-0x0000000000C79000-memory.dmp
memory/2932-50-0x0000000000BE0000-0x0000000000C79000-memory.dmp
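As an added example that is not part of the sandbox report, the following Python hunts for the indicators from both runs (behavioral1 on Windows 7, behavioral2 on Windows 10) in Sysmon-style telemetry: EventID 1 process creation and EventID 3 network connection records. It covers the dropped-EXE chain executing out of the user's %TEMP%, the `cmd /c ""...\_uinsey.bat" "` self-delete launcher, the four KR/JP C2 endpoints on tcp/11300 and tcp/11170, and the SHA256s of the dropped files. The event records are constructed to mirror the report and are not real telemetry; 198.51.100.7 is a hypothetical endpoint used only to exercise the weaker port-based heuristic. Two caveats the report itself supports: golfinfo.ini has a different hash in each run, so it is not a stable indicator (the .bat hash is identical across both runs and is kept), and the 8.8.8.8 DNS and g.bing.com traffic appears only in the Windows 10 run and is ordinary OS background noise, so the example deliberately does not flag it.

```python
"""Hunt for the Urelas indicators reported above in Sysmon-style telemetry.

Added example for this report; the event dicts below are constructed, not
real telemetry, and mirror Sysmon field names (EventID 1 = process create,
EventID 3 = network connect).
"""
import re
from typing import Dict, List

# Indicators copied from the behavioral1/behavioral2 sections of the report.
C2_ENDPOINTS = {
    ("218.54.31.226", 11300),
    ("1.234.83.146", 11170),
    ("218.54.31.166", 11300),
    ("133.242.129.155", 11300),
}
C2_PORTS = {11300, 11170}

# SHA256 of the dropped payloads. golfinfo.ini is left out on purpose: its
# hash differed between the two runs, so it is not a stable indicator.
DROPPED_SHA256 = {
    "08d6382a674a7246387683ff54dde81e8164b2dd5b81861c1fc033ccdcd14104": "zineu.exe",
    "ac6d02b0cdd51399766f2d9eb0f96923b00f4089a48c1e120839ef28de13f68b": "liros.exe",
    "3bbb5dca15638cbd30336e4cfdd883c0736102708d620acc14d6406384e3dbd4": "xotyk.exe",
    "6308ee60385ab0cf55fda48b036943a97450c49e2e5769bb5a5c9b79e261343e": "pikuj.exe",
    "731b0e5d4714239b1ba6ee58260f42e0f9e293c8e9e91148c9a3ad0a8a9f6ed6": "_uinsey.bat",
}

# An executable living directly in the user's %TEMP%.
TEMP_EXE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE
)
# The self-delete launcher seen in both runs:
#   cmd /c ""C:\Users\<user>\AppData\Local\Temp\<name>.bat" "
TEMP_BAT_CMD = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"+[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\"]+\.bat"',
    re.IGNORECASE,
)


def _sha256_from_hashes(hashes: str) -> str:
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    for part in hashes.split(","):
        if part.strip().upper().startswith("SHA256="):
            return part.split("=", 1)[1].strip().lower()
    return ""


def check_event(ev: Dict) -> List[str]:
    """Return the indicator matches for one event (empty list if nothing matched)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 1:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if TEMP_BAT_CMD.search(ev.get("CommandLine", "")):
            hits.append("self-delete: cmd.exe /c on a .bat in %TEMP%")
        if TEMP_EXE.match(image) and TEMP_EXE.match(parent):
            hits.append("dropped EXE in %TEMP% executed by another %TEMP% EXE")
        name = DROPPED_SHA256.get(_sha256_from_hashes(ev.get("Hashes", "")))
        if name:
            hits.append(f"image hash matches {name} from the report")
    elif eid == 3:
        dst = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0)))
        if dst in C2_ENDPOINTS:
            hits.append(f"known Urelas C2 endpoint {dst[0]}:{dst[1]}")
        elif dst[1] in C2_PORTS and TEMP_EXE.match(ev.get("Image", "")):
            hits.append(f"%TEMP% EXE connecting out on Urelas C2 port {dst[1]}")
    return hits


def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event index -> matches, keeping only events that matched something."""
    findings: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe"
XOTYK = r"C:\Users\Admin\AppData\Local\Temp\xotyk.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed events mirroring the behavioral2 chain, plus the benign noise
# (DNS to 8.8.8.8, g.bing.com over 443) that the Windows 10 run produced.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": XOTYK, "ParentImage": DROPPER, "CommandLine": f'"{XOTYK}"',
     "Hashes": "SHA256=3BBB5DCA15638CBD30336E4CFDD883C0736102708D620ACC14D6406384E3DBD4"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": DROPPER,
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"EventID": 3, "Image": XOTYK, "DestinationIp": "218.54.31.226", "DestinationPort": 11300},
    {"EventID": 3, "Image": SVCHOST, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
    {"EventID": 3, "Image": SVCHOST, "DestinationIp": "150.171.28.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # Hypothetical endpoint not in the report: caught only by the port heuristic.
    {"EventID": 3, "Image": r"C:\Users\Admin\AppData\Local\Temp\pikuj.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 11300},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(hits))
```

The exact-endpoint and hash matches are high confidence; the %TEMP%-to-%TEMP% process chain and the port-11300/11170 heuristic are weaker and should be triaged with the parent process and destination in hand rather than blocked on sight.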