Analysis Overview
SHA256
509c86296d37ce341685a31861879e8925db44f8f2f27ea8d19d488d00f99072
Threat Level: Known bad
The file 509c86296d37ce341685a31861879e8925db44f8f2f27ea8d19d488d00f99072N was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Deletes itself
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 20:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 20:04
Reported
2024-10-09 20:06
Platform
win7-20240729-en
Max time kernel
119s
Max time network
81s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jiadh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iwkey.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\509c86296d37ce341685a31861879e8925db44f8f2f27ea8d19d488d00f99072N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jiadh.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\509c86296d37ce341685a31861879e8925db44f8f2f27ea8d19d488d00f99072N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jiadh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iwkey.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\509c86296d37ce341685a31861879e8925db44f8f2f27ea8d19d488d00f99072N.exe
"C:\Users\Admin\AppData\Local\Temp\509c86296d37ce341685a31861879e8925db44f8f2f27ea8d19d488d00f99072N.exe"
C:\Users\Admin\AppData\Local\Temp\jiadh.exe
"C:\Users\Admin\AppData\Local\Temp\jiadh.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\iwkey.exe
"C:\Users\Admin\AppData\Local\Temp\iwkey.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2300-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2300-0-0x0000000000BB0000-0x0000000000C31000-memory.dmp
\Users\Admin\AppData\Local\Temp\jiadh.exe
| MD5 | 7e2bce5d40c4f1da6e7f7c99c1916ad6 |
| SHA1 | 11bde2c24bac65723c2975c371674583e678ca0f |
| SHA256 | 23f89e3c9675c01f19a122d0e6c14df9eed860912d2d00d6cd01fcc41c087bd3 |
| SHA512 | 2d24ecbf8675f7b5948c31f5052f776ba2eb64657966dcddcb92e9f0505bc8864f48c8872d05acd3cc7477d100567b3448641afdc15b9539151d36e70cd4ce8d |
memory/1748-12-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1748-11-0x0000000000C60000-0x0000000000CE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 5796554d2eea59efaeb61bb5ec395f57 |
| SHA1 | 8f52df8b63a101ece5e4bb2df9b9124211678e3e |
| SHA256 | 909c03df67faf293216a802cc908421708e6f15f99fd49bc5eaa85ff0d51c3b1 |
| SHA512 | e757ed2f5ab7e542bc29cbc0c52ea07316132aef49e3c95782008bd178f69c85a0b6b01abb8880a202ba55d9f64850f35a99ebdb73e1223277ae820a29ad1085 |
memory/2300-9-0x0000000002630000-0x00000000026B1000-memory.dmp
memory/2300-21-0x0000000000BB0000-0x0000000000C31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 28d0664a7ae11d64efc1993fbd6b8d2b |
| SHA1 | b6ed3d08cef413dbfe6528dca95745a60be39a5a |
| SHA256 | 11412d3a284402ba9ea9e631bc573aeb4ce8d7fd95eb0c9a0f194b2b37ed22a1 |
| SHA512 | c4f6a14faa5a97b3d191768286ec519b2cf1cdb38ab6aed69227666c0ddad72a0c7190f9f5b5e0b45cd161d09829066ab61429ed8bee078f34a909515351390a |
memory/1748-25-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1748-24-0x0000000000C60000-0x0000000000CE1000-memory.dmp
\Users\Admin\AppData\Local\Temp\iwkey.exe
| MD5 | 97f7c6b54a259ec14a711c7b131dff1d |
| SHA1 | 5c8667f0190eb5b24c7cc8e702d782521116b2ae |
| SHA256 | 314154abd41b42a60bd6c747e36b14eb6528b7066b84154979a11ea8d47acfe2 |
| SHA512 | acb091960b4ded6342b9667ac45ee313c15b824e862ba1fb5fb52201a6a9c02263252d388d842f1a7642a4cabf5ef5bd1610317220463bbbb40f67e998de2b3b |
memory/1748-38-0x0000000003200000-0x0000000003299000-memory.dmp
memory/2880-43-0x0000000000FF0000-0x0000000001089000-memory.dmp
memory/1748-42-0x0000000000C60000-0x0000000000CE1000-memory.dmp
memory/2880-47-0x0000000000FF0000-0x0000000001089000-memory.dmp
memory/2880-48-0x0000000000FF0000-0x0000000001089000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 20:04
Reported
2024-10-09 20:06
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
107s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\509c86296d37ce341685a31861879e8925db44f8f2f27ea8d19d488d00f99072N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fawio.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fawio.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pypex.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\509c86296d37ce341685a31861879e8925db44f8f2f27ea8d19d488d00f99072N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fawio.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pypex.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\509c86296d37ce341685a31861879e8925db44f8f2f27ea8d19d488d00f99072N.exe
"C:\Users\Admin\AppData\Local\Temp\509c86296d37ce341685a31861879e8925db44f8f2f27ea8d19d488d00f99072N.exe"
C:\Users\Admin\AppData\Local\Temp\fawio.exe
"C:\Users\Admin\AppData\Local\Temp\fawio.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\pypex.exe
"C:\Users\Admin\AppData\Local\Temp\pypex.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 135.72.21.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/2104-0-0x0000000000050000-0x00000000000D1000-memory.dmp
memory/2104-1-0x00000000007E0000-0x00000000007E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fawio.exe
| MD5 | 9ffd0642bdd1568cf6379232a3a8419f |
| SHA1 | 9737bc24f7f0d5e723d5ad7f531600e98f07a22f |
| SHA256 | b1178a47500bcc501e84268911f4179832373d9e2f38ebf180799613a8d20dc8 |
| SHA512 | 3c04c8f6eaf778972328af777176981e0411df898595d1bde50087265ecdb77c7f2840d430a73ad74635a6b810d45b95d3fe9b11a7645e1973cd70d9ba0a341a |
memory/1132-13-0x00000000002A0000-0x0000000000321000-memory.dmp
memory/1132-14-0x0000000000F50000-0x0000000000F51000-memory.dmp
memory/2104-17-0x0000000000050000-0x00000000000D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 5796554d2eea59efaeb61bb5ec395f57 |
| SHA1 | 8f52df8b63a101ece5e4bb2df9b9124211678e3e |
| SHA256 | 909c03df67faf293216a802cc908421708e6f15f99fd49bc5eaa85ff0d51c3b1 |
| SHA512 | e757ed2f5ab7e542bc29cbc0c52ea07316132aef49e3c95782008bd178f69c85a0b6b01abb8880a202ba55d9f64850f35a99ebdb73e1223277ae820a29ad1085 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ccc3e84030f3006412d7360c1823c22c |
| SHA1 | 2bad1267cd9a0f552ae24171b94a842cb84baed0 |
| SHA256 | 67a7fafe116b68f110a7ba4df8e6cdb89f8e2ca19abf3a31c5cf851040ce612a |
| SHA512 | 601e604b6595e2578a1004709fb08dc367b819ebf288116b37f026eeb23dfec812de931cf48247f4a7f08094c022e35759d39eaea6737948859c39962f59f97f |
memory/1132-20-0x00000000002A0000-0x0000000000321000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pypex.exe
| MD5 | 198c8a3ee8a311a334113eaa3cd8afc3 |
| SHA1 | b6cd9d8274a3b6722498c03e7038372e01c56019 |
| SHA256 | 1e2825ad35937ec67de931f237c8f19f11a02eca116535207a90b30a178e16af |
| SHA512 | 60ed062d2c6789fe732b5ab77f1d6dbb3f5db6ac10ebe6869e714c3b76be53bd4c19ed4dc725f0e3163dcd5d89f90f2df3060e0a4c7826783ec9ef7f6e9e0dff |
memory/3712-37-0x00000000006D0000-0x0000000000769000-memory.dmp
memory/1132-39-0x00000000002A0000-0x0000000000321000-memory.dmp
memory/3712-40-0x0000000000B30000-0x0000000000B32000-memory.dmp
memory/3712-41-0x00000000006D0000-0x0000000000769000-memory.dmp
memory/3712-46-0x0000000000B30000-0x0000000000B32000-memory.dmp
memory/3712-45-0x00000000006D0000-0x0000000000769000-memory.dmp
memory/3712-47-0x00000000006D0000-0x0000000000769000-memory.dmp