Analysis Overview
SHA256
e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fc
Threat Level: Known bad
The file e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Deletes itself
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 20:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 20:54
Reported
2024-10-09 20:56
Platform
win7-20240903-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\siahk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loguc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\siahk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\siahk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\loguc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe
"C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe"
C:\Users\Admin\AppData\Local\Temp\siahk.exe
"C:\Users\Admin\AppData\Local\Temp\siahk.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\loguc.exe
"C:\Users\Admin\AppData\Local\Temp\loguc.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1120-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1120-0-0x00000000003B0000-0x0000000000431000-memory.dmp
\Users\Admin\AppData\Local\Temp\siahk.exe
| MD5 | 786edb77e190a3dd81bba6c8fdf6ab19 |
| SHA1 | 1b6e1e28cfdd258928709f9f52df5e1e5b626e5e |
| SHA256 | 854ab8a540def1ae99ee36f6b46d3e0730f3a93a2500e53eaaff01f6bb1bf7d0 |
| SHA512 | 438a6445375d00ca4400a43324bea5b80e49af641d5bde2ea188b12bcf4a8e5349c27af5ee23dbb17665548e31a8a618a90cfb9336efff246cbf7a32678f1645 |
memory/1120-7-0x0000000002550000-0x00000000025D1000-memory.dmp
memory/1120-19-0x00000000003B0000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | a129f7006d659db178e1b168e315ce17 |
| SHA1 | d5afb73a25320a15b22829bdc3605e947d080b1a |
| SHA256 | 90bb0f37a3cd9b41352b910ad81fec35c2230c763f6e66f5646cd3e1ca6b500a |
| SHA512 | 75988da030b8b745b11a2fb739412ef18a8f6ea0043e537b678668c426ed8494749ea8a13c2c91a9a274d5af519b6ba2115367e371fc1c3066d66609621bec0c |
memory/2312-21-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2312-20-0x0000000000030000-0x00000000000B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 79f0faa572994b5ffb98a08b636e34c5 |
| SHA1 | 7698bad2fc5bd3eeeab1e3e6075eb0157e13b193 |
| SHA256 | b46e406c950527d8d96b864eb25c72bc90fd932bd3312bfa8beffd59c7bfcc16 |
| SHA512 | 1ed6db9ef7d8c5224878f271b0e38c669bbeeeabb05b48e076f364ecd160d04f5232a9e25ad648a637accc2e9b198b79e69d01e2343a59133b4a41088432a38c |
memory/2312-25-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2312-24-0x0000000000030000-0x00000000000B1000-memory.dmp
\Users\Admin\AppData\Local\Temp\loguc.exe
| MD5 | b5d1597c697ba9d2b55573d7bb6dc0a9 |
| SHA1 | d8bc43d1b8f0c518bc053e57125f99fec2696e35 |
| SHA256 | b6f41f56bae2fdd0ece209869283ccced725426402ca18eaced939e1edb16513 |
| SHA512 | 83a9b7d2676b154353a72dbb8a8293fe86c487200e887cf2f1f1f0df952eaab0bdd0ff932ee15ddcc3c8c637770791014a28ca9dd820ad616db2b1ce97b9bb79 |
memory/2312-38-0x0000000002280000-0x0000000002319000-memory.dmp
memory/2984-44-0x0000000000290000-0x0000000000329000-memory.dmp
memory/2984-43-0x0000000000290000-0x0000000000329000-memory.dmp
memory/2312-42-0x0000000000030000-0x00000000000B1000-memory.dmp
memory/2984-48-0x0000000000290000-0x0000000000329000-memory.dmp
memory/2984-49-0x0000000000290000-0x0000000000329000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 20:54
Reported
2024-10-09 20:56
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\piuto.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\piuto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qywog.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qywog.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\piuto.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe
"C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe"
C:\Users\Admin\AppData\Local\Temp\piuto.exe
"C:\Users\Admin\AppData\Local\Temp\piuto.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\qywog.exe
"C:\Users\Admin\AppData\Local\Temp\qywog.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
Files
memory/1532-0-0x00000000001E0000-0x0000000000261000-memory.dmp
memory/1532-1-0x00000000005F0000-0x00000000005F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\piuto.exe
| MD5 | f6d5aee17541d30bff99dbde86ff3288 |
| SHA1 | 4cb1b41b41920aaf1dff1e9640762cec330d5456 |
| SHA256 | 7e08c19e504c9a2d6d4fda28a4297091fd18f86a2839fb7763e79bb6a9a75ca7 |
| SHA512 | 47b34f75f1466307c910048b716deef858d6bc537e384fe27310df31885491541558d916a001eaec09417e5cbc6d4b6433823499597fd66ba63df48d85e134e9 |
memory/1448-14-0x0000000000370000-0x0000000000371000-memory.dmp
memory/1448-11-0x00000000003C0000-0x0000000000441000-memory.dmp
memory/1532-17-0x00000000001E0000-0x0000000000261000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | a129f7006d659db178e1b168e315ce17 |
| SHA1 | d5afb73a25320a15b22829bdc3605e947d080b1a |
| SHA256 | 90bb0f37a3cd9b41352b910ad81fec35c2230c763f6e66f5646cd3e1ca6b500a |
| SHA512 | 75988da030b8b745b11a2fb739412ef18a8f6ea0043e537b678668c426ed8494749ea8a13c2c91a9a274d5af519b6ba2115367e371fc1c3066d66609621bec0c |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 042ba83e3e713b5ca18eb65317d8f6cc |
| SHA1 | cc3fbfeeea8cee6202f6aa8b34ac95e5296e8b2c |
| SHA256 | 0fffbb2a6c3889a616e5d0f56a1555fd204cf37cbe489ec20727eb789631b018 |
| SHA512 | b2cd15677794370328d7a90efe5f0418215689e2050878c4069eda5e9e9ef505410f9de90a4c08576fd70a0add9aec74a34ddae539b96c16dd8e754cd97d6734 |
memory/1448-20-0x00000000003C0000-0x0000000000441000-memory.dmp
memory/1448-21-0x0000000000370000-0x0000000000371000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qywog.exe
| MD5 | 018711cd81a7011dc8908bf1811a96b5 |
| SHA1 | 4e903b2500870f01703b2e0410864544f83d19c7 |
| SHA256 | 072c2e725034e191447fcac4aea2033e67b1e486be2c7996e2d4df2f7f58fa3b |
| SHA512 | 77fcca97e98a31eec6a8218c812d5441dbc5da2668b459e7749088608f116edec5fffbc3f70d54172dc45e566c76a298cc53b24a02b290d5e8e4601711ed6503 |
memory/3460-42-0x0000000000520000-0x0000000000522000-memory.dmp
memory/1448-44-0x00000000003C0000-0x0000000000441000-memory.dmp
memory/3460-39-0x00000000005D0000-0x0000000000669000-memory.dmp
memory/3460-41-0x00000000005D0000-0x0000000000669000-memory.dmp
memory/3460-46-0x00000000005D0000-0x0000000000669000-memory.dmp
memory/3460-47-0x00000000005D0000-0x0000000000669000-memory.dmp