Analysis Overview
SHA256
88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906
Threat Level: Known bad
The file 88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 23:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 23:50
Reported
2024-10-10 23:52
Platform
win7-20241010-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cagol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xousi.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cagol.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xousi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cagol.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe
"C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe"
C:\Users\Admin\AppData\Local\Temp\cagol.exe
"C:\Users\Admin\AppData\Local\Temp\cagol.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\xousi.exe
"C:\Users\Admin\AppData\Local\Temp\xousi.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2104-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2104-0-0x0000000000AC0000-0x0000000000B41000-memory.dmp
\Users\Admin\AppData\Local\Temp\cagol.exe
| MD5 | 3267f77f95f6ffd823c07419eff0565b |
| SHA1 | c22612d2094268833d0749af80418a4659d05809 |
| SHA256 | bebf183f2824edba73633af935df56d73e69d8e7149832e04350e14e923a6beb |
| SHA512 | 5f9170f85a93d72325ba8b1a8fc79eda4b30da90591136fea90a8268ca30aefb8ea149b1d671669a954cc5548744f657afe2fa0ca90b7147e172ee0715fc8883 |
memory/2116-17-0x0000000000AD0000-0x0000000000B51000-memory.dmp
memory/2116-18-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 0ec6dc88a125dc33ea25b82abde5d8c7 |
| SHA1 | 178f76cc69bbe0d5d9ebd19391c422fa7c040fa6 |
| SHA256 | d6609b7c97ee3e26ffec9ab3a404925d1737b55c62767cfd283a686a77bd3ed3 |
| SHA512 | 63f2e656c55aab111ee6537a5e1189359fe55fdd326c15bfc585756f8182815a7e8775f0c731a252fc1ee8da04f9a2145c96fe6673b05ee898732d4af0c968c2 |
memory/2104-9-0x0000000000A10000-0x0000000000A91000-memory.dmp
memory/2104-21-0x0000000000AC0000-0x0000000000B41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7a8bc1ee5918cc31168dfe1c584ba883 |
| SHA1 | 8146f27c23cebcc796ecd2b54beb231b240f7a24 |
| SHA256 | 384586dde887b0f2853cdac6debdc20c9fb7696ac8873940802f9f99fd228985 |
| SHA512 | 560bda137f39bbfc857c0e0bbe7b04dc1023a17db1b9e73a31c958279d794e98436a9d04208ac818ea808f643390e604e0326db4a56e28f9507ee4b9ea227c54 |
memory/2116-24-0x0000000000AD0000-0x0000000000B51000-memory.dmp
\Users\Admin\AppData\Local\Temp\xousi.exe
| MD5 | bfceb569be4bbe6f8a7d3608a62a0fcb |
| SHA1 | 3e4b5b803914f96861d4aec7c3b1325d14b2d5bd |
| SHA256 | ab57c53fa96910a3048148b9b55191c2a7d6d172e7b443043771a4c781fcbdaa |
| SHA512 | 06a78f8129beca28dab1e8d6f44002d198320b908b3091aabbcd99bd4ed70677493b0a5366439ac90ecbb546fd951a08e4d751eef759d955936a58be3c011f48 |
memory/2116-37-0x0000000003630000-0x00000000036C9000-memory.dmp
memory/1928-43-0x0000000001010000-0x00000000010A9000-memory.dmp
memory/1928-42-0x0000000001010000-0x00000000010A9000-memory.dmp
memory/2116-41-0x0000000000AD0000-0x0000000000B51000-memory.dmp
memory/1928-47-0x0000000001010000-0x00000000010A9000-memory.dmp
memory/1928-48-0x0000000001010000-0x00000000010A9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 23:50
Reported
2024-10-10 23:52
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\comij.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\comij.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bitay.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bitay.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\comij.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe
"C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe"
C:\Users\Admin\AppData\Local\Temp\comij.exe
"C:\Users\Admin\AppData\Local\Temp\comij.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\bitay.exe
"C:\Users\Admin\AppData\Local\Temp\bitay.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1528-0-0x0000000000630000-0x00000000006B1000-memory.dmp
memory/1528-1-0x0000000000910000-0x0000000000911000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\comij.exe
| MD5 | 108c63d7577755867d21299c6a066dc7 |
| SHA1 | cce23defb7bfdf6f375a4f2de07b2887e697f050 |
| SHA256 | 0ad6c86fc240103277bde41baddecedf529b198ef27862933316b6ae165ba1f9 |
| SHA512 | c68b2218968bb33af8237698a43c68920e269c1e87a736cc3d3e4bb76425e857f2c5c220b75852a4567551d739a9a71ac0bf1f9a03a31a97f724e634aed00cac |
memory/4468-11-0x0000000000B20000-0x0000000000BA1000-memory.dmp
memory/4468-14-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
memory/1528-17-0x0000000000630000-0x00000000006B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 0ec6dc88a125dc33ea25b82abde5d8c7 |
| SHA1 | 178f76cc69bbe0d5d9ebd19391c422fa7c040fa6 |
| SHA256 | d6609b7c97ee3e26ffec9ab3a404925d1737b55c62767cfd283a686a77bd3ed3 |
| SHA512 | 63f2e656c55aab111ee6537a5e1189359fe55fdd326c15bfc585756f8182815a7e8775f0c731a252fc1ee8da04f9a2145c96fe6673b05ee898732d4af0c968c2 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 748b387e3be6c05cc44417375162d4de |
| SHA1 | d09b5ec7a8edb74d921ec97da32db4fb988028cb |
| SHA256 | dbaf7a9c6c784440b3bd2eea97e9077f89d7686e2145185a3882f02d1d2c444a |
| SHA512 | 0a9ec7cec82281741b3ce756d3dc1187a23182142dd191562e22ce0425d1cbadb1b5314d9d173712ee7f8d0ea54621706d35533a6b3e66ce32f5d8c059d7ad8f |
memory/4468-20-0x0000000000B20000-0x0000000000BA1000-memory.dmp
memory/4468-21-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bitay.exe
| MD5 | a17cbc8bcecae87c3c7fed46ba671c9a |
| SHA1 | 159ac8425a0139a2e5e16aa9f9911dd527bffc78 |
| SHA256 | 309cdb9a2fc82b5328b5a728066b9f3ccc36fbab806c32c159734348ad516ab7 |
| SHA512 | 48c0d99c759c7f5a999f2249fa73cad95327561f6cd924472f32cc8b17a8690424436a6f3f4aca820f79b3eb789ee91dd8a39dc8d526a7603794aea8e39c6bd3 |
memory/4468-43-0x0000000000B20000-0x0000000000BA1000-memory.dmp
memory/116-40-0x0000000000100000-0x0000000000199000-memory.dmp
memory/116-39-0x0000000000BF0000-0x0000000000BF2000-memory.dmp
memory/116-38-0x0000000000100000-0x0000000000199000-memory.dmp
memory/116-45-0x0000000000BF0000-0x0000000000BF2000-memory.dmp
memory/116-46-0x0000000000100000-0x0000000000199000-memory.dmp
memory/116-47-0x0000000000100000-0x0000000000199000-memory.dmp