Analysis Overview
SHA256
c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002
Threat Level: Known bad
The file c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 00:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 00:16
Reported
2024-10-10 00:19
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\suhis.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suhis.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buibt.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\suhis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\buibt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe
"C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe"
C:\Users\Admin\AppData\Local\Temp\suhis.exe
"C:\Users\Admin\AppData\Local\Temp\suhis.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\buibt.exe
"C:\Users\Admin\AppData\Local\Temp\buibt.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4928-0-0x00000000006B0000-0x0000000000731000-memory.dmp
memory/4928-1-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\suhis.exe
| MD5 | 891aec2a52c84672b4ba8c233aa2d87a |
| SHA1 | 1c47b3f9cc860b13e76cd5050ee170606fad34fa |
| SHA256 | 446b7b35a26c8f96ea3676ff0458d3aae2bce96d398192695c6241a978ece0ac |
| SHA512 | eef21d26fa37733c91280b4902a0be16b0f7546fdb2b07177637cffe1bbf9eafa0bbf2bc448173e637a23a6cd7d7b268d9256ef31dd96d2bfd7ffa114de9a712 |
memory/924-11-0x0000000000560000-0x00000000005E1000-memory.dmp
memory/924-14-0x0000000000F60000-0x0000000000F61000-memory.dmp
memory/4928-17-0x00000000006B0000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 0724ffceef07fee872724738577bcf31 |
| SHA1 | f356ffa6edaf7df7c94346713a9da4331d0afa4b |
| SHA256 | b5540356d410b430d518472dbbfab405deb8a5d6899a175e481567f9bb67a216 |
| SHA512 | 03ec26b0757ae6cd4f80f85e2c901a2af386467aaee152c1eac210212fcde3c5de3c7e1609080d88ed1a2b2d32c9aaf37a126f3e64614d530dc7e64ca2f70522 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9779f548674c033aa1fde60405f6c3d2 |
| SHA1 | 75977e67934695de14b728e33a562e43ccdc45c0 |
| SHA256 | 76033fc7d26e3ecad23de053732637968c76cb872a43e1ae005ae654b406c312 |
| SHA512 | bb00eb4260f8c7e70296c5a00e879e3526ce5fad4e79c4cb25550611eb782264ab570b65cb6c1aa09d2665a4d877dfff36431b3616895ab9f9e0d5979d100852 |
memory/924-20-0x0000000000560000-0x00000000005E1000-memory.dmp
memory/924-21-0x0000000000F60000-0x0000000000F61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\buibt.exe
| MD5 | 7b0dbd18bdbbab4bab4857cec16332a9 |
| SHA1 | 85c7f708c9f19677e680683250c91434bced9d95 |
| SHA256 | 63c35908b930213563e343233555ecf75517e073d06b30259e3217fb3b0a10d8 |
| SHA512 | e3a8f02aa48907049d0fd2b43c2d552c6b88251f94bf460255faaa3c6ce65880797e4e8732cbe7af50d2b8f2f25c9a9b35cf5944dea1009a305da78c7becbda6 |
memory/928-39-0x00000000009E0000-0x00000000009E2000-memory.dmp
memory/928-38-0x00000000001D0000-0x0000000000269000-memory.dmp
memory/924-41-0x0000000000560000-0x00000000005E1000-memory.dmp
memory/928-42-0x00000000001D0000-0x0000000000269000-memory.dmp
memory/928-47-0x00000000009E0000-0x00000000009E2000-memory.dmp
memory/928-46-0x00000000001D0000-0x0000000000269000-memory.dmp
memory/928-48-0x00000000001D0000-0x0000000000269000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 00:16
Reported
2024-10-10 00:19
Platform
win7-20240903-en
Max time kernel
119s
Max time network
78s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ruvuj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hoxib.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ruvuj.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hoxib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ruvuj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe
"C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe"
C:\Users\Admin\AppData\Local\Temp\ruvuj.exe
"C:\Users\Admin\AppData\Local\Temp\ruvuj.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\hoxib.exe
"C:\Users\Admin\AppData\Local\Temp\hoxib.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2168-0-0x0000000000C70000-0x0000000000CF1000-memory.dmp
memory/2168-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\ruvuj.exe
| MD5 | 21e0df4ad940c678813fb58e95272cc1 |
| SHA1 | b6dc12aa329e7d338176bdf7684bb5ec9b2f0655 |
| SHA256 | 08d6d2de7497ae6724657e15a5acbd9c66e775bda81e5773f1611ea88bd7617d |
| SHA512 | cd9fd414082e6b4024a6902818f8953e825e2bd1878dbd28d22a69b3f62214398e042140ca84f7c980006765cddef2a324ccb575675d86f5be0517504f6b3da8 |
memory/2168-7-0x0000000000BE0000-0x0000000000C61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 0724ffceef07fee872724738577bcf31 |
| SHA1 | f356ffa6edaf7df7c94346713a9da4331d0afa4b |
| SHA256 | b5540356d410b430d518472dbbfab405deb8a5d6899a175e481567f9bb67a216 |
| SHA512 | 03ec26b0757ae6cd4f80f85e2c901a2af386467aaee152c1eac210212fcde3c5de3c7e1609080d88ed1a2b2d32c9aaf37a126f3e64614d530dc7e64ca2f70522 |
memory/1824-12-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1824-11-0x0000000000160000-0x00000000001E1000-memory.dmp
memory/2168-21-0x0000000000C70000-0x0000000000CF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 04eff1da14f48809e43f1ece015b1c8c |
| SHA1 | b04376b3699a0eabf6b88385b274d2a761b76bed |
| SHA256 | b38c6f2917fc1142c59e967d5def46fd5551de01b5cfaf640a5eb2d7bf4e2f3f |
| SHA512 | 34577dc0edcb3a75f5dc930f241786d2eba3abea480436470dcef739961b4faeefd7aa7b41ac88578b9762e6f28c7cb323452b1bf50b4ac3b1247edb3b66c58a |
memory/1824-24-0x0000000000160000-0x00000000001E1000-memory.dmp
memory/3008-42-0x0000000000DE0000-0x0000000000E79000-memory.dmp
memory/1824-41-0x0000000000160000-0x00000000001E1000-memory.dmp
memory/3008-45-0x0000000000DE0000-0x0000000000E79000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hoxib.exe
| MD5 | 18f745d0a6fa037db7637b2b6d266234 |
| SHA1 | 6c944685d43a38bdce8bcb83caf7e7899887791e |
| SHA256 | 59fb44e298f490d98ea49cd7c6e21da95600762e62f56d2c57eeaa8234e11465 |
| SHA512 | dc35b7a85f825df42dde4276df8302b528d972200971850d315a2afe2b016d93ae35de59faf7816fa5e045770ee56e9636c2aa3be6d2254124b7002e64873a43 |
memory/1824-37-0x0000000003550000-0x00000000035E9000-memory.dmp
memory/3008-47-0x0000000000DE0000-0x0000000000E79000-memory.dmp
memory/3008-48-0x0000000000DE0000-0x0000000000E79000-memory.dmp