Analysis Overview
SHA256
32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9
Threat Level: Known bad
The file 32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 03:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 03:32
Reported
2024-10-10 03:34
Platform
win7-20240903-en
Max time kernel
120s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vuuzm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duovt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vuuzm.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\duovt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vuuzm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe
"C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe"
C:\Users\Admin\AppData\Local\Temp\vuuzm.exe
"C:\Users\Admin\AppData\Local\Temp\vuuzm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\duovt.exe
"C:\Users\Admin\AppData\Local\Temp\duovt.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2972-0-0x0000000000D40000-0x0000000000DC1000-memory.dmp
memory/2972-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\vuuzm.exe
| MD5 | 9f6b370113535aa1eaf6433cd3d9ae45 |
| SHA1 | 8b14b4fbeb1a7624efe201d3fa0f0c3c8a976d08 |
| SHA256 | 24ff86e79148c87b68cad6ce4be77a65dc5f28794f6585a45715efe85bcc85a5 |
| SHA512 | f2c32f537d7dfc33b4c94ff9003d5f8626702e84a141bc3213ee8618d5571f502d33df65c2e67794f9d5b14199d10f0df687656ced9e641ae0ebe7644cb54cbc |
memory/2368-12-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2368-11-0x0000000000C50000-0x0000000000CD1000-memory.dmp
memory/2972-10-0x0000000000C50000-0x0000000000CD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 2caa52bcf6a6a165c89037603b1e0422 |
| SHA1 | 480972ca5827afb9483bed3facd830ca8bcd819d |
| SHA256 | f7ad65b6ff6d3c6b0a861957f9320bec9691dd16f0daca5e4834634bd4605685 |
| SHA512 | 4d5040e6c469c0ef98cd1afa4c3d1ab3a03e1c89e3bb682af3eb97c71a44e55b3a4d9290e048c2afa830e1a224f706aa6cabdd492b9ec9a5c0cdcc15fada1758 |
memory/2972-21-0x0000000000D40000-0x0000000000DC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 13d2d94636b9f0baa0649bf101f98e36 |
| SHA1 | e23065df66d7f5e81dc1de10b1289102172ff7a6 |
| SHA256 | 21bad59a0527bb387a36a36f1fe6518fc939b2153954a0f206caf49c717fe4b8 |
| SHA512 | 231143703b53f4e752d4bf176d1ee2466394647e842e23112055721a1ad2aad42ed5b052eb916c5d1216dba628c2aab9d8fc001e4eec07ad3e71ca473f929bd9 |
memory/2368-24-0x0000000000C50000-0x0000000000CD1000-memory.dmp
\Users\Admin\AppData\Local\Temp\duovt.exe
| MD5 | 89b2af1f1b013f5f3692427f8e715f37 |
| SHA1 | afd03a608c02e2c89d34f6e40e03ceaf698553df |
| SHA256 | badb78f117935c8c4b7813738ca58bbfe0a4194cfb6470b8408a20bbd0920d14 |
| SHA512 | 114d1cdd2a0f410fcbcde90ae8989b24f5a8d7e046b28cd2154c5d6b34e846c31523bff1043114c58af84f2327d13e698a152ecd31cdacfb34abc3ab8ddc46ef |
memory/2368-38-0x0000000003FA0000-0x0000000004039000-memory.dmp
memory/2556-45-0x00000000003D0000-0x0000000000469000-memory.dmp
memory/2556-42-0x00000000003D0000-0x0000000000469000-memory.dmp
memory/2368-41-0x0000000000C50000-0x0000000000CD1000-memory.dmp
memory/2556-47-0x00000000003D0000-0x0000000000469000-memory.dmp
memory/2556-48-0x00000000003D0000-0x0000000000469000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 03:32
Reported
2024-10-10 03:34
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wovoi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wovoi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\noajx.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\noajx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wovoi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe
"C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe"
C:\Users\Admin\AppData\Local\Temp\wovoi.exe
"C:\Users\Admin\AppData\Local\Temp\wovoi.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\noajx.exe
"C:\Users\Admin\AppData\Local\Temp\noajx.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/4180-0-0x0000000000010000-0x0000000000091000-memory.dmp
memory/4180-1-0x00000000003D0000-0x00000000003D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wovoi.exe
| MD5 | bf30a17560a5cedfdf660b286c60fd78 |
| SHA1 | a73aadcef94b250bf8387764f5af321296056112 |
| SHA256 | 42a36deb372fd005ef8df1873db636d6d82f7e9b93bc38a38456237fd9512cf3 |
| SHA512 | 73234c7b2950b0e169cebdd4c955277040a3da7505ab1b77711c71c1382f02d9979ad4fc9f913fb66d456869c85945b6dd9590043882ed94f89705d23afadf4d |
memory/2140-14-0x0000000000F90000-0x0000000000F91000-memory.dmp
memory/2140-11-0x00000000006D0000-0x0000000000751000-memory.dmp
memory/4180-17-0x0000000000010000-0x0000000000091000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 2caa52bcf6a6a165c89037603b1e0422 |
| SHA1 | 480972ca5827afb9483bed3facd830ca8bcd819d |
| SHA256 | f7ad65b6ff6d3c6b0a861957f9320bec9691dd16f0daca5e4834634bd4605685 |
| SHA512 | 4d5040e6c469c0ef98cd1afa4c3d1ab3a03e1c89e3bb682af3eb97c71a44e55b3a4d9290e048c2afa830e1a224f706aa6cabdd492b9ec9a5c0cdcc15fada1758 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8f986fe109aab23f7920b0791350bcec |
| SHA1 | cc14bc682c33ae3df4c1ec4f6e93a24575bc4f5a |
| SHA256 | 994e3a0890de3f24d9a34f78984ac8cf1473f8141382795fe60beca0df08f2bb |
| SHA512 | 6e629bb518f8c7f10014ecbd5bfb63ba42ed34662713fba7d6684fe2b88548cb3b8c2b150fac2fb0f03d69ac2b1957e5bd6fcffd19bfa8c448f2d43c0829afa3 |
memory/2140-20-0x00000000006D0000-0x0000000000751000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\noajx.exe
| MD5 | c350d2d6f78a8173ed694b835a60d22a |
| SHA1 | 2a7ea8e6a6f30dbe3ec10516c4954c5dce2dd73e |
| SHA256 | c76e9fa8f3958949f8a85ba7ac2002bd827604297d3f4801b2099dc8a0d59aa4 |
| SHA512 | 57d1929fa1ed1a3c594e725628afba60936d6333537d0b6d128ace466bd08e6f9e7ddb51e3ef91605f50f16e8730d9bd46876ac51656e9e7338910e285d428fe |
memory/2604-38-0x0000000000200000-0x0000000000202000-memory.dmp
memory/2140-40-0x00000000006D0000-0x0000000000751000-memory.dmp
memory/2604-37-0x0000000000280000-0x0000000000319000-memory.dmp
memory/2604-41-0x0000000000280000-0x0000000000319000-memory.dmp
memory/2604-46-0x0000000000200000-0x0000000000202000-memory.dmp
memory/2604-45-0x0000000000280000-0x0000000000319000-memory.dmp
memory/2604-47-0x0000000000280000-0x0000000000319000-memory.dmp