Analysis Overview
SHA256
574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53e
Threat Level: Known bad
The file 574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 02:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 02:51
Reported
2024-10-10 02:53
Platform
win7-20240708-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\moreu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oqidm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\moreu.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\moreu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oqidm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe
"C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe"
C:\Users\Admin\AppData\Local\Temp\moreu.exe
"C:\Users\Admin\AppData\Local\Temp\moreu.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\oqidm.exe
"C:\Users\Admin\AppData\Local\Temp\oqidm.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2052-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2052-0-0x0000000000E50000-0x0000000000ED1000-memory.dmp
\Users\Admin\AppData\Local\Temp\moreu.exe
| MD5 | bb933fbe1ca2c57f620d8b017bb1b4a4 |
| SHA1 | cab0f62bd8bed9fa98e0c5d5d33bc1a15e1541e8 |
| SHA256 | 8d41e0adab8864ede196517a2f898f02493ef9b7fab489bcb02105471eaf4396 |
| SHA512 | 6e3cbccb15a0222ce2da323cf41b0b7ed4f4c3fb116e7c4309a709fb235b7ca76ea5090ac1b96c7eb7ae8f6173f23a03386371c840e41f6a220ae50e049e7bd5 |
memory/2052-19-0x0000000000E50000-0x0000000000ED1000-memory.dmp
memory/2136-21-0x0000000000EE0000-0x0000000000F61000-memory.dmp
memory/2136-20-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2052-16-0x0000000000C00000-0x0000000000C81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 2ac8bad7a05f3bdc1723eef5800eb79c |
| SHA1 | a044dd8d21f925f722d8928ab090ed0700440102 |
| SHA256 | 4e21be48d3d6bf7a95c749ba0d9f9fddef739edcb6445032282dffe033169d28 |
| SHA512 | 480e592af44a045b8f0ef68f5b71404bc6ed09c66c9443821dc562435386e8ab886ce2c75ae82a07ed31a35481c5cb22f837253a9ff518144198858334c3dace |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 957de31757e9549a9373adb0f3d7d7e8 |
| SHA1 | 5474c74a301b507cb9ea8e5f13eb3af862b2dbab |
| SHA256 | 3bba5775049c93a70c4d43ca98d0b93490808db27422693679578586ad611a1f |
| SHA512 | f5447acb2cb3bca93814f8e9f81dd5b0cc4c029dc9d7e8295051016c10a5035b6e29b9b88ba80e8be110d13bd86bb24dcdc960cf9c38bf81ba011bb50ff771e8 |
memory/2136-24-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2136-25-0x0000000000EE0000-0x0000000000F61000-memory.dmp
\Users\Admin\AppData\Local\Temp\oqidm.exe
| MD5 | 25643646cdfa09142cf3b815c76367f5 |
| SHA1 | 8581eb14f1bf584a033e17a29e22edc4611cae0e |
| SHA256 | b78579b7ccf24d26ba82b7c8b5d3ded7701f312c82cbe528be992c452f6e6efa |
| SHA512 | 849466cb8b011237715314407384a515a221fb09afe52a03f61371f92f6bd6ebcc0d0bb6df33d51b76c56e95b542d6d41f4bb4a199d8bb2a3857108dbbbfce26 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 02:51
Reported
2024-10-10 02:53
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
96s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qekoz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qekoz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cipoj.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qekoz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cipoj.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe
"C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe"
C:\Users\Admin\AppData\Local\Temp\qekoz.exe
"C:\Users\Admin\AppData\Local\Temp\qekoz.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\cipoj.exe
"C:\Users\Admin\AppData\Local\Temp\cipoj.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3100-0-0x00000000002D0000-0x0000000000351000-memory.dmp
memory/3100-1-0x0000000000570000-0x0000000000571000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qekoz.exe
| MD5 | 3132bf33042f4ae6b883db5154c94c1a |
| SHA1 | b359faa2e1482dfde712cdc4b59a902e37878b90 |
| SHA256 | 526b1d1acd9134386dd71d8aacabf9f317f2e54eea3c6db3dd3c047ea14634c8 |
| SHA512 | e991786386bc11f7ad9bb98d04c4887d4367f6e773b397aa9389b2398e16ce50d506d8c8eca4043ce6dc6cb82afefa88be8f79bfb78a6d7d3f0b667c8bde0ed0 |
memory/1000-11-0x0000000000880000-0x0000000000901000-memory.dmp
memory/1000-14-0x0000000000840000-0x0000000000841000-memory.dmp
memory/3100-17-0x00000000002D0000-0x0000000000351000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 2ac8bad7a05f3bdc1723eef5800eb79c |
| SHA1 | a044dd8d21f925f722d8928ab090ed0700440102 |
| SHA256 | 4e21be48d3d6bf7a95c749ba0d9f9fddef739edcb6445032282dffe033169d28 |
| SHA512 | 480e592af44a045b8f0ef68f5b71404bc6ed09c66c9443821dc562435386e8ab886ce2c75ae82a07ed31a35481c5cb22f837253a9ff518144198858334c3dace |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1f825bd1d2f8366713c2ba72083579ff |
| SHA1 | b86a4edc26bdf897e4e340ebe8ecf49c53a799bd |
| SHA256 | a055b21159d71a37a91ad912fb07f66c54b3736c38670f89a7c4014cd49ae919 |
| SHA512 | dfd2a18b239a39593de0c922c8857326c4741f76bf9413f8c6da60dd62892d8e3accc4d01ddf72ee95aa61290924bbb70f8d28d28b06e3fec94cc55649c97e42 |
memory/1000-20-0x0000000000880000-0x0000000000901000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cipoj.exe
| MD5 | 1f17f5be646a5678e43bd59ddc1264d8 |
| SHA1 | 87f17cfe5f7f1462812074772ca10427af0fb8f4 |
| SHA256 | 3ed9c61079d98f69e4c6ffbaa1160ae09c6ca5ff8214a6a29e420431e00393f7 |
| SHA512 | 3eeebc20e4a8752646fbf8470a63fdacad1f22697e3a4f848d183be113e20f018426703bc9d2add4e6530456e451ad172440342907470ed48d46e0466dee6679 |