Analysis Overview
SHA256
f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9
Threat Level: Known bad
The file f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Deletes itself
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 04:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 04:37
Reported
2024-10-10 04:39
Platform
win7-20240729-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kugom.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\litoz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kugom.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kugom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\litoz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe
"C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe"
C:\Users\Admin\AppData\Local\Temp\kugom.exe
"C:\Users\Admin\AppData\Local\Temp\kugom.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\litoz.exe
"C:\Users\Admin\AppData\Local\Temp\litoz.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2132-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2132-0-0x00000000012B0000-0x0000000001331000-memory.dmp
\Users\Admin\AppData\Local\Temp\kugom.exe
| MD5 | 14789885cd64f92a85facdd73e4824d0 |
| SHA1 | aef110f06102d39f959b9b53d3a36de0662c51f2 |
| SHA256 | 3ca31294d0c590762de16961201600900a82b74cb461a6c2a24532c1657ef7cf |
| SHA512 | 44a77a20e2efd4c1500a0ed22e35d2c4206dc93ee47cf1ae87f65c88942cea07a0641a207d75f23bbb5dbed007e2ef56d636940ee58079cf62a851b3af217dc5 |
memory/2132-19-0x00000000012B0000-0x0000000001331000-memory.dmp
memory/2764-21-0x0000000001130000-0x00000000011B1000-memory.dmp
memory/2764-20-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2132-15-0x0000000001130000-0x00000000011B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | b2f810e7a605155d105d0a5b947a8190 |
| SHA1 | 398279a4211f8e6e70c0740302a25bdf3fb71758 |
| SHA256 | 3728e82f4121a317af347965593685d4b947d36c7b81e89f512fe9a57722f1ce |
| SHA512 | 8d717a050410028cd96971a0d698f2389c2e8f749e0b32f54ab1a00e0b67bc2fdd1e9e8cbf60bc62f88d4319362d3cf6414c196f8b594d6b1d0298834a565373 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 95b29b48f3b01d2ad3aa4ab68136fd39 |
| SHA1 | 1c12d2922322dafb4b77add23cc8760159df6e68 |
| SHA256 | 98f0b5aeefd49138fe4f89c80e0ae2e973881c3f6452093d8b8feea945c4f2ed |
| SHA512 | a0c1ad81f6f048a7a7d8797350e37b3ef7b427fc298225369c0c06635c3382b92571530e6938d5830711d5bec79448448ce16480ae8b286b8e6089643e6eebef |
memory/2764-24-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2764-25-0x0000000001130000-0x00000000011B1000-memory.dmp
memory/2764-39-0x0000000003330000-0x00000000033C9000-memory.dmp
memory/2764-42-0x0000000001130000-0x00000000011B1000-memory.dmp
memory/2872-43-0x0000000000DD0000-0x0000000000E69000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\litoz.exe
| MD5 | 1ea6febb411b8c13394b5c5c43d5bffd |
| SHA1 | 425fbeae3e4023e3d6cc223aa6a36c091ea155e3 |
| SHA256 | 97d19695a507ce2a7d379ed0bd7917430d7a33ebd93ffbb693d0e2b2eefaee47 |
| SHA512 | 410eca7b10d43e495726c01f21aee29a3d76615c6d06c9ad98cfa2f1447d0d7461667d7fec61d1daffcd4153e8ca89e199e08d634d786012235deb7bfe94155c |
memory/2872-44-0x0000000000DD0000-0x0000000000E69000-memory.dmp
memory/2872-48-0x0000000000DD0000-0x0000000000E69000-memory.dmp
memory/2872-49-0x0000000000DD0000-0x0000000000E69000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 04:37
Reported
2024-10-10 04:39
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\voame.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\voame.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\muifj.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\voame.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\muifj.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe
"C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe"
C:\Users\Admin\AppData\Local\Temp\voame.exe
"C:\Users\Admin\AppData\Local\Temp\voame.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\muifj.exe
"C:\Users\Admin\AppData\Local\Temp\muifj.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
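Both detonations show the same three behaviours that drive the "Known bad" verdict: a second-stage executable written to and run from the user's Temp directory (kugom.exe/litoz.exe in behavioral1, voame.exe/muifj.exe in behavioral2), cmd.exe launched with `/c` on a Temp-resident batch file (`_uinsey.bat`, the "Deletes itself" signature), and outbound TCP to 218.54.31.x, 1.234.83.146 and 133.242.129.155 on ports 11300/11170. The script below is an added example, not part of the sandbox report or of any vendor tooling; it encodes those three observations as detection rules and runs them over constructed process-creation and network events modelled on the behavioral1 process tree. The PIDs 2132, 2764 and 2872 are read off the memory-dump names in the Files section; the cmd.exe PID, the per-process attribution of the connections, and the two-hit threshold in `verdict()` are assumptions.

```python
import re
from dataclasses import dataclass

# Paths and names taken from the report; the events further down are constructed
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe"
# Destination ports seen in both detonations' Network tables
OBSERVED_PORTS = {11300, 11170}
# Matches both `cmd /c ""C:\...\x.bat" "` and `C:\...\cmd.exe /c ""C:\...\x.bat" "`
BAT_RE = re.compile(r'/c\s+"{1,2}([^"]+\.bat)"', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int
    proto: str


def tmp(name: str) -> str:
    return TEMP_DIR + "\\" + name


def in_temp(path: str) -> bool:
    return path.lower().startswith(TEMP_DIR.lower() + "\\")


def find_dropped_exe_exec(procs):
    """Executables run from Temp (other than the submitted sample) whose parent
    is itself Temp-resident: the 'Executes dropped EXE' pattern."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if (parent is not None and in_temp(p.image) and in_temp(parent.image)
                and p.image.lower().endswith(".exe")
                and p.image.rsplit("\\", 1)[-1] != SAMPLE):
            hits.append(p.image)
    return hits


def find_temp_batch_launch(procs):
    """cmd.exe running a .bat out of Temp: the launcher behind 'Deletes itself'."""
    hits = []
    for p in procs:
        if p.image.lower().endswith("\\cmd.exe"):
            m = BAT_RE.search(p.cmdline)
            if m and in_temp(m.group(1)):
                hits.append((p.pid, m.group(1)))
    return hits


def find_observed_port_connections(nets):
    """Outbound TCP to the high ports this sample was seen talking to."""
    return [(n.dst_ip, n.dst_port) for n in nets
            if n.proto == "tcp" and n.dst_port in OBSERVED_PORTS]


def triage(procs, nets):
    return {
        "dropped_exe": find_dropped_exe_exec(procs),
        "temp_batch": find_temp_batch_launch(procs),
        "observed_ports": find_observed_port_connections(nets),
    }


def verdict(report) -> str:
    # Two independent behaviours together are called suspicious (assumed threshold)
    return "suspicious" if sum(1 for v in report.values() if v) >= 2 else "clean"


# Constructed events modelled on the behavioral1 process tree. The cmd.exe PID
# (2800) and which process owns each connection are assumptions, not report data.
PROCS = [
    ProcEvent(2132, 1000, tmp(SAMPLE), '"' + tmp(SAMPLE) + '"'),
    ProcEvent(2764, 2132, tmp("kugom.exe"), '"' + tmp("kugom.exe") + '"'),
    ProcEvent(2800, 2132, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c ""' + tmp("_uinsey.bat") + '" "'),
    ProcEvent(2872, 2764, tmp("litoz.exe"), '"' + tmp("litoz.exe") + '"'),
]
NETS = [
    NetEvent(2764, "218.54.31.226", 11300, "tcp"),
    NetEvent(2764, "1.234.83.146", 11170, "tcp"),
    NetEvent(2872, "218.54.31.166", 11300, "tcp"),
    NetEvent(2872, "133.242.129.155", 11300, "tcp"),
    # background traffic like the g.bing.com connection in behavioral2; not flagged
    NetEvent(2132, "150.171.28.10", 443, "tcp"),
]

if __name__ == "__main__":
    rep = triage(PROCS, NETS)
    for name, hits in rep.items():
        print(f"{name}: {hits}")
    print("verdict:", verdict(rep))
```

The batch-file rule keys on the doubled-quote `cmd /c ""<path>" "` shape that both detonations show, and on the batch living in Temp, rather than on the hard-coded name `_uinsey.bat`, since a dropper is free to rename the file between builds. The port rule is the weakest of the three on its own (11300/11170 are just what this sample used), which is why `verdict()` requires two categories to fire before raising the result.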
Files
memory/1996-0-0x0000000000C20000-0x0000000000CA1000-memory.dmp
memory/1996-1-0x00000000005A0000-0x00000000005A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\voame.exe
| MD5 | e8f62c96e48720fb1a0973e7e72006de |
| SHA1 | 9c16fc39df1d4de78f373c0fe3fe4767e2f2d9dc |
| SHA256 | 1c277a3f7a221f0817c358113e72c1468f0ec07208abbd24c98e81fa5f5675f0 |
| SHA512 | 4865499e62f43031eb09709f1e70233363ec3dfa49fb06711e0a3eef27987e7c9cb5dba97b8514e119076b7c8226f4150306c81daf93b71a66ea57266c61cea7 |
memory/5008-11-0x00000000009D0000-0x0000000000A51000-memory.dmp
memory/5008-13-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
memory/1996-17-0x0000000000C20000-0x0000000000CA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | b2f810e7a605155d105d0a5b947a8190 |
| SHA1 | 398279a4211f8e6e70c0740302a25bdf3fb71758 |
| SHA256 | 3728e82f4121a317af347965593685d4b947d36c7b81e89f512fe9a57722f1ce |
| SHA512 | 8d717a050410028cd96971a0d698f2389c2e8f749e0b32f54ab1a00e0b67bc2fdd1e9e8cbf60bc62f88d4319362d3cf6414c196f8b594d6b1d0298834a565373 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b5fd85abc0599dd2b097010a3a9fd0fb |
| SHA1 | a1dc3efbc6d2e015fa7e222a76fd3c0b20668707 |
| SHA256 | 17f8c7946105091e46214e01107f932313fba4e078549ea820dd96d3feea59d5 |
| SHA512 | 8e409b7a2cd64997591ff20883274d4da4b298057b8fd73e62109bcdb25c7cd2b634e62e3db9787627af2e78820d073223b14fc42176d2df8ca61a4ec7e61b99 |
memory/5008-20-0x00000000009D0000-0x0000000000A51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\muifj.exe
| MD5 | 63a4efce12d2ce2914a641c9f25aff3d |
| SHA1 | 6ea6961ee71b9465de13184792a00ebcaf2ed5bb |
| SHA256 | 7d623da17a13e4710c8fdcb683c713b41c82977b3e72c378f4fc5c912b2d8539 |
| SHA512 | b4c59d21fc04d3fc801985c3a70fd91b7720795bf52bbdd2bec9277a18653e50197500df5bf19f2ed6fc0a270d81d5c1c0fa0b977f925630871b792d7cfb11a3 |
memory/5008-40-0x00000000009D0000-0x0000000000A51000-memory.dmp
memory/4456-38-0x00000000003F0000-0x00000000003F2000-memory.dmp
memory/4456-37-0x0000000000DE0000-0x0000000000E79000-memory.dmp
memory/4456-41-0x0000000000DE0000-0x0000000000E79000-memory.dmp
memory/4456-46-0x00000000003F0000-0x00000000003F2000-memory.dmp
memory/4456-45-0x0000000000DE0000-0x0000000000E79000-memory.dmp
memory/4456-47-0x0000000000DE0000-0x0000000000E79000-memory.dmp