Analysis Overview
SHA256
2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312
Threat Level: Known bad
The file 2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N was classified as: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 05:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 05:22
Reported
2024-10-10 05:24
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cisus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aclol.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cisus.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aclol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cisus.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe
"C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"
C:\Users\Admin\AppData\Local\Temp\cisus.exe
"C:\Users\Admin\AppData\Local\Temp\cisus.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\aclol.exe
"C:\Users\Admin\AppData\Local\Temp\aclol.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2576-0-0x0000000000220000-0x00000000002A1000-memory.dmp
memory/2576-1-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | d8ca98f5566c72ce8f642652674bebd1 |
| SHA1 | 00cb696909ab1f6ccf44a36a4c524c633fcdf634 |
| SHA256 | 49118f9536946bf95785ac001138ed4fb605f69e533c755ace4772d1e58351c0 |
| SHA512 | 738acd3d1cb95190afebe41c605a1cfa025c6d8cd5a99ad742e55ba62f0699e78e2a1e4fe21992298fb47fbbd54392472427b1eacd56be69cb966c7c6e4473ed |
C:\Users\Admin\AppData\Local\Temp\cisus.exe
| MD5 | 9a5d3ec8e0d0436169deb374554b5e8c |
| SHA1 | 901d18e80a78cc70ac72f07418225ed680930261 |
| SHA256 | a2f167332f637d53e4e9b569f9a9e8ccb341fc8947080441fb4a5e3c9d2ca965 |
| SHA512 | 0cd29924971d10b0d5f7149b932ba2a1fa2c49d51599e9743cf8dec03ada419d939c0eabac91a45287d3c41d082949e76e7d5a25631e96e1fdd49aee940e4abb |
memory/1724-20-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1724-19-0x0000000001390000-0x0000000001411000-memory.dmp
memory/2576-18-0x0000000000220000-0x00000000002A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b15d450d9fb22339b6cdda559d95b469 |
| SHA1 | 11d8927ba8f1c4cae617d55ae0913b1109f0a3af |
| SHA256 | fcfe658b894e0065279bc174ded77b5b08b8e22e48ef13a9d12e6043fe2702c6 |
| SHA512 | f9381d8a10623272096aa7fa443be1085ed16792b394ece03109e40ad487c31aab605997e27eb72d517f027e55b966cfb643d40cd1b4a70f04e9436d464723f3 |
memory/1724-23-0x0000000001390000-0x0000000001411000-memory.dmp
memory/2576-31-0x0000000002560000-0x00000000025E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\aclol.exe
| MD5 | d880e2d091170d05d15abc1f49ff7e5b |
| SHA1 | 95e8c4866a3fd264b5ac2c7c5cc54e0009740867 |
| SHA256 | 35bf12372f5662a8731f0acab6ee2ded815c5026284022920a31247ebf1acf0e |
| SHA512 | 3f2b770fd469fc3cb92e6e5085bd9777e153ca456f7c36851435d0694776a3a116e7c5ef6d040af47d4198c39b1db89dc8c6ce9f7683221fd9978e68a1df55d2 |
memory/1724-41-0x0000000001390000-0x0000000001411000-memory.dmp
memory/904-42-0x00000000011A0000-0x0000000001239000-memory.dmp
memory/1724-39-0x0000000003270000-0x0000000003309000-memory.dmp
memory/904-43-0x00000000011A0000-0x0000000001239000-memory.dmp
memory/904-47-0x00000000011A0000-0x0000000001239000-memory.dmp
memory/904-48-0x00000000011A0000-0x0000000001239000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 05:22
Reported
2024-10-10 05:24
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\oprio.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oprio.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zetov.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oprio.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zetov.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe
"C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"
C:\Users\Admin\AppData\Local\Temp\oprio.exe
"C:\Users\Admin\AppData\Local\Temp\oprio.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\zetov.exe
"C:\Users\Admin\AppData\Local\Temp\zetov.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/4960-0-0x0000000000FF0000-0x0000000001071000-memory.dmp
memory/4960-1-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oprio.exe
| MD5 | 16cc1859e49b4d11e14a22857a55695b |
| SHA1 | 2f7935c177eafc4900f0bae90bf7d976156d5e01 |
| SHA256 | 48aae625489072bd694cccaf91ff87efac4f06d3a91f249310396c9474e81cea |
| SHA512 | 0ab4049da36ea23cd46e0eccbea13d03084b478acc924b650fcb5d0775b4ff0291b8fda1c8b5dce990b878a5c607a4c3785c8699d6a0bade853c1b1a09b732c2 |
memory/1688-11-0x0000000000CA0000-0x0000000000D21000-memory.dmp
memory/1688-14-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/4960-16-0x0000000000FF0000-0x0000000001071000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | d8ca98f5566c72ce8f642652674bebd1 |
| SHA1 | 00cb696909ab1f6ccf44a36a4c524c633fcdf634 |
| SHA256 | 49118f9536946bf95785ac001138ed4fb605f69e533c755ace4772d1e58351c0 |
| SHA512 | 738acd3d1cb95190afebe41c605a1cfa025c6d8cd5a99ad742e55ba62f0699e78e2a1e4fe21992298fb47fbbd54392472427b1eacd56be69cb966c7c6e4473ed |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | c8e736929c5432ade6fd547e86cee784 |
| SHA1 | 61d94db6c1d9f8801059ef16ca9d8ce5436e4c64 |
| SHA256 | 249051d5a539a3bfffb1c0404b708221a5224c494a1178e059250bcbecbc867e |
| SHA512 | a1cb517cc557e6e82eb3c63ee38ac7aae787e78d327f90f6fc7ed0ab989fa17edbab301eb8f884b286f5ca454fd413cc7ed7d0ae09c6f74cbc32bad40a8192e6 |
memory/1688-19-0x0000000000CA0000-0x0000000000D21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zetov.exe
| MD5 | f761f48de9c1466392ee401463d748af |
| SHA1 | 1bac5b0638c62a0b583fbba6123b6b49ef9bd346 |
| SHA256 | 111f7b1fcdfda6f39efddef8a55df4e43b0e0b1a5e83467445d7e60e5c5b5188 |
| SHA512 | 21bb3612e42291cb13b5d0157c488e47a6e39ea2bc6bdf4d104544a2b1caec641c11caa458ecdae18670c22dc667cbaf40715b5a49e45a1cfd37aca74ba25a8a |
memory/2400-37-0x00000000004E0000-0x00000000004E2000-memory.dmp
memory/2400-35-0x0000000000410000-0x00000000004A9000-memory.dmp
memory/1688-39-0x0000000000CA0000-0x0000000000D21000-memory.dmp
memory/2400-40-0x0000000000410000-0x00000000004A9000-memory.dmp
memory/2400-45-0x00000000004E0000-0x00000000004E2000-memory.dmp
memory/2400-44-0x0000000000410000-0x00000000004A9000-memory.dmp
memory/2400-46-0x0000000000410000-0x00000000004A9000-memory.dmp
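Both detonations show the same chain: the sample runs from %TEMP%, drops and executes a second Temp-resident EXE, launches _uinsey.bat through cmd.exe, reads the Geo\Nation and NLS\Language keys, and then connects over TCP to port 11300 or 11170 at the KR/JP addresses in the Network tables. The script below turns that chain, plus the dropped-file hashes and C2 endpoints listed in this report, into host-side detection logic. It is an added example and not part of the sandbox report or its tooling; the event schema (Sysmon-like dicts), the parent/child links, the PIDs of the cmd.exe process, and the alerting thresholds are assumptions, and the sample events are constructed to mirror behavioral2.

```python
import re
from collections import defaultdict

# Destination IP:port pairs copied from the report's Network tables.
C2_ENDPOINTS = {
    ("218.54.31.226", 11300),
    ("1.234.83.146", 11170),
    ("218.54.31.166", 11300),
    ("133.242.129.155", 11300),
}
C2_PORTS = {11300, 11170}

# SHA256 values of the dropped files listed under Files in both detonations.
DROPPED_SHA256 = {
    "49118f9536946bf95785ac001138ed4fb605f69e533c755ace4772d1e58351c0": "_uinsey.bat",
    "a2f167332f637d53e4e9b569f9a9e8ccb341fc8947080441fb4a5e3c9d2ca965": "cisus.exe",
    "35bf12372f5662a8731f0acab6ee2ded815c5026284022920a31247ebf1acf0e": "aclol.exe",
    "48aae625489072bd694cccaf91ff87efac4f06d3a91f249310396c9474e81cea": "oprio.exe",
    "111f7b1fcdfda6f39efddef8a55df4e43b0e0b1a5e83467445d7e60e5c5b5188": "zetov.exe",
}

# Behavioural patterns generalised from the process list and registry signatures.
TEMP_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
TEMP_BAT_VIA_CMD = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"*[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.bat"*', re.I)
GEO_NATION_KEY = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
NLS_LANGUAGE_KEY = re.compile(r"\\system\\controlset\d+\\control\\nls\\language$", re.I)


def classify_event(ev):
    """Return the set of behaviour tags one event matches (assumed event schema)."""
    tags = set()
    kind = ev.get("type")
    if kind == "process":
        if TEMP_EXE.match(ev.get("image", "")) and TEMP_EXE.match(ev.get("parent_image", "")):
            tags.add("temp_exe_spawns_temp_exe")
        if TEMP_BAT_VIA_CMD.search(ev.get("cmdline", "")):
            tags.add("cmd_runs_temp_bat")
        if ev.get("sha256", "").lower() in DROPPED_SHA256:
            tags.add("known_dropped_hash")
    elif kind == "registry":
        key = ev.get("key", "")
        if GEO_NATION_KEY.search(key):
            tags.add("geo_nation_query")
        if NLS_LANGUAGE_KEY.search(key):
            tags.add("nls_language_query")
    elif kind == "network":
        if (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
            tags.add("known_c2_endpoint")
        elif ev.get("dst_port") in C2_PORTS:
            tags.add("c2_port_only")
    return tags


def correlate(events):
    """Aggregate tags per PID and decide whether the host shows this sample's chain.

    A hard indicator (known hash or known C2 endpoint) alerts on its own. Otherwise
    the two-stage Temp execution plus the batch launch must co-occur with either an
    unknown host on a C2 port or the Geo\\Nation lookup (assumed threshold).
    """
    per_pid = defaultdict(set)
    for ev in events:
        per_pid[ev["pid"]] |= classify_event(ev)
    tags = set().union(*per_pid.values()) if per_pid else set()
    strong = bool({"known_c2_endpoint", "known_dropped_hash"} & tags)
    chain = ({"temp_exe_spawns_temp_exe", "cmd_runs_temp_bat"} <= tags
             and bool({"c2_port_only", "geo_nation_query"} & tags))
    return {"pids": dict(per_pid), "tags": tags, "alert": strong or chain}


# Constructed events modelled on behavioral2; PIDs 4960/1688 come from the memory
# dump names, PID 5120 for cmd.exe and the parent links are assumptions.
ORIG = r"C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4960, "image": ORIG, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{ORIG}"'},
    {"type": "registry", "pid": 4960,
     "key": r"\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 1688, "image": r"C:\Users\Admin\AppData\Local\Temp\oprio.exe",
     "parent_image": ORIG, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\oprio.exe"',
     "sha256": "48aae625489072bd694cccaf91ff87efac4f06d3a91f249310396c9474e81cea"},
    {"type": "process", "pid": 5120, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": ORIG,
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"type": "registry", "pid": 1688,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "network", "pid": 1688, "dst_ip": "218.54.31.226", "dst_port": 11300},
]

if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS)
    for pid, t in sorted(result["pids"].items()):
        print(pid, sorted(t))
    print("alert:", result["alert"])
```

The exact-match sets (hashes, IP:port pairs) catch this specific build; the regex tags catch the behaviour when the dropper names or C2 addresses rotate, at the cost of needing the co-occurrence check, since a single Geo\Nation read or a cmd /c of a Temp batch file is common in benign installers.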