Analysis Overview
SHA256
2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312
Threat Level: Known bad
The file 2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 05:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 05:24
Reported
2024-10-10 05:27
Platform
win7-20240903-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lobum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jovur.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lobum.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jovur.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lobum.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe
"C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"
C:\Users\Admin\AppData\Local\Temp\lobum.exe
"C:\Users\Admin\AppData\Local\Temp\lobum.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\jovur.exe
"C:\Users\Admin\AppData\Local\Temp\jovur.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1680-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1680-0-0x0000000000EF0000-0x0000000000F71000-memory.dmp
memory/1680-21-0x0000000000EF0000-0x0000000000F71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | d8ca98f5566c72ce8f642652674bebd1 |
| SHA1 | 00cb696909ab1f6ccf44a36a4c524c633fcdf634 |
| SHA256 | 49118f9536946bf95785ac001138ed4fb605f69e533c755ace4772d1e58351c0 |
| SHA512 | 738acd3d1cb95190afebe41c605a1cfa025c6d8cd5a99ad742e55ba62f0699e78e2a1e4fe21992298fb47fbbd54392472427b1eacd56be69cb966c7c6e4473ed |
C:\Users\Admin\AppData\Local\Temp\lobum.exe
| MD5 | a544b095f653177a95055ef7f0a48700 |
| SHA1 | a2f45b4c48a66b0080afefd331a19a443ba90eb3 |
| SHA256 | 9b5b4173e4cea57345da2590dbbce7e8e3e9caad069ecbc6fd620eec2cc67f5b |
| SHA512 | 34916ac13e7c2765643774b16ba80184429660d8191d3480e66f9ddaf5923545c388c8f7119af657fc0f7473475fa474e389ff55d7e6f817e236d272572b4df1 |
memory/1672-20-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1672-19-0x0000000000FE0000-0x0000000001061000-memory.dmp
memory/1680-17-0x0000000002650000-0x00000000026D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | dbff0e191a4ea6c63b88a60b9806e4d3 |
| SHA1 | be362fe1a0ccb781f91b7da7244cee545a7896f7 |
| SHA256 | d06b8d7fceb8606bacc16bb593715092f28757120498141d8d8abefd3ad556a6 |
| SHA512 | 7072e9b997fb8cd148c0b9240deb847ed7448360c221fe2a22448483354e6404742759e4aad2bbb02efb121741ad65a45b6c7a430b98de22b3c697fe32123529 |
memory/1672-25-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1672-24-0x0000000000FE0000-0x0000000001061000-memory.dmp
memory/1672-39-0x0000000003410000-0x00000000034A9000-memory.dmp
memory/1672-42-0x0000000000FE0000-0x0000000001061000-memory.dmp
memory/1364-43-0x0000000000A20000-0x0000000000AB9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jovur.exe
| MD5 | 826e7d644a7ac280067657d68ab30a02 |
| SHA1 | 7a8fc2e521615d8750ea4db014f9636be145f20d |
| SHA256 | 038a9cbdcf34040181d6afd5ce429be0a1470caa03a39f561aace67d13d2c292 |
| SHA512 | 0bc7840a5007a24e84eb8361b8d6a7d810faff238808260c50433156197a8eef7c3dbf0a5ff9f66b8f851d4de9deb1d32436574254bc3c0c019e556e0f752a41 |
memory/1364-44-0x0000000000A20000-0x0000000000AB9000-memory.dmp
memory/1364-48-0x0000000000A20000-0x0000000000AB9000-memory.dmp
memory/1364-49-0x0000000000A20000-0x0000000000AB9000-memory.dmp
memory/1364-50-0x0000000000A20000-0x0000000000AB9000-memory.dmp
memory/1364-51-0x0000000000A20000-0x0000000000AB9000-memory.dmp
memory/1364-52-0x0000000000A20000-0x0000000000AB9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 05:24
Reported
2024-10-10 05:27
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xouhy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xouhy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\umviz.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xouhy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\umviz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe
"C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"
C:\Users\Admin\AppData\Local\Temp\xouhy.exe
"C:\Users\Admin\AppData\Local\Temp\xouhy.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\umviz.exe
"C:\Users\Admin\AppData\Local\Temp\umviz.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/448-0-0x0000000000AF0000-0x0000000000B71000-memory.dmp
memory/448-1-0x0000000000780000-0x0000000000781000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xouhy.exe
| MD5 | eac73a1010a6f97a9a8113d4b0efee8a |
| SHA1 | bdfcf4b7c53afcee6bbe794a9f523836c6654208 |
| SHA256 | 42f0970ad502f385917a9afe0bec32673517efeba5e73b7caea018b420c27203 |
| SHA512 | 06fb3e7efe41b35c001145285527d0c81049cf2bd11a66090dac90e4efcc3cf920cfea98a12bd0f314423387606933b8d39a2019c3f683ad5da7d5ad03e8a3dd |
memory/5016-11-0x0000000000BD0000-0x0000000000C51000-memory.dmp
memory/5016-14-0x0000000000F80000-0x0000000000F81000-memory.dmp
memory/448-17-0x0000000000AF0000-0x0000000000B71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | d8ca98f5566c72ce8f642652674bebd1 |
| SHA1 | 00cb696909ab1f6ccf44a36a4c524c633fcdf634 |
| SHA256 | 49118f9536946bf95785ac001138ed4fb605f69e533c755ace4772d1e58351c0 |
| SHA512 | 738acd3d1cb95190afebe41c605a1cfa025c6d8cd5a99ad742e55ba62f0699e78e2a1e4fe21992298fb47fbbd54392472427b1eacd56be69cb966c7c6e4473ed |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a4dddd60e540478b876ea01812c33655 |
| SHA1 | 207c97072aa1a2c5c279da9a1fb424611e5a07c8 |
| SHA256 | 77b634fa326109d9246a77f4ec72f7f26d4e2c95400083583382d92e5e1892a3 |
| SHA512 | 464fe304f1ad708161a18b5a5f352b74e1f1efa2c0a2f6e63a06d4832ae12e907ad8e225a20725b7a935a9510524b03d00aed0bf2d7d87afba2523040751efe0 |
memory/5016-20-0x0000000000BD0000-0x0000000000C51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\umviz.exe
| MD5 | 35ffdd06c720ca086866dcc5e66ab99c |
| SHA1 | 7a90c2ff7969243886003839d8a20a6c19b57d9f |
| SHA256 | 830ef262c39925dfa12bce92e531321aae2103807b751f0739b555f99ed454c4 |
| SHA512 | d2053f00c5c3ac673fe24de0cdb631bb947afe821c87cecb59a925736313aa24032adde6b65ad48d5a5d48952245f896ec5144b3fbefec700c13b3106cf774a7 |
memory/1580-37-0x0000000000DA0000-0x0000000000E39000-memory.dmp
memory/1580-38-0x0000000000190000-0x0000000000192000-memory.dmp
memory/1580-41-0x0000000000DA0000-0x0000000000E39000-memory.dmp
memory/5016-40-0x0000000000BD0000-0x0000000000C51000-memory.dmp
memory/1580-45-0x0000000000190000-0x0000000000192000-memory.dmp
memory/1580-46-0x0000000000DA0000-0x0000000000E39000-memory.dmp
memory/1580-47-0x0000000000DA0000-0x0000000000E39000-memory.dmp
memory/1580-48-0x0000000000DA0000-0x0000000000E39000-memory.dmp
memory/1580-49-0x0000000000DA0000-0x0000000000E39000-memory.dmp
memory/1580-50-0x0000000000DA0000-0x0000000000E39000-memory.dmp