Analysis Overview
SHA256
62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521
Threat Level: Known bad
The file 62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Executes dropped EXE
Deletes itself
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 07:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 07:22
Reported
2024-10-10 07:24
Platform
win7-20240903-en
Max time kernel
119s
Max time network
88s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bonuy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miwut.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bonuy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bonuy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\miwut.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe
"C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe"
C:\Users\Admin\AppData\Local\Temp\bonuy.exe
"C:\Users\Admin\AppData\Local\Temp\bonuy.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\miwut.exe
"C:\Users\Admin\AppData\Local\Temp\miwut.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\bonuy.exe
| MD5 | 51f7fa40a3b59f7534ae668631215ed8 |
| SHA1 | 9a9b62f338b477b31fc09a93da54ade6d5242aa4 |
| SHA256 | 76b706db2d1339f28bff5841ca910892811c80a8c42be1596bb6b2edd0ef816d |
| SHA512 | 55f4b36ee7487d6e64b5c8a7a754a140d6807397fba0417961be0ab82190d310bb6043bccbbc0001799b70efbdad19494621814883691c411feadc5cb1919c00 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 4da4703fa0ae5befc3ce05de510d119c |
| SHA1 | bf5ea595f26547eee2cd4892fbf6c6da43b73fe7 |
| SHA256 | 49725e6b05099257f7d738ce8da35872f19b90174225ba31d9ee8f88c5ce4bd3 |
| SHA512 | 49aca986c45ecd07e544ec670864617030878d4fde2db9bae91cd39b478f6b0a5fc6ccc83cfe6cce19307e19aa453a48fe192c1014cb76dd8f8d8246ce658f2e |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | bb985bdbb233d0faf474cce656d16beb |
| SHA1 | 5a11a16579427ea60781e4ef3f9f35298ddad559 |
| SHA256 | 035574c684f930c790214ed5b706198c60d160b9454fd22cf1a85178becfe2bd |
| SHA512 | 3bcfd980bbfb7054ffb2cd1857f99c12e04b4ae0f217da1bbac89a9286e4a78821e924c3bbf133dbd900abc538984d3a8f5dce512fa68168ecf225094de5088a |
C:\Users\Admin\AppData\Local\Temp\miwut.exe
| MD5 | af4b092306f3422e580e6d64471d2f9e |
| SHA1 | a0029f814cf2b32ec0e1c623499eec5175cb1cf2 |
| SHA256 | 301354b85d85bba3ec0abfc707e6f4d4ef86dea0ea063c9f2ea1a68ae1507461 |
| SHA512 | 3a77a4ff74dbb9a240280406e078235edf12bd1ea2a0d0dbf7381ffe6bb92faf0adaa4d656b08a1ce2576161be9ce399b45175b6fdf151f040f5150ffa3ac8ea |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 07:22
Reported
2024-10-10 07:24
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\coato.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coato.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\izxex.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\izxex.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\coato.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe
"C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe"
C:\Users\Admin\AppData\Local\Temp\coato.exe
"C:\Users\Admin\AppData\Local\Temp\coato.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\izxex.exe
"C:\Users\Admin\AppData\Local\Temp\izxex.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\coato.exe
| MD5 | 2ed9b7bc5a86b6be1e6dc4cb723889b4 |
| SHA1 | 850b8494c2ed9be24c3f8199307e9f7cdccca171 |
| SHA256 | e5fee99e786c2679e2df48d37531815b10d1a5b67a219a3afeabea40404ceeac |
| SHA512 | 3c00a1acdbca30e4fbad0b3a4e002576adabd5a71cd1e8fb27fde4c7ad32f99b74b7eb8b21101b7c5845db29df2a6363af40fb0a5559bb7b5deb75f3d0981167 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 4da4703fa0ae5befc3ce05de510d119c |
| SHA1 | bf5ea595f26547eee2cd4892fbf6c6da43b73fe7 |
| SHA256 | 49725e6b05099257f7d738ce8da35872f19b90174225ba31d9ee8f88c5ce4bd3 |
| SHA512 | 49aca986c45ecd07e544ec670864617030878d4fde2db9bae91cd39b478f6b0a5fc6ccc83cfe6cce19307e19aa453a48fe192c1014cb76dd8f8d8246ce658f2e |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0cbfba849768a9baa5b9e20ef95d06b1 |
| SHA1 | afd8e287b84a1d8e3e466b8988c142dcad6ab355 |
| SHA256 | b802d31b4ca77a20e90d46945eb470cac758c73e47eec2e48aae5259198a1ee3 |
| SHA512 | 70a4f4dee3f69045f9a932b319e3e84a199c034b6c2594de5f8e84f12677f4ddbe909bee6d1525792f665ac87fa334d7e8b65eccd78178ae2ffc0b60d37bb239 |
C:\Users\Admin\AppData\Local\Temp\izxex.exe
| MD5 | 7413bf2452c2d984c15f3c8449a50248 |
| SHA1 | 77f7cc935b5824511009995dc42d9e8f834ef97d |
| SHA256 | bf1637f68d227f28fd5a98d5bcc6ec39aba84e99c0cd3df8b740b129e5c9917c |
| SHA512 | 425ed713c8b075f55515848b7025288f396e21945966e5d5b34d1ab27bebad3324adf3764dfc8147ba286fd85a17d0682713c1b27c043956cf6efadb9300b6c8 |