Analysis Overview
SHA256
5e5d62964856f96d33a59d80c3a67832cc8b255bbfb975c2704a6c1594200675
Threat Level: Known bad
The file 5e5d62964856f96d33a59d80c3a67832cc8b255bbfb975c2704a6c1594200675N was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 11:21
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 11:21
Reported
2024-10-10 11:23
Platform
win7-20240903-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lobum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jovur.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e5d62964856f96d33a59d80c3a67832cc8b255bbfb975c2704a6c1594200675N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e5d62964856f96d33a59d80c3a67832cc8b255bbfb975c2704a6c1594200675N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lobum.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e5d62964856f96d33a59d80c3a67832cc8b255bbfb975c2704a6c1594200675N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lobum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jovur.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e5d62964856f96d33a59d80c3a67832cc8b255bbfb975c2704a6c1594200675N.exe
"C:\Users\Admin\AppData\Local\Temp\5e5d62964856f96d33a59d80c3a67832cc8b255bbfb975c2704a6c1594200675N.exe"
C:\Users\Admin\AppData\Local\Temp\lobum.exe
"C:\Users\Admin\AppData\Local\Temp\lobum.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\jovur.exe
"C:\Users\Admin\AppData\Local\Temp\jovur.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1680-0-0x0000000000400000-0x0000000000495000-memory.dmp
\Users\Admin\AppData\Local\Temp\lobum.exe
| MD5 | 28ac257834bcd363162a0e7fac188c0e |
| SHA1 | b333b5c7946a095052e3719fc28ced71556f1431 |
| SHA256 | 74b01955996d418e9ab7f349cd8ff99799923f5dc60fd8d2f8d714c35bbeec99 |
| SHA512 | 0b5f438b73c7a68d39663e8fc1a1da130ea07ded3544a6d3ebdfb37141a69208abec7f6c9f11d56e84743c6484e56ec8e1fca59f1c4bf4561eb7f07a62cdf1a5 |
memory/1680-21-0x0000000000400000-0x0000000000495000-memory.dmp
memory/1680-19-0x0000000001F40000-0x0000000001FD5000-memory.dmp
memory/1680-17-0x0000000001F40000-0x0000000001FD5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1af1d934239a03e2bbea2aa5de68d4ec |
| SHA1 | 869d38b8b25bbd4848edd3790aa54c33643f98b8 |
| SHA256 | 7226f288cbca617c427e768467eccaa03b0cb0ebe1f0d0bbfd01a8344d056470 |
| SHA512 | 2ae4a5d079ad498c75ea68e7a29a02529d5eda9d96f840e7d22134383d238a7f0997cbd79739bad7e4330ebf6053d869129dfba4f9972567d94713338370f7d0 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | d8537fdcbd80a2ea624329e8f5434fe7 |
| SHA1 | 095dad5be49d3a74b4c9e18d7275b9e8f38a7ec8 |
| SHA256 | b645cc41b627c710bd72309aaec4c424fc80ec17899a6bc13bf35ccfb08be333 |
| SHA512 | cb666e88984a12609e3df5fa469abe1777247fbc5b31eefa934ae208b6502e444fb8443004fb752fac37880744af02391d354653aa20b8424e96a306f7e44bf2 |
memory/2524-24-0x0000000000400000-0x0000000000495000-memory.dmp
\Users\Admin\AppData\Local\Temp\jovur.exe
| MD5 | edc90196e9eaf2d70a5c1b7072375ae8 |
| SHA1 | dc5d3de193e17db083315ca4f6c0b4b4cc4f0b34 |
| SHA256 | 13a4b799203080672c06ed5239f804bfa331610d5136acf47e3cd006d535a656 |
| SHA512 | 0f873de08e7d0b10c5b89cf19dd6a3b3caf5f4cc5d4cc85d61da983e578fe4bf80e96498f10e308279e77d99b4ccc66a4320c59a98a8607dd2c70a485e248b8b |
memory/2524-30-0x0000000003A70000-0x0000000003B21000-memory.dmp
memory/2524-32-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2152-33-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2152-34-0x00000000001B0000-0x0000000000261000-memory.dmp
memory/2152-36-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2152-37-0x00000000001B0000-0x0000000000261000-memory.dmp
memory/2152-38-0x00000000001B0000-0x0000000000261000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 11:21
Reported
2024-10-10 11:23
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5e5d62964856f96d33a59d80c3a67832cc8b255bbfb975c2704a6c1594200675N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bedyy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bedyy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roiqp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\roiqp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e5d62964856f96d33a59d80c3a67832cc8b255bbfb975c2704a6c1594200675N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bedyy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e5d62964856f96d33a59d80c3a67832cc8b255bbfb975c2704a6c1594200675N.exe
"C:\Users\Admin\AppData\Local\Temp\5e5d62964856f96d33a59d80c3a67832cc8b255bbfb975c2704a6c1594200675N.exe"
C:\Users\Admin\AppData\Local\Temp\bedyy.exe
"C:\Users\Admin\AppData\Local\Temp\bedyy.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\roiqp.exe
"C:\Users\Admin\AppData\Local\Temp\roiqp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
Files
memory/4656-0-0x0000000000400000-0x0000000000495000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bedyy.exe
| MD5 | 2885cef7ac4bf0724ec4be30328ebbbe |
| SHA1 | d43dce4cf1dfd73630f3bc4ed30a501cf68bd34c |
| SHA256 | 64d02fe70facc9894ef5e2c9b069ba845ad927e7153763e09ef8a665880b6920 |
| SHA512 | a191a117fe2ea98d7ff23ff042fe6310b51b1e9f4f7bbf5d79b931f0c097e16df353e702884acf4f4a940196257b2885fd884df301a7f3426255dcb0fefc859e |
memory/4656-13-0x0000000000400000-0x0000000000495000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1af1d934239a03e2bbea2aa5de68d4ec |
| SHA1 | 869d38b8b25bbd4848edd3790aa54c33643f98b8 |
| SHA256 | 7226f288cbca617c427e768467eccaa03b0cb0ebe1f0d0bbfd01a8344d056470 |
| SHA512 | 2ae4a5d079ad498c75ea68e7a29a02529d5eda9d96f840e7d22134383d238a7f0997cbd79739bad7e4330ebf6053d869129dfba4f9972567d94713338370f7d0 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a6f3d48d2069d3dcef13732d36d91d7b |
| SHA1 | 67f59f4ee7b41f12d4c13f2ab4e73da3ca91f8ba |
| SHA256 | 8102b9d7cd5d23f2a81255baf4715dcb8fe8de5826da9758911af946a141c657 |
| SHA512 | 39f2c0548c0ddf73ef0fdce3fdc7ff0701082d34a55e9789355dbf839e16f3140ac43b98795cc82a60ecb4e286c64ca64887ed7bc79141aeaf8cd2f129c8a4dd |
memory/2856-16-0x0000000000400000-0x0000000000495000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\roiqp.exe
| MD5 | 461b5e1be8a1f265791cf668ec027b4b |
| SHA1 | 77979478064068f7b8c2743340bc7b5e407414a3 |
| SHA256 | 6b065a17b8dd1180bc49a078f7cdb0bc7dbbf81096678518e1ed03d49e60a4ae |
| SHA512 | bc3cbb5cdf1be0c66690696b4b73713e35b5f170776833acecae602e2c3b126e6532b4e3c5d62d94e0b888d9d930ff621dedc4db62368a9d7b70c9faac7e5527 |
memory/2856-27-0x0000000000400000-0x0000000000495000-memory.dmp
memory/944-26-0x0000000000430000-0x0000000000431000-memory.dmp
memory/944-25-0x0000000000470000-0x0000000000521000-memory.dmp
memory/944-30-0x0000000000430000-0x0000000000431000-memory.dmp
memory/944-29-0x0000000000470000-0x0000000000521000-memory.dmp
memory/944-31-0x0000000000470000-0x0000000000521000-memory.dmp