Analysis Overview
SHA256
26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfc
Threat Level: Known bad
The file 26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Deletes itself
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 12:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 12:38
Reported
2024-10-10 12:40
Platform
win7-20240903-en
Max time kernel
120s
Max time network
76s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ifmoe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vutew.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ifmoe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vutew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ifmoe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe
"C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe"
C:\Users\Admin\AppData\Local\Temp\ifmoe.exe
"C:\Users\Admin\AppData\Local\Temp\ifmoe.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\vutew.exe
"C:\Users\Admin\AppData\Local\Temp\vutew.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2972-0-0x0000000001350000-0x00000000013D1000-memory.dmp
memory/2972-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2972-21-0x0000000001350000-0x00000000013D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\ifmoe.exe
| MD5 | 563c84b1b80083180a0b47e2b518b5ca |
| SHA1 | 9921bdab1f6d40c76db8d3138e3b21b5ba399191 |
| SHA256 | 36a177dac7e57b1edbec5beceb112a88ed79e7de101a0caf50b7bbb0decd8644 |
| SHA512 | 3c331d1d8ef6aa1300fc1427e8cdf5a4a391de55773a62e30c70476e896b26ab92bf619fc6770e0023c285ed29b663ea9f1881ab6521bb0212459c8717d2ef2e |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1bcf6e84593a2737b72f9e5f92ad7641 |
| SHA1 | 94ae68f6245af06df5a0bc05f99ec90e7303cda6 |
| SHA256 | 887ef62fe79f18188c91b50d989cecb9921e7880559238376bb4e470099c313c |
| SHA512 | 30da01bb8cb955e9e501f00b4e4a4c4a7215ec457b2ebc8a64af4c46bb444bbb514d7c89e8a878c1ff413451aef2bf55e21e88f9426125c97ef93a0889e91649 |
memory/2368-20-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2368-19-0x0000000000970000-0x00000000009F1000-memory.dmp
memory/2972-18-0x00000000008D0000-0x0000000000951000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a9fa6a9f7b6e5fc13fcd267e3ba42ae5 |
| SHA1 | 50ceed537e994000dcdaf6f8b512a7321e6bb473 |
| SHA256 | dce9034aa0df236446d64d770785ccd4a3820ddcbfca67096971f5493690de11 |
| SHA512 | 87532155eb3820384853aaa3a6f6b4f66e98804852e6795331b9e9a5bd3512d565585ac18b671b3c89910e2a0bcc4d975395d1e6f2d8bdca958a6f7bd4308097 |
memory/2368-25-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2368-24-0x0000000000970000-0x00000000009F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\vutew.exe
| MD5 | 73be032d24c805e422f4a611cf8b1c88 |
| SHA1 | 853ff9d9fa257e2e057d7cb54b54ee249fb20398 |
| SHA256 | c94df3f4cc0ef2def192635560d74c55f340fed4140bd9216a08de540c8a88c0 |
| SHA512 | 5a9bf2d14e8baf3d042059ae5bbb3f506e1f5d0093f40c47acb254f36504669112b6de0bb13bf07976e4c51ee2287a9f8f973854a56d4db4bbd9edf149481c54 |
memory/2368-38-0x00000000035B0000-0x0000000003649000-memory.dmp
memory/2368-42-0x0000000000970000-0x00000000009F1000-memory.dmp
memory/1388-43-0x00000000012D0000-0x0000000001369000-memory.dmp
memory/1388-44-0x00000000012D0000-0x0000000001369000-memory.dmp
memory/1388-48-0x00000000012D0000-0x0000000001369000-memory.dmp
memory/1388-49-0x00000000012D0000-0x0000000001369000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 12:38
Reported
2024-10-10 12:40
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\issed.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\issed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\komes.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\komes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\issed.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe
"C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe"
C:\Users\Admin\AppData\Local\Temp\issed.exe
"C:\Users\Admin\AppData\Local\Temp\issed.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\komes.exe
"C:\Users\Admin\AppData\Local\Temp\komes.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/3104-0-0x00000000006A0000-0x0000000000721000-memory.dmp
memory/3104-1-0x0000000000530000-0x0000000000531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\issed.exe
| MD5 | aa6306b1979f634e0c59a0e17bed9033 |
| SHA1 | 7234f71cea143dc13bcbac80649b3060592bdcac |
| SHA256 | 4132900e5c2ecbf6305c66560ed1b3604a350aef850302c554b8af15bd5edc86 |
| SHA512 | 516f1594ae66882424617d0792bcd500f17ff5a220526227a8e879bc61401cddff230fe423d1e7f0dcaa153185f073ae429ef52a23d21ce87556d54616c51474 |
memory/4516-11-0x0000000000890000-0x0000000000911000-memory.dmp
memory/4516-14-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/3104-17-0x00000000006A0000-0x0000000000721000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1bcf6e84593a2737b72f9e5f92ad7641 |
| SHA1 | 94ae68f6245af06df5a0bc05f99ec90e7303cda6 |
| SHA256 | 887ef62fe79f18188c91b50d989cecb9921e7880559238376bb4e470099c313c |
| SHA512 | 30da01bb8cb955e9e501f00b4e4a4c4a7215ec457b2ebc8a64af4c46bb444bbb514d7c89e8a878c1ff413451aef2bf55e21e88f9426125c97ef93a0889e91649 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 67d3fe8c6f72dee82a96c3d20777d659 |
| SHA1 | ec6826a44d7feb906657cf63f1eadbd3f8d013ca |
| SHA256 | fb21c7bf362426ed022eed75190bbf630d5bbf066f44893ce5751d01b4e8a758 |
| SHA512 | 1f73f4c22ff6103f43e986376c36b8b42d37633c942403239b86346bda50c70b98af827a035e6d9175fa4d75cc916d86aa4a9a868dacdc4bedf6723b60995c4a |
memory/4516-20-0x0000000000890000-0x0000000000911000-memory.dmp
memory/4516-21-0x00000000001D0000-0x00000000001D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\komes.exe
| MD5 | 52d1c91796060f0ed7c8f15d873f2a63 |
| SHA1 | 94e5484f69ae6245fb9e0991564968159b1f7c3f |
| SHA256 | 8ffc51bccdf2817dfd24cc1b6060c939156df36834da3dee9251d7fc6f78e55e |
| SHA512 | 7a3135e7f603d8a8e65780a65ef3133f405127bc36f801fed0cb82d7f9b91c075f65392e19f0f9cc35dd7e10a76c78d684a66e3d83521fd5714726e04fc3bbb9 |
memory/1212-39-0x00000000006C0000-0x00000000006C2000-memory.dmp
memory/4516-44-0x0000000000890000-0x0000000000911000-memory.dmp
memory/1212-40-0x00000000007B0000-0x0000000000849000-memory.dmp
memory/1212-38-0x00000000007B0000-0x0000000000849000-memory.dmp
memory/1212-47-0x00000000006C0000-0x00000000006C2000-memory.dmp
memory/1212-46-0x00000000007B0000-0x0000000000849000-memory.dmp
memory/1212-48-0x00000000007B0000-0x0000000000849000-memory.dmp