Analysis Overview
SHA256
26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfc
Threat Level: Known bad
The file 26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 12:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 12:40
Reported
2024-10-10 12:43
Platform
win7-20240903-en
Max time kernel
149s
Max time network
123s
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\puput.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ukkod.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\puput.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\puput.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ukkod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe
"C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe"
C:\Users\Admin\AppData\Local\Temp\puput.exe
"C:\Users\Admin\AppData\Local\Temp\puput.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ukkod.exe
"C:\Users\Admin\AppData\Local\Temp\ukkod.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2792-0-0x0000000000B50000-0x0000000000BD1000-memory.dmp
memory/2792-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2260-19-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1bcf6e84593a2737b72f9e5f92ad7641 |
| SHA1 | 94ae68f6245af06df5a0bc05f99ec90e7303cda6 |
| SHA256 | 887ef62fe79f18188c91b50d989cecb9921e7880559238376bb4e470099c313c |
| SHA512 | 30da01bb8cb955e9e501f00b4e4a4c4a7215ec457b2ebc8a64af4c46bb444bbb514d7c89e8a878c1ff413451aef2bf55e21e88f9426125c97ef93a0889e91649 |
memory/2792-21-0x0000000000B50000-0x0000000000BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\puput.exe
| MD5 | 17b47673e62c3b5bfa05b936f7c551b3 |
| SHA1 | 98bee63a4ca1c01729772a4859475e2a432039e8 |
| SHA256 | 1362a7613206ec7a250e01684ad570cbdc80644301b697624fe877ee94d686d0 |
| SHA512 | 1beb955a6601d882767b1821895f4a5ae3fd948e26c105f3351c3f0f1cb5c171d3902ca53c0466cf6fe3243a8e2c6cde908b43a1151bdb73dc1f28a660014719 |
memory/2260-18-0x0000000000B40000-0x0000000000BC1000-memory.dmp
memory/2792-17-0x0000000002510000-0x0000000002591000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 15bdf146bfa8d69a4c3e313e3c19178a |
| SHA1 | a2eea39c8a765d8379e6441dc27b89e976bf776d |
| SHA256 | 961198d6a3b18b70e15fac6abec716df94ae249d516c17b6070f4da29044d8cc |
| SHA512 | f39877e29be668bf93c72b64a053d8f793a660169cfe60a880ea1e9d9299e54d0f67ef8ff1a6a63379efb45b0957bb63f0c3bc9407f4896b9548d1eb9117a4b6 |
memory/2260-24-0x0000000000B40000-0x0000000000BC1000-memory.dmp
\Users\Admin\AppData\Local\Temp\ukkod.exe
| MD5 | 6b4b78122905b97d8120956ebc52d243 |
| SHA1 | bcbcdf9fc6a18a461e1997fd5d770edb1c4a8cd5 |
| SHA256 | b93e35c3df28ee0b5165d4b278ccd87768adf5d7d46d54e3b1a9e5d2b04c1e9f |
| SHA512 | 14b7f673d38244bb810694bb8b42ba4f2020684fe2b63e9b97b64a202e64e571f3abd6a43c3e9e2c725a0aea652f0f3cd88fe7f2bef0cc4a6d3128808a20ebd0 |
memory/2260-38-0x0000000003790000-0x0000000003829000-memory.dmp
memory/680-43-0x00000000000A0000-0x0000000000139000-memory.dmp
memory/680-42-0x00000000000A0000-0x0000000000139000-memory.dmp
memory/2260-41-0x0000000000B40000-0x0000000000BC1000-memory.dmp
memory/680-47-0x00000000000A0000-0x0000000000139000-memory.dmp
memory/680-48-0x00000000000A0000-0x0000000000139000-memory.dmp
memory/680-49-0x00000000000A0000-0x0000000000139000-memory.dmp
memory/680-50-0x00000000000A0000-0x0000000000139000-memory.dmp
memory/680-51-0x00000000000A0000-0x0000000000139000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 12:40
Reported
2024-10-10 12:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\uvnoq.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uvnoq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ecofg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uvnoq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ecofg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe
"C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe"
C:\Users\Admin\AppData\Local\Temp\uvnoq.exe
"C:\Users\Admin\AppData\Local\Temp\uvnoq.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ecofg.exe
"C:\Users\Admin\AppData\Local\Temp\ecofg.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
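Detection logic for the three behaviours common to both detonations (a Temp-resident dropper starting a second Temp-resident exe, cmd.exe running a .bat from Temp to remove the original, and outbound TCP to ports 11300 and 11170), written as an added example; it is not part of the sandbox report. The event records are constructed to mirror the behavioral1 process list and Network table; the field names (pid, ppid, image, cmdline, dst, proto), the parent/child links and the cmd.exe pid are assumptions, since the report lists processes without a tree.

```python
"""Detect the Urelas behaviours recorded in the detonations above.

Added example, not part of the sandbox report. Event schema, parent links and the
cmd.exe pid below are assumptions; the paths, ports and remaining pids come from
the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Destination ports contacted in both detonations (from the Network tables).
URELAS_C2_PORTS = {11300, 11170}
# Per-user Temp directory, where every dropped file in the report lands.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Quoted .bat path inside a cmd.exe command line, e.g. cmd /c ""C:\...\_uinsey.bat" "
BAT_RE = re.compile(r'"([^"]+\.bat)"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetworkEvent:
    pid: int
    dst: str    # "ip:port"
    proto: str  # "tcp" or "udp"


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))


def detect_dropped_exe_chain(procs: list[ProcessEvent]) -> list[tuple[str, str]]:
    """'Executes dropped EXE': a Temp-resident exe starts another Temp-resident exe."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if (parent is not None and in_temp(parent.image) and in_temp(p.image)
                and p.image.lower().endswith(".exe")):
            hits.append((parent.image, p.image))
    return hits


def detect_self_delete_bat(procs: list[ProcessEvent]) -> list[tuple[str, str]]:
    """'Deletes itself': cmd.exe runs a .bat from Temp on behalf of a Temp-resident exe.

    Requiring the parent to live in Temp keeps ordinary installer batch files out.
    The .bat is normally gone by the time an analyst looks, so retain the
    file-create event for it rather than relying on disk.
    """
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and in_temp(m.group(1)) and parent is not None and in_temp(parent.image):
            hits.append((parent.image, m.group(1)))
    return hits


def detect_c2_ports(net: list[NetworkEvent]) -> list[tuple[int, str]]:
    """Outbound TCP to the non-standard ports seen in both detonations."""
    hits = []
    for n in net:
        _, _, port = n.dst.rpartition(":")
        if n.proto == "tcp" and port.isdigit() and int(port) in URELAS_C2_PORTS:
            hits.append((n.pid, n.dst))
    return hits


def triage(procs: list[ProcessEvent], net: list[NetworkEvent]) -> dict:
    """'urelas-like' requires all three behaviours, as both detonations show."""
    chain = detect_dropped_exe_chain(procs)
    bat = detect_self_delete_bat(procs)
    c2 = detect_c2_ports(net)
    if chain and bat and c2:
        verdict = "urelas-like"
    elif chain or bat or c2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"dropped_exe": chain, "self_delete": bat, "c2": c2, "verdict": verdict}


# Constructed sample mirroring behavioral1. Pids 2792/2260/680 are taken from the
# memory dump names; the cmd.exe pid 2712, explorer/notepad and parent links are assumed.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe"


def tmp(name: str) -> str:
    return TEMP + "\\" + name


SAMPLE_PROCS = [
    ProcessEvent(1400, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(2792, 1400, tmp(SAMPLE), '"' + tmp(SAMPLE) + '"'),
    ProcessEvent(2260, 2792, tmp("puput.exe"), '"' + tmp("puput.exe") + '"'),
    ProcessEvent(2712, 2792, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + tmp("_uinsey.bat") + '" "'),
    ProcessEvent(680, 2260, tmp("ukkod.exe"), '"' + tmp("ukkod.exe") + '"'),
    ProcessEvent(3000, 1400, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]
SAMPLE_NET = [
    NetworkEvent(680, "218.54.31.226:11300", "tcp"),
    NetworkEvent(680, "1.234.83.146:11170", "tcp"),
    NetworkEvent(680, "218.54.31.166:11300", "tcp"),
    NetworkEvent(680, "133.242.129.155:11300", "tcp"),
    NetworkEvent(3000, "8.8.8.8:53", "udp"),  # benign DNS, must not match
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCS, SAMPLE_NET).items():
        print(key, value)
```

The same functions cover the behavioral2 run: the Windows 10 command line `C:\Windows\system32\cmd.exe /c ""C:\...\_uinsey.bat" "` still yields the quoted .bat path, and the four TCP destinations are identical, so only the randomised dropper names (uvnoq.exe, ecofg.exe) differ.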
Files
memory/4480-0-0x0000000000220000-0x00000000002A1000-memory.dmp
memory/4480-1-0x0000000000750000-0x0000000000751000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uvnoq.exe
| MD5 | 482059179adc5c8e0fe3c7e337f33bda |
| SHA1 | efd80c2626a3499b063ab68eafe55d1816ba890a |
| SHA256 | a72db3b9e28453dfd9524e80c4763b29d04e84cc27704caab5cc317c9ab17a9b |
| SHA512 | 11d133330fa43ee0c026494cb2d3bb7382fb4db6fb717ea0a5e87ac08026d7ff94eec6135ee7af93f80bffeb5f938bbd212fbffa337edb09de2999f0a42d6dea |
memory/1036-11-0x0000000000810000-0x0000000000891000-memory.dmp
memory/1036-14-0x0000000000380000-0x0000000000381000-memory.dmp
memory/4480-17-0x0000000000220000-0x00000000002A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1bcf6e84593a2737b72f9e5f92ad7641 |
| SHA1 | 94ae68f6245af06df5a0bc05f99ec90e7303cda6 |
| SHA256 | 887ef62fe79f18188c91b50d989cecb9921e7880559238376bb4e470099c313c |
| SHA512 | 30da01bb8cb955e9e501f00b4e4a4c4a7215ec457b2ebc8a64af4c46bb444bbb514d7c89e8a878c1ff413451aef2bf55e21e88f9426125c97ef93a0889e91649 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | cfbe2fa26882c48ca924d6f6712fa3fe |
| SHA1 | e5125cdf46669e2bff83b09410af7ae63d89db55 |
| SHA256 | 11efd0c6f1c19c2fcd8e1fe55c2d5687c0f4aa4fcccea5353049f3caaa899a1d |
| SHA512 | 499bed0f5222b085b40cf4e6fbfe59cd2b4f6a2c9567babec28f91efe65a5a07602bc5d5b9acb07aa0aee7208d942a3f6256a60ec549cb9b68464f0174bdac64 |
memory/1036-21-0x0000000000380000-0x0000000000381000-memory.dmp
memory/1036-20-0x0000000000810000-0x0000000000891000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ecofg.exe
| MD5 | acf36ac2c013bf925855ef5de75d78b7 |
| SHA1 | 905a4d545c8f67c97e8349fb4a89d7cdd37f0f74 |
| SHA256 | ae60886047436c5439ae6a6231b4a69f7f7f7e27bf430b5a1d1e47adf99288bc |
| SHA512 | 1e8b34ea71c60e99ccff8f826792531856807a3c076ee0a965f635366027112026434358a7ef147314c44fb045e1c6efebe46495a397fb08708e4e0c28e3089d |
memory/2964-39-0x00000000001E0000-0x00000000001E2000-memory.dmp
memory/2964-38-0x0000000000AB0000-0x0000000000B49000-memory.dmp
memory/1036-41-0x0000000000810000-0x0000000000891000-memory.dmp
memory/2964-42-0x0000000000AB0000-0x0000000000B49000-memory.dmp
memory/2964-46-0x00000000001E0000-0x00000000001E2000-memory.dmp
memory/2964-47-0x0000000000AB0000-0x0000000000B49000-memory.dmp
memory/2964-48-0x0000000000AB0000-0x0000000000B49000-memory.dmp
memory/2964-49-0x0000000000AB0000-0x0000000000B49000-memory.dmp
memory/2964-50-0x0000000000AB0000-0x0000000000B49000-memory.dmp
memory/2964-51-0x0000000000AB0000-0x0000000000B49000-memory.dmp