Analysis Overview
SHA256
69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8
Threat Level: Known bad
The file 69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 15:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 15:52
Reported
2024-10-10 15:54
Platform
win7-20240708-en
Max time kernel
120s
Max time network
90s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\obwow.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roliv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\obwow.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\obwow.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\roliv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe
"C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe"
C:\Users\Admin\AppData\Local\Temp\obwow.exe
"C:\Users\Admin\AppData\Local\Temp\obwow.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\roliv.exe
"C:\Users\Admin\AppData\Local\Temp\roliv.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2444-0-0x0000000000E00000-0x0000000000E81000-memory.dmp
memory/2444-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\obwow.exe
| MD5 | ec826b981718fdb40e0dde5ed5367920 |
| SHA1 | 3a3daeab52f17e766b6445df6cfb45d236bcf59c |
| SHA256 | 4049e13411fa19c8710f558b6a5af10c7210de4b5780dfa9700b4612a61b70a7 |
| SHA512 | dbf799c56445d9dcf3f32677daf154f1332db6259c9efd44bf661f172fe95555509a942063f2fee056ca515e031986eeee8aaf452bc964036b579ff5ae5c6bba |
memory/1280-18-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1280-17-0x0000000000FB0000-0x0000000001031000-memory.dmp
memory/2444-16-0x00000000027E0000-0x0000000002861000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | e7c3e993ea2579770a925e583ba3ff27 |
| SHA1 | 6f32cf053a7d9434f99890f4e49aaa932657c905 |
| SHA256 | 1750992886861a13c2424cc030b86bf895a348c13c38d56ab6d2dabe8727ae27 |
| SHA512 | 7d486364662bf4e3598ddc1185697e06c829d662e73ce7f95e5f174dd431392f9a46abf5798ae84fb4b3443da2620173a9f80f91bbe72e4ae66e50cf74abc3d0 |
memory/2444-21-0x0000000000E00000-0x0000000000E81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0ee77bab570b4002cd9f489bed856fed |
| SHA1 | 339d4ea53e403ce0ec33223d6e6c39cd352787d4 |
| SHA256 | 5e4044565be00040932238688cd74bd748b479cb3a7f94cb794940f0e25cee91 |
| SHA512 | e33a18085b70e209ace58f2be74eee4296052aaea2c01e96713aee80fcaeda30c718b57da94abba69c7056caffb9ecbc282bb6c7486e7d5a312fc97e6c2b60ca |
memory/1280-24-0x0000000000FB0000-0x0000000001031000-memory.dmp
memory/1280-25-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\roliv.exe
| MD5 | 677d07849bf6d45fb61e7a4e276a4add |
| SHA1 | 37f0d329c92488cd0703f64c1c35938793bbb321 |
| SHA256 | b20131f41bdbf68d11a60939c4fd104df18bc2d2c7add3342a035c744f161210 |
| SHA512 | ef380dabe4f39c834258a4ca0b1d6c8622e895fb2f880842837e6549913bc28cb3b621fe9b97ea71695f25a2ecf9efdf35b689db8dfee61175bf57541adcdb33 |
memory/1280-38-0x0000000003480000-0x0000000003519000-memory.dmp
memory/792-44-0x0000000001180000-0x0000000001219000-memory.dmp
memory/792-43-0x0000000001180000-0x0000000001219000-memory.dmp
memory/1280-42-0x0000000000FB0000-0x0000000001031000-memory.dmp
memory/792-48-0x0000000001180000-0x0000000001219000-memory.dmp
memory/792-49-0x0000000001180000-0x0000000001219000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 15:52
Reported
2024-10-10 15:54
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wovoi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wovoi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\noajx.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wovoi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\noajx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe
"C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe"
C:\Users\Admin\AppData\Local\Temp\wovoi.exe
"C:\Users\Admin\AppData\Local\Temp\wovoi.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\noajx.exe
"C:\Users\Admin\AppData\Local\Temp\noajx.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4916-0-0x0000000000CA0000-0x0000000000D21000-memory.dmp
memory/4916-1-0x00000000003F0000-0x00000000003F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wovoi.exe
| MD5 | 7eb4477e423451b68a91abe11a1dd3fb |
| SHA1 | 3b861919879298c8e414102731930427da0ff762 |
| SHA256 | 8774a0aa7564fcd9fe5efc34a2d6520600d43983101fb0eb57f9fea4b5d56606 |
| SHA512 | d822ec62d58322b0c754ac7f7b8ccfa4dfaecbdaec4ca5d40a1bc3d95bf6eb8660c87b30fe4eb12297e49c8e9b6d9752c8581f269271f3966bb5ae90f1c90dac |
memory/3212-14-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/3212-11-0x0000000000430000-0x00000000004B1000-memory.dmp
memory/4916-17-0x0000000000CA0000-0x0000000000D21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | e7c3e993ea2579770a925e583ba3ff27 |
| SHA1 | 6f32cf053a7d9434f99890f4e49aaa932657c905 |
| SHA256 | 1750992886861a13c2424cc030b86bf895a348c13c38d56ab6d2dabe8727ae27 |
| SHA512 | 7d486364662bf4e3598ddc1185697e06c829d662e73ce7f95e5f174dd431392f9a46abf5798ae84fb4b3443da2620173a9f80f91bbe72e4ae66e50cf74abc3d0 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8f986fe109aab23f7920b0791350bcec |
| SHA1 | cc14bc682c33ae3df4c1ec4f6e93a24575bc4f5a |
| SHA256 | 994e3a0890de3f24d9a34f78984ac8cf1473f8141382795fe60beca0df08f2bb |
| SHA512 | 6e629bb518f8c7f10014ecbd5bfb63ba42ed34662713fba7d6684fe2b88548cb3b8c2b150fac2fb0f03d69ac2b1957e5bd6fcffd19bfa8c448f2d43c0829afa3 |
memory/3212-20-0x0000000000430000-0x00000000004B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\noajx.exe
| MD5 | cf7b06666f849d1d545c440e459e66b8 |
| SHA1 | c778d9a3aab10e4c92df487226c1445fb3f1dfbd |
| SHA256 | c7a2ce2b6c4c589817652645fdde378f7ee3aea700028e4acf2970777c363e2f |
| SHA512 | 0d3b04cbe3b8dd3c2400b5b236f486de883546e661cc85a622ef1a23e4e366d3535ce6f784831fadef78c60c1b7350e11c62b1d5608423011887a72365a04acd |
memory/4376-40-0x0000000000DB0000-0x0000000000DB2000-memory.dmp
memory/3212-39-0x0000000000430000-0x00000000004B1000-memory.dmp
memory/4376-36-0x0000000000C50000-0x0000000000CE9000-memory.dmp
memory/4376-41-0x0000000000C50000-0x0000000000CE9000-memory.dmp
memory/4376-46-0x0000000000DB0000-0x0000000000DB2000-memory.dmp
memory/4376-45-0x0000000000C50000-0x0000000000CE9000-memory.dmp
memory/4376-47-0x0000000000C50000-0x0000000000CE9000-memory.dmp