Analysis Overview
SHA256
680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77e
Threat Level: Known bad
The file 680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 16:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 16:25
Reported
2024-10-10 16:27
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzoki.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nulez.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzoki.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uzoki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nulez.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
"C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"
C:\Users\Admin\AppData\Local\Temp\uzoki.exe
"C:\Users\Admin\AppData\Local\Temp\uzoki.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\nulez.exe
"C:\Users\Admin\AppData\Local\Temp\nulez.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1684-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1684-0-0x0000000000210000-0x0000000000291000-memory.dmp
\Users\Admin\AppData\Local\Temp\uzoki.exe
| MD5 | 8334be050a2a61abeb3ccc426179f57e |
| SHA1 | 6d660b0d985656372ab13cb321ef9e61e90591d1 |
| SHA256 | 4d7827f05a6831414fe4be166372f50e4d383735d5243065f603628c428e5eba |
| SHA512 | 5d0264a9f21f567d1a9c81097ed76adb90e6cfc4ab2c949fbe6fcf1d2ce949c79a4cddd1c0218d300e271cda9e1a6624d469df98b259f476a09718ababa4fad5 |
memory/1684-6-0x0000000002460000-0x00000000024E1000-memory.dmp
memory/2964-13-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2964-11-0x0000000000920000-0x00000000009A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | af5416b8428b7024077aca61c2fbc1e8 |
| SHA1 | 6b1b9c4ff6c207c84eb39368680a8306bf800a3c |
| SHA256 | 31fdb35446b2485ff5d3ded870b3c1903ef2abd41c254edc92dd959f647bb4a3 |
| SHA512 | 2f159410e5996080e31f9cf2228401668cc8e168d5cc0686578f07d31cb031ceb10332788609e6389f288d1c55158f81abad51fcf6ab6d1f90a2423f497904db |
memory/1684-21-0x0000000000210000-0x0000000000291000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b51cc6ae1f00d6cb6304094d1570ad24 |
| SHA1 | 78f3883ad5439072df41f7544141952a42374fb5 |
| SHA256 | 1e2f2818b27aadead255312837cde5037599cff47af73394ed8b0c74d4554b30 |
| SHA512 | 2b9cde5e6443277978e2f549d6d77eb19a83c6ab6975e467186c6b44d4b255cfa665663bad9f3f4856a69ec91c2c68f6e08e1070f9c299b4f936e2f5c39c8cfc |
memory/2964-24-0x0000000000920000-0x00000000009A1000-memory.dmp
memory/2964-40-0x0000000000920000-0x00000000009A1000-memory.dmp
memory/2964-38-0x0000000003250000-0x00000000032E9000-memory.dmp
memory/2456-42-0x0000000000020000-0x00000000000B9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nulez.exe
| MD5 | 91814eff58d55623be50399ac6a53432 |
| SHA1 | 865724cf46f0a98a78df4be2c13bcc5d34a13b8d |
| SHA256 | 323215464c73524ca40849bbeeecad12c41fa0e71c813b67fc0c6365c020cfc2 |
| SHA512 | f97edf6b421ce4c75d4a1f0580489be7b53244811d0df992c7bd3f27a101ae068b447896ac6d00992e4c783eab4092f165553572c6ba1e03f094ca8270196c13 |
memory/2456-44-0x0000000000020000-0x00000000000B9000-memory.dmp
memory/2456-47-0x0000000000020000-0x00000000000B9000-memory.dmp
memory/2456-48-0x0000000000020000-0x00000000000B9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 16:25
Reported
2024-10-10 16:27
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\diloo.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diloo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loguk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\diloo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\loguk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
"C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"
C:\Users\Admin\AppData\Local\Temp\diloo.exe
"C:\Users\Admin\AppData\Local\Temp\diloo.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\loguk.exe
"C:\Users\Admin\AppData\Local\Temp\loguk.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/1340-0-0x0000000000250000-0x00000000002D1000-memory.dmp
memory/1340-1-0x0000000000550000-0x0000000000551000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\diloo.exe
| MD5 | c5c7ef95cf17abb477827838bf403fa8 |
| SHA1 | 690c840b0cd023313fbba31eef64f8ac677e6278 |
| SHA256 | c1c7ba9d1764b9d7374fce3493bea0a044cfccbb95dd772ee87e0f260b1bec8f |
| SHA512 | 989178bd3e93ffc8541eb12335b4c3a0e01ef5b1896f79d2861bc12e856fc32df5ef0d07f2cda73c22292fd6827f61f9375e3065873eab28685bfffdcc1f64f2 |
memory/2136-14-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/2136-11-0x0000000000580000-0x0000000000601000-memory.dmp
memory/1340-17-0x0000000000250000-0x00000000002D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | af5416b8428b7024077aca61c2fbc1e8 |
| SHA1 | 6b1b9c4ff6c207c84eb39368680a8306bf800a3c |
| SHA256 | 31fdb35446b2485ff5d3ded870b3c1903ef2abd41c254edc92dd959f647bb4a3 |
| SHA512 | 2f159410e5996080e31f9cf2228401668cc8e168d5cc0686578f07d31cb031ceb10332788609e6389f288d1c55158f81abad51fcf6ab6d1f90a2423f497904db |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a7f64c43d39a874557eb61c9662c09c7 |
| SHA1 | c28d60941d3c0e7906dbc6e5ac526167d6e29713 |
| SHA256 | 674d9ad49ec5ed32ee7e2fcc1548d603215f922f5dd2d2dd4e01d3404b5e4b45 |
| SHA512 | 85294bb5ba31b8714b0dddbedf1e77666783b337901fc4aa3991d4d30dbe4c4e24743a86a512faf305c9aa4cfbde008b63c3747c0dfdbba702a632aa1eb44809 |
memory/2136-21-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/2136-20-0x0000000000580000-0x0000000000601000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\loguk.exe
| MD5 | d03f654ebdb8d9871713863b72d2057b |
| SHA1 | 29fbd3209108d6da0f26a200a329b76814f2de28 |
| SHA256 | 497c85a1fa0fb957f216b21e60ef5f9a37487c6fc9c7fea6a274259a29deb779 |
| SHA512 | d3523cba26cd84a4b50f2f7c27016fa8e940606a07e00f3194382487926a3e0b1e2e7c8f0e5487864ff742f840d2e75c1cfeb6ec2fa930621688c63f4886faf4 |
memory/4476-37-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/2136-39-0x0000000000580000-0x0000000000601000-memory.dmp
memory/4476-41-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/4476-44-0x0000000000A90000-0x0000000000A92000-memory.dmp
memory/4476-46-0x0000000000B30000-0x0000000000BC9000-memory.dmp
memory/4476-47-0x0000000000B30000-0x0000000000BC9000-memory.dmp