Analysis Overview
SHA256
680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77e
Threat Level: Known bad
The file 680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 16:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 16:27
Reported
2024-10-10 16:30
Platform
win7-20241010-en
Max time kernel
150s
Max time network
92s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kotuv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gubel.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kotuv.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kotuv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gubel.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
"C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"
C:\Users\Admin\AppData\Local\Temp\kotuv.exe
"C:\Users\Admin\AppData\Local\Temp\kotuv.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\gubel.exe
"C:\Users\Admin\AppData\Local\Temp\gubel.exe"
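The process list above shows the pattern a detection engineer would want to hunt for: a Temp-resident executable starts another Temp-resident executable, and cmd.exe is invoked on a batch file in Temp (the report attributes its "Deletes itself" signature to that cmd.exe). The following is an added example, not code from the sandbox or the report: two small heuristics run over process-creation events. The events are constructed to mirror this run's process list; the PIDs 2412, 3068 and 2108 are taken from the memory-dump names on the assumption that they belong to the sample, kotuv.exe and gubel.exe respectively, and the cmd.exe PID and all parent links are assumptions, because the report lists processes but not a tree.

```python
import re
from dataclasses import dataclass

# Match the doubled-quote form the report shows: cmd /c ""<path>.bat" "
BAT_CMDLINE = re.compile(r'cmd(?:\.exe)?\s+/c\s+""?([^"]+\.bat)"', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def in_temp(path):
    return bool(TEMP_DIR.search(path))


def find_self_delete_chain(events):
    """Flag cmd.exe started by a Temp-resident executable to run a .bat that also lives in Temp.

    A running image cannot unlink its own file, so a dropper hands the deletion
    to a batch file; this is the cmd.exe the report tags with 'Deletes itself'.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_CMDLINE.search(e.cmdline)
        if not m or not in_temp(m.group(1)):
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and in_temp(parent.image):
            hits.append((parent.image, m.group(1)))
    return hits


def find_temp_exe_chain(events):
    """Flag executables in Temp started by another executable in Temp (dropper -> dropped EXE)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if e.image.lower().endswith(".exe") and in_temp(e.image) and in_temp(parent.image):
            hits.append((parent.image, e.image))
    return hits


# Constructed events mirroring the behavioral1 process list (assumed PIDs and parent links).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"
KOTUV = r"C:\Users\Admin\AppData\Local\Temp\kotuv.exe"
GUBEL = r"C:\Users\Admin\AppData\Local\Temp\gubel.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\_uinsey.bat"

EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2412, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3068, 2412, KOTUV, f'"{KOTUV}"'),
    ProcEvent(3100, 3068, CMD, f'cmd /c ""{BAT}" "'),
    ProcEvent(2108, 3068, GUBEL, f'"{GUBEL}"'),
    # Control: the same command line launched from explorer.exe is not a dropper
    # chain under this rule, because the parent is not Temp-resident.
    ProcEvent(4000, 1000, CMD, f'cmd /c ""{BAT}" "'),
]

if __name__ == "__main__":
    for parent, bat in find_self_delete_chain(EVENTS):
        print(f"self-delete chain: {parent} -> cmd.exe {bat}")
    for parent, child in find_temp_exe_chain(EVENTS):
        print(f"temp-to-temp execution: {parent} -> {child}")
```

The two rules are deliberately independent: the self-delete rule fires once (kotuv.exe launching cmd.exe on _uinsey.bat), the Temp-to-Temp rule fires twice (sample to kotuv.exe, kotuv.exe to gubel.exe). On a real EDR feed the parent-image condition is what keeps the batch-file rule from paging on every user who runs a script out of Temp; loosen it only if you are prepared to triage that volume.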
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2412-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2412-0-0x0000000001120000-0x00000000011A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\kotuv.exe
| MD5 | aeb1d50ed35297feff19de28117aff39 |
| SHA1 | 840ee824e7c8f20d6960086e07d6889424b77bd3 |
| SHA256 | 883f8b64d30ac6ab62f3b7d39bcd685582e701f18b13a0d9169b0e24d8112d96 |
| SHA512 | ebe700322a282de0fab7ebcc362f32a2bb1eccacfbc3663e0fa7400fbdb0a625ea6ed6071dd48feb317039ee2039fc28fcd97029c2c1047f7bf5960cccbedaed |
memory/3068-18-0x0000000000020000-0x0000000000021000-memory.dmp
memory/3068-17-0x0000000000210000-0x0000000000291000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | af5416b8428b7024077aca61c2fbc1e8 |
| SHA1 | 6b1b9c4ff6c207c84eb39368680a8306bf800a3c |
| SHA256 | 31fdb35446b2485ff5d3ded870b3c1903ef2abd41c254edc92dd959f647bb4a3 |
| SHA512 | 2f159410e5996080e31f9cf2228401668cc8e168d5cc0686578f07d31cb031ceb10332788609e6389f288d1c55158f81abad51fcf6ab6d1f90a2423f497904db |
memory/2412-9-0x0000000000D20000-0x0000000000DA1000-memory.dmp
memory/2412-21-0x0000000001120000-0x00000000011A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 6787e349d981a5d45797c00921d76359 |
| SHA1 | 82142095f935c119eb12ce366d74f074e365b540 |
| SHA256 | 2b7727fc94470d2c4bfa9d9e254d7f0ce7cf0f1ff90b00faa997d300b14f8b0c |
| SHA512 | ea5f369b102c4b340aa4a1d78a270332eaef4ee5bfa1e1faea7865906763c5d1fdc6e405af067851288e7b62e6fc7ab1514aa991f814c09464a23abb8159b4be |
memory/3068-24-0x0000000000210000-0x0000000000291000-memory.dmp
memory/3068-25-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\gubel.exe
| MD5 | 88a58f50cd8a744b697447fcceeb06e6 |
| SHA1 | b925fca0a426b79c57b86478400517895fe63b02 |
| SHA256 | 94292c7486dee1f423f606b13ecde7eee8b6837af8d6bd56bc079a6b57436e84 |
| SHA512 | f9dd6a4186fb9eff1db23d6cc08e9ad44d7dde8d8427b650b1d124f1cd2803b746002ba00e99341717969ea640799c8d46a78d7795187351c566ddcbeb14319d |
memory/3068-37-0x00000000035B0000-0x0000000003649000-memory.dmp
memory/2108-43-0x0000000000B50000-0x0000000000BE9000-memory.dmp
memory/3068-42-0x0000000000210000-0x0000000000291000-memory.dmp
memory/2108-44-0x0000000000B50000-0x0000000000BE9000-memory.dmp
memory/2108-48-0x0000000000B50000-0x0000000000BE9000-memory.dmp
memory/2108-49-0x0000000000B50000-0x0000000000BE9000-memory.dmp
memory/2108-50-0x0000000000B50000-0x0000000000BE9000-memory.dmp
memory/2108-51-0x0000000000B50000-0x0000000000BE9000-memory.dmp
memory/2108-52-0x0000000000B50000-0x0000000000BE9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 16:27
Reported
2024-10-10 16:30
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gaton.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gaton.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fusir.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gaton.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fusir.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
"C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"
C:\Users\Admin\AppData\Local\Temp\gaton.exe
"C:\Users\Admin\AppData\Local\Temp\gaton.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\fusir.exe
"C:\Users\Admin\AppData\Local\Temp\fusir.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/4760-0-0x00000000005A0000-0x0000000000621000-memory.dmp
memory/4760-1-0x00000000007C0000-0x00000000007C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gaton.exe
| MD5 | a8e408f1ca88d1008e3690ea6395b1f8 |
| SHA1 | db51ac301ec87031abbb32b2098f6254950b6797 |
| SHA256 | adfa182be2c927f342d2d1e60cf891cb42f2d95a51d8d32b8967fc8c5735f129 |
| SHA512 | d9ea7106eac9c0524ab0ca1af1cba8d80bff45af398fc754e957f3b9bcbad9d16a6329ee2c91e85b9537c4fb309abba1f766261c7570c138395f7782aa054b25 |
memory/1712-14-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1712-11-0x0000000000AB0000-0x0000000000B31000-memory.dmp
memory/4760-17-0x00000000005A0000-0x0000000000621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | af5416b8428b7024077aca61c2fbc1e8 |
| SHA1 | 6b1b9c4ff6c207c84eb39368680a8306bf800a3c |
| SHA256 | 31fdb35446b2485ff5d3ded870b3c1903ef2abd41c254edc92dd959f647bb4a3 |
| SHA512 | 2f159410e5996080e31f9cf2228401668cc8e168d5cc0686578f07d31cb031ceb10332788609e6389f288d1c55158f81abad51fcf6ab6d1f90a2423f497904db |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 63ef950c4f0331a74f8d485d8b69fa39 |
| SHA1 | da2b9978ab13a519f2b4e55714654103f8b6e224 |
| SHA256 | d8d7289faec99c182302a64a956959c6dc31ce5cb2898a7b05c010ec426b06c8 |
| SHA512 | 980edeff71d1f564e29e04371182df5b41e16f1af60c41daaa93fdbdbca43222e1a86eeb438d2d55d7630eb1d40f8ac8ac462d243a4a6d4892a733e85d5482c5 |
memory/1712-20-0x0000000000AB0000-0x0000000000B31000-memory.dmp
memory/1712-21-0x00000000001C0000-0x00000000001C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fusir.exe
| MD5 | 6a36b4af050b371fb980554e25b38d5b |
| SHA1 | 19a1796c3454658ab738e8b6d91619dc8d8521c3 |
| SHA256 | fd6dc67706a2c1e1f1f9271705f65a43d0ced4b237a9f73e8ae793575c7eae18 |
| SHA512 | 95f1a80d3ae45d7ea0df812542ff57c804411ab0b96b2628ee2c8a60687b40b3159ac1ec2d529d03b37c162bd845030d3c9f22b49203015b4a25a230e5ad0d05 |
memory/2272-39-0x0000000000A20000-0x0000000000A22000-memory.dmp
memory/2272-38-0x0000000000500000-0x0000000000599000-memory.dmp
memory/1712-41-0x0000000000AB0000-0x0000000000B31000-memory.dmp
memory/2272-42-0x0000000000500000-0x0000000000599000-memory.dmp
memory/2272-47-0x0000000000A20000-0x0000000000A22000-memory.dmp
memory/2272-46-0x0000000000500000-0x0000000000599000-memory.dmp
memory/2272-48-0x0000000000500000-0x0000000000599000-memory.dmp
memory/2272-49-0x0000000000500000-0x0000000000599000-memory.dmp
memory/2272-50-0x0000000000500000-0x0000000000599000-memory.dmp
memory/2272-51-0x0000000000500000-0x0000000000599000-memory.dmp