Analysis Overview
SHA256
7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1
Threat Level: Known bad
The file 7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Executes dropped EXE
Deletes itself
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 19:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 19:24
Reported
2024-10-10 19:26
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ruqow.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ruqow.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rejei.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ruqow.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rejei.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe
"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"
C:\Users\Admin\AppData\Local\Temp\ruqow.exe
"C:\Users\Admin\AppData\Local\Temp\ruqow.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\rejei.exe
"C:\Users\Admin\AppData\Local\Temp\rejei.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/4568-0-0x0000000000010000-0x0000000000091000-memory.dmp
memory/4568-1-0x00000000007C0000-0x00000000007C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ruqow.exe
| MD5 | c1f11b932853342107c35f70d473cae1 |
| SHA1 | 90b728d28997ad7f967f29b6ec3954fba6ba13f5 |
| SHA256 | a321c0bd222bc67ec2589c350d1777b705018344fec3c2d864e3ef491a6d0eca |
| SHA512 | 5afa9cd15178d909a3632061795d44d9a7461e005492e558a2a638844d5fbae4143f883b43d4aa63138cae7f8a6bf20450b6228cdcff9f40d5074223bfed29a9 |
memory/2832-14-0x0000000000740000-0x0000000000741000-memory.dmp
memory/2832-13-0x00000000006B0000-0x0000000000731000-memory.dmp
memory/4568-16-0x0000000000010000-0x0000000000091000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 27218cda5675ca52eb82d36f8f60a7df |
| SHA1 | 8f22e3c007d9d7b444b6ccb39cb0f15822693609 |
| SHA256 | b48effa75c2c365bd1440a63de608c75e0f4cf3640f7d543b4bbf99f3e32560d |
| SHA512 | 803e0cba1e7a0452cac368872c70424def2002fa22caae7281223680c963de71a3d03f208742abe29490537621060afac9cac3f1f3aeed57db5a89f748507930 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e371d0dc7cbb417bbbd81bd8572e05c6 |
| SHA1 | d252a24dbcd0f873dfbfc93b83abaf52116e5f37 |
| SHA256 | 730453f56cb56a7e16ff8ed25b9c75e5e38c4bf749a7c2d54fc572126142648f |
| SHA512 | 59a23016fe09729a44b5665d77053f1a0b40017659b47dc19589cf3d670866fba2365e7ac8bfed35d7fb867512238e7e31f99c68d11edbea525631b9bce91e3d |
memory/2832-19-0x00000000006B0000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rejei.exe
| MD5 | c57f59738bcb755ed44852f98cd83d4e |
| SHA1 | f9533e1c082789842fd5c08e626ed8477a1f4d9b |
| SHA256 | f3019a282101464ad3a7b4e2e0b51f2ac2ccdb06693728a851a567c97e46e36e |
| SHA512 | b273097f1a7731667502b52ecb8affe80894022bed1bdb95475649b9b380ece8f16c56a3d0ab7c1a50a88eb8d0a4af95edf52f8b02a3520a24ee1d55690fda49 |
memory/4228-36-0x0000000000C50000-0x0000000000CE9000-memory.dmp
memory/4228-37-0x0000000000F70000-0x0000000000F72000-memory.dmp
memory/4228-39-0x0000000000C50000-0x0000000000CE9000-memory.dmp
memory/2832-42-0x00000000006B0000-0x0000000000731000-memory.dmp
memory/4228-44-0x0000000000F70000-0x0000000000F72000-memory.dmp
memory/4228-45-0x0000000000C50000-0x0000000000CE9000-memory.dmp
memory/4228-46-0x0000000000C50000-0x0000000000CE9000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 19:24
Reported
2024-10-10 19:26
Platform
win7-20240729-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zajuc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sufip.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zajuc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zajuc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sufip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe
"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"
C:\Users\Admin\AppData\Local\Temp\zajuc.exe
"C:\Users\Admin\AppData\Local\Temp\zajuc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\sufip.exe
"C:\Users\Admin\AppData\Local\Temp\sufip.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1072-0-0x00000000011C0000-0x0000000001241000-memory.dmp
memory/1072-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\zajuc.exe
| MD5 | 8a90ee02075a521e8616e678c9e6564c |
| SHA1 | 8340005c9ad5b066156014b4f8bd9a71fe6d8292 |
| SHA256 | edfece4f204c7efa523a2cc50ccdcfbc1bfec37861db0ea054c7ac45957fdda0 |
| SHA512 | 940af6188206e23d90c6d0afe36c43749b125508b1e94c22f7e5a06bc18480cd8c9abcb18821045c38c19528e1312845a7a0bb674c492a157fa9bccdf0e5b167 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 27218cda5675ca52eb82d36f8f60a7df |
| SHA1 | 8f22e3c007d9d7b444b6ccb39cb0f15822693609 |
| SHA256 | b48effa75c2c365bd1440a63de608c75e0f4cf3640f7d543b4bbf99f3e32560d |
| SHA512 | 803e0cba1e7a0452cac368872c70424def2002fa22caae7281223680c963de71a3d03f208742abe29490537621060afac9cac3f1f3aeed57db5a89f748507930 |
memory/2804-12-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2804-11-0x0000000001090000-0x0000000001111000-memory.dmp
memory/1072-9-0x0000000002770000-0x00000000027F1000-memory.dmp
memory/1072-21-0x00000000011C0000-0x0000000001241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 910ea820e932cf16852b366d79c9b06d |
| SHA1 | e00b779ee627e80e5f4d436846f135d419fc5890 |
| SHA256 | c7314c75b36414c8a9b62bbc06378cde6af59b131cfc756ab3ad3f9697e8880c |
| SHA512 | 261b9dd3c4046419ffa029d816539d98c64e58ee3d48e4dc6893e23a14547b91c5e0f8c8a45e4529a23c549b90fc34e0e32deaed1e8e3da38015f7a2d06a5540 |
memory/2804-24-0x0000000001090000-0x0000000001111000-memory.dmp
memory/2804-25-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2804-39-0x0000000003320000-0x00000000033B9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sufip.exe
| MD5 | ebbda67478dab23d67037bcddc11c770 |
| SHA1 | 2a928f43f6855537c1d2d65d41e38a8a7c58b808 |
| SHA256 | a9afd9813c9391f8a581e13134959effedec766d86db47d0fc86fdc9553d49bf |
| SHA512 | d7d6b99d7fbcdc5e6030d165631de38d9a6d28609bdb9c1d23cce6381cc3872d30420041af71c67c390b66f8b5488cd7b4bf90f5cb0d91ba1b553837a4aedab6 |
memory/1740-43-0x0000000000EC0000-0x0000000000F59000-memory.dmp
memory/2804-42-0x0000000001090000-0x0000000001111000-memory.dmp
memory/1740-44-0x0000000000EC0000-0x0000000000F59000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zajuc.exe
| MD5 | 7029fe605e355df1b51359462c38b189 |
| SHA1 | 0e828fb7518739936bf26c14ffc5d09ef948ef63 |
| SHA256 | b650a8bca312bb9e74bec5fdda0c999d7a900c8868dedc12f015adc37c4d4d19 |
| SHA512 | c165f8eed0b1f13c5e77f9dd79b1023fbfe166e06ec33d60966a38ec69d6a2946ec1ecf0bb4830266e08eff26b6034b607c65be18e1cbacfd5e082d9f11b9c09 |
memory/1740-49-0x0000000000EC0000-0x0000000000F59000-memory.dmp
memory/1740-50-0x0000000000EC0000-0x0000000000F59000-memory.dmp