Analysis Overview
SHA256
7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1
Threat Level: Known bad
The file 7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 19:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 19:28
Reported
2024-10-10 19:30
Platform
win7-20241010-en
Max time kernel
150s
Max time network
82s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\odfeg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qityx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\odfeg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\odfeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qityx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe
"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"
C:\Users\Admin\AppData\Local\Temp\odfeg.exe
"C:\Users\Admin\AppData\Local\Temp\odfeg.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\qityx.exe
"C:\Users\Admin\AppData\Local\Temp\qityx.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1680-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1680-0-0x0000000000070000-0x00000000000F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\odfeg.exe
| MD5 | 976071c8de928e8fb2d85ee2da8c7bf2 |
| SHA1 | 787c57b2b2827bbc1ed1e38a911683c7bad5f945 |
| SHA256 | 8e14d4f03097763b08bf8130d799367b502cac362d50cd592dbf4f36955f6397 |
| SHA512 | 5147f904a1d62ce17b828b9d5d5906af9d469ac4511f8ce1972b8ad878ba12fd10271f00ce71c836ff44de246cb7a9e17277f8a8c9c1fa174a7bbe16bcc06ed5 |
memory/2932-19-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 27218cda5675ca52eb82d36f8f60a7df |
| SHA1 | 8f22e3c007d9d7b444b6ccb39cb0f15822693609 |
| SHA256 | b48effa75c2c365bd1440a63de608c75e0f4cf3640f7d543b4bbf99f3e32560d |
| SHA512 | 803e0cba1e7a0452cac368872c70424def2002fa22caae7281223680c963de71a3d03f208742abe29490537621060afac9cac3f1f3aeed57db5a89f748507930 |
memory/1680-9-0x00000000024D0000-0x0000000002551000-memory.dmp
memory/2932-18-0x0000000000AA0000-0x0000000000B21000-memory.dmp
memory/1680-21-0x0000000000070000-0x00000000000F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a210530789de19bdd5da750bc3aae8f3 |
| SHA1 | 80333b1bc67a88ce599dc3f9aaf44c91ab369589 |
| SHA256 | bf79ee223d9a10fc754ec14df86fb3c8544c77c98a49960720642ff9428889ff |
| SHA512 | 0c1ec3ab91602d9f84e64b066d3559cf3718187d442cfd0271a7e4d470e20f8855e93fbd18a28d6242472ed419960a2e8a6792ec85b23ab520b0d6164443afca |
memory/2932-24-0x0000000000AA0000-0x0000000000B21000-memory.dmp
\Users\Admin\AppData\Local\Temp\qityx.exe
| MD5 | 6ec3892c7a5ccca1fbacfba469080410 |
| SHA1 | fdd3748cbfa4e3475cb38fad989194cd69de73be |
| SHA256 | dc7b15947d7a079e527fb9ba31356d6ead3223b52a0bb69f410535efcf5a3202 |
| SHA512 | 97d11564ab3fe3ce7bb707741515c76f93f17aa0a915a20768977467c00193a21b5f33c10ab0e9f3459c8e2c3f701947c9307e324ead5fdb9c0e4851f6cab950 |
memory/2932-38-0x0000000003370000-0x0000000003409000-memory.dmp
memory/3020-45-0x0000000000840000-0x00000000008D9000-memory.dmp
memory/3020-42-0x0000000000840000-0x00000000008D9000-memory.dmp
memory/2932-41-0x0000000000AA0000-0x0000000000B21000-memory.dmp
memory/3020-47-0x0000000000840000-0x00000000008D9000-memory.dmp
memory/3020-48-0x0000000000840000-0x00000000008D9000-memory.dmp
memory/3020-49-0x0000000000840000-0x00000000008D9000-memory.dmp
memory/3020-50-0x0000000000840000-0x00000000008D9000-memory.dmp
memory/3020-51-0x0000000000840000-0x00000000008D9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 19:28
Reported
2024-10-10 19:30
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yfobt.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yfobt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vuard.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yfobt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vuard.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe
"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"
C:\Users\Admin\AppData\Local\Temp\yfobt.exe
"C:\Users\Admin\AppData\Local\Temp\yfobt.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\vuard.exe
"C:\Users\Admin\AppData\Local\Temp\vuard.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4560-0-0x00000000002B0000-0x0000000000331000-memory.dmp
memory/4560-1-0x00000000009F0000-0x00000000009F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yfobt.exe
| MD5 | fc545c4bbdceb8b1fdf2c954c5ab0f33 |
| SHA1 | 9f754f91f1e1f026f8a6f2f979119c8bfcd5d5aa |
| SHA256 | 12acbbf841633e22f0ab74aaa980ee1eba6c1fef8d8a8f106709be746fe3a3e5 |
| SHA512 | ad2bdb45e5bf1f9a448100967864779c5d0f122a6059cf8bbaa7f9095b189ecbd61afe12afdbbae50465f079795b45a4c194db9692ab34ee828a4ae7f4a5485e |
memory/2384-13-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
memory/2384-11-0x0000000000720000-0x00000000007A1000-memory.dmp
memory/4560-17-0x00000000002B0000-0x0000000000331000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 27218cda5675ca52eb82d36f8f60a7df |
| SHA1 | 8f22e3c007d9d7b444b6ccb39cb0f15822693609 |
| SHA256 | b48effa75c2c365bd1440a63de608c75e0f4cf3640f7d543b4bbf99f3e32560d |
| SHA512 | 803e0cba1e7a0452cac368872c70424def2002fa22caae7281223680c963de71a3d03f208742abe29490537621060afac9cac3f1f3aeed57db5a89f748507930 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 83a5a6f165c504b15dda73edf2f0526d |
| SHA1 | 6d624c018ff4787c8bf28f334527cd34eea023e6 |
| SHA256 | b514bad960d5b6401a849f5eac43169b533847eff59a6881253bd42674ca8d99 |
| SHA512 | c7dbb5d2c72d374e2d4372eae07e2d28565cf948093781f9f59bef0fb43a87cf982d9e9c77c66d8a3cb63c9d98b4d31001818e5f8d640beb3ce1a1be488ee72b |
memory/2384-21-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
memory/2384-20-0x0000000000720000-0x00000000007A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vuard.exe
| MD5 | 420dad9b7fc869d68fbcf186d7ed1254 |
| SHA1 | ca7aba952ed41c97bd292f5c2fd5a3d74fc75a9c |
| SHA256 | 59cd54d7d8936398111aa31ca2931d5e94781a5be407a3f8fc66913843f74e4e |
| SHA512 | 6fc027c54fc336d4a08c6b717dd77031275f3a5f008ea5992e06f184c973b7c67e852dde08d51db4d8efe8e20b30220450de4450f1eb7c32e5f9788189cc6a07 |
memory/4652-39-0x00000000009E0000-0x00000000009E2000-memory.dmp
memory/4652-37-0x0000000000F50000-0x0000000000FE9000-memory.dmp
memory/4652-40-0x0000000000F50000-0x0000000000FE9000-memory.dmp
memory/2384-44-0x0000000000720000-0x00000000007A1000-memory.dmp
memory/4652-47-0x00000000009E0000-0x00000000009E2000-memory.dmp
memory/4652-46-0x0000000000F50000-0x0000000000FE9000-memory.dmp
memory/4652-48-0x0000000000F50000-0x0000000000FE9000-memory.dmp
memory/4652-49-0x0000000000F50000-0x0000000000FE9000-memory.dmp
memory/4652-50-0x0000000000F50000-0x0000000000FE9000-memory.dmp
memory/4652-51-0x0000000000F50000-0x0000000000FE9000-memory.dmp