Analysis Overview
SHA256: 4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823
Threat Level: Known bad
The file 4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
ASPack v2.12-2.42
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-10 18:46
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-10 18:45
Reported: 2024-10-10 18:48
Platform: win7-20240729-en
Max time kernel: 120s
Max time network: 119s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qoams.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qubyfi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\liduz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qoams.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qoams.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qubyfi.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qoams.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qubyfi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\liduz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | "C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe" |
| C:\Users\Admin\AppData\Local\Temp\qoams.exe | "C:\Users\Admin\AppData\Local\Temp\qoams.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
| C:\Users\Admin\AppData\Local\Temp\qubyfi.exe | "C:\Users\Admin\AppData\Local\Temp\qubyfi.exe" OK |
| C:\Users\Admin\AppData\Local\Temp\liduz.exe | "C:\Users\Admin\AppData\Local\Temp\liduz.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\qoams.exe
| MD5 | 90e4f0c502a221db1abf0af111e4e719 |
| SHA1 | faea87547f69b561166be6a2adca54ec9536527d |
| SHA256 | 25489d2ae0ee0e44a277ca0282491bd4b335035b2fd87a04092429870c622aed |
| SHA512 | b5da0e0dddf41a2958754f25f3468b1b1dda2905cecca76d54176929bb0bb6c43d7f17fcabb58f72b8e949889401eb1207ba1d03a3e1601e2715a7f2d3030d45 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | d8e884b19c8ed65aeb197039dcd9a63b |
| SHA1 | 9096b9945a928465297476cfb1f039c35669fba4 |
| SHA256 | c80a28f37f0226a4b392d2892b3e2c806dda1632d31fcda5593dfdacf50aed5f |
| SHA512 | c11c9197abd7103c2b5226a5a8e11d261b9e0ee981006b60b209ffa31e70510801eff4b84e75de638213c3434fbec4f2515f1a560c36c34ec086936983547d46 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 2c36b8dd09dd33992afa62987f881dd2 |
| SHA1 | 0866e4ce15c59fca4f96bd660252bfe16449a9f5 |
| SHA256 | 426c3eb9220b8a4e0d42094e935b64af0ddc4d6f787c8b78ecf610a850fcfad7 |
| SHA512 | 934d3e9f679b04bf243a02761d4840a60c60e4845cdaca4a3f838ab5fbf7585519dd101ea41cc2c6331a1790615601cdc44f68b851ea5c89279631419c49cef8 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 4067390887e4aac050e29c1b00c43fd3 |
| SHA1 | 6e8aa090b163d5e1e0c5c66116c8fcf08a15209e |
| SHA256 | d00291b90b1f8fdbb3b7874159cd4c3437710b516d230d71e3f88b4eafca582f |
| SHA512 | c83ff63c90c3a28de15bc80f1e45f28970c9d0711666bc281d1a8d86cfecf0ec05806616a351623cadb007725e6001569b959106812f2dae2e42178f570e492a |
\Users\Admin\AppData\Local\Temp\liduz.exe
| MD5 | 00ccd912b65548fcb962b984f98bd71f |
| SHA1 | 952e090e05a9ed502e4c5b17e428f821f1dee663 |
| SHA256 | 8eedb82eebb6ab5097e1e99a41b48809a537f7b6a08711a45643e563c3bb1659 |
| SHA512 | 79354fffd4fbfad85105fabb714d3cff53107f1cc590cc0a6c43546008606e07db097ce1c9b594e4cdd59ad740966af76e24125076e38ad51105d4728a6e867d |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-10 18:45
Reported: 2024-10-10 18:48
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 96s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nyxok.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\irmeko.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyxok.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\irmeko.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fajyt.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nyxok.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\irmeko.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fajyt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | "C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe" |
| C:\Users\Admin\AppData\Local\Temp\nyxok.exe | "C:\Users\Admin\AppData\Local\Temp\nyxok.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
| C:\Users\Admin\AppData\Local\Temp\irmeko.exe | "C:\Users\Admin\AppData\Local\Temp\irmeko.exe" OK |
| C:\Users\Admin\AppData\Local\Temp\fajyt.exe | "C:\Users\Admin\AppData\Local\Temp\fajyt.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nyxok.exe
| MD5 | 5dd1ff6353c672a90dff8f8801324880 |
| SHA1 | 07487cc2bd6516dd61c840eeceee1e869a21e8c9 |
| SHA256 | a607d1cd4794bf14c9e74ef6c103153e5e604442487850024af6accdd4c8b7b5 |
| SHA512 | df3a8922c284e0c9d53f1049d65b1b67a22ccd41751fa9a5ab6bdc5bb73cca69f8d4d51fcb66d08673012781b863b1532bca997cc40c7c1d3688659cfa2dee6d |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 823e4a32a26083d604be0ed2c2377c70 |
| SHA1 | eb54186ce9a05d3ab99e5b5468c5e7b9ac81fe8f |
| SHA256 | 6c43f52fae48d7c843fa51397c3cadbd42f4c10d3cb0ae1ff5acd0e060e9ae59 |
| SHA512 | 7c176b0e31ae1f36706986d9df1235e65036890995f0b4cece93007ed1c5fe759618b439c2df963466760bbde766fbd9709067cd856a861f463c3527b2757f36 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 2c36b8dd09dd33992afa62987f881dd2 |
| SHA1 | 0866e4ce15c59fca4f96bd660252bfe16449a9f5 |
| SHA256 | 426c3eb9220b8a4e0d42094e935b64af0ddc4d6f787c8b78ecf610a850fcfad7 |
| SHA512 | 934d3e9f679b04bf243a02761d4840a60c60e4845cdaca4a3f838ab5fbf7585519dd101ea41cc2c6331a1790615601cdc44f68b851ea5c89279631419c49cef8 |
C:\Users\Admin\AppData\Local\Temp\fajyt.exe
| MD5 | 6f6121fee43f19e0e5606374f12ed6f8 |
| SHA1 | b144c06367345a2787bfb9b0d4a256ab94a79096 |
| SHA256 | 0d2de68578edc0b6c3e28001bd621547eb35821d0bc5a572a14aff9891bd7328 |
| SHA512 | 90d53c7d1fd074aed742ce03a85d5aa48eb2eb3caaad427403b64a936790e8f6fa638ae7061555cf73a502541437adaa9df259353d03d559a2470c41c49d0101 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | c8d29bbf6b0adb85e0e239a70013771b |
| SHA1 | ce7329280b9f5cf21d98bd096084e2f41b31e4d5 |
| SHA256 | 4698c29b5de46e168a2e674b683907bed693949539786bf70c9e816c75d089d3 |
| SHA512 | bf22810caaa4aeb61a89146ac8f3b7af9c3112dc49ec02f590c9db6cb32dff971706cdcb007ce0a10e8801106a5d8039fdaa03f6c3b2cc2f57d85c57266349d9 |