Analysis Overview
SHA256
4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823
Threat Level: Known bad
The file 4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
ASPack v2.12-2.42
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 18:48
Signatures
Urelas family
Unsigned PE
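The two static1 signatures (ASPack v2.12-2.42, Unsigned PE) are the first things a triage analyst confirms by hand before trusting the sandbox verdict. The block below is an added example, not the report's or the sandbox vendor's code: a standard-library Python check that walks the PE headers, reads the section table and the Security (Authenticode) data directory, and runs against a constructed PE32 header. The ASPack section-name heuristic and the synthetic header are assumptions for illustration, not data extracted from this sample.

```python
"""Static triage for the static1 signatures: ASPack packing and no Authenticode signature.

Added example, not from the report or the sandbox vendor. Standard library only:
it walks the PE headers by hand, reads the section table and the Security data
directory, and builds a constructed PE32 header (headers only, no code) to run against.
"""
import struct
from typing import Dict, List, Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4             # index of the Authenticode directory
ASPACK_SECTION_NAMES = {".aspack", ".adata"}   # section names ASPack 2.x commonly adds

Section = Tuple[str, int, int]  # (name, VirtualAddress, VirtualSize)


def parse_pe(data: bytes) -> Dict:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]        # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    dd = opt + (96 if magic == 0x10B else 112)            # first data directory
    ndirs = struct.unpack_from("<I", data, dd - 4)[0]     # NumberOfRvaAndSizes
    security = (0, 0)
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        security = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections: List[Section] = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, va = struct.unpack_from("<8sII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return {"entry": entry, "security": security, "sections": sections}


def triage(data: bytes) -> Dict:
    pe = parse_pe(data)
    entry_sec: Optional[str] = next(
        (n for n, va, vs in pe["sections"] if va <= pe["entry"] < va + vs), None)
    names = {n.lower() for n, _, _ in pe["sections"]}
    # ASPack heuristic: its section names are present, or the entry point sits in the stub.
    aspack = bool(names & ASPACK_SECTION_NAMES) or (entry_sec or "").lower() == ".aspack"
    va, size = pe["security"]
    # Empty Security directory = no embedded Authenticode signature. Catalog-signed files
    # (most Windows binaries) also show as "unsigned" here, and a non-empty directory only
    # says a signature blob exists, not that it verifies.
    return {"aspack": aspack, "entry_section": entry_sec, "unsigned": va == 0 or size == 0}


def build_pe(sections: List[Section], entry_rva: int, security=(0, 0)) -> bytes:
    """Constructed minimal PE32 (headers only) for exercising the parser; not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, *security)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii"), vs, va, 0, 0, 0, 0, 0, 0, 0)
                     for n, va, vs in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed headers: an ASPack-style layout with the entry point in .aspack and no
# signature, versus a plain image whose Security directory points at a signature blob.
PACKED = build_pe([(".text", 0x1000, 0x30000), (".data", 0x31000, 0x10000),
                   (".aspack", 0x41000, 0x8000), (".adata", 0x49000, 0x1000)],
                  entry_rva=0x41001)
SIGNED_PLAIN = build_pe([(".text", 0x1000, 0x5000), (".data", 0x6000, 0x1000)],
                        entry_rva=0x1200, security=(0x9000, 0x1800))

if __name__ == "__main__":
    print(triage(PACKED))
    print(triage(SIGNED_PLAIN))
```

Read a real file with `triage(open(path, "rb").read())`. Treat "aspack" as a hint to unpack (or to rely on the behavioral runs' memory dumps) rather than proof of the packer version, since section names can be renamed; the version string on the page comes from the sandbox's own signature.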
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 18:48
Reported
2024-10-10 18:51
Platform
win7-20240903-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lebol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\foizqo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wiuzh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lebol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lebol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\foizqo.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lebol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\foizqo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wiuzh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe
"C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe"
C:\Users\Admin\AppData\Local\Temp\lebol.exe
"C:\Users\Admin\AppData\Local\Temp\lebol.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\foizqo.exe
"C:\Users\Admin\AppData\Local\Temp\foizqo.exe" OK
C:\Users\Admin\AppData\Local\Temp\wiuzh.exe
"C:\Users\Admin\AppData\Local\Temp\wiuzh.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
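The process list and network table above describe a chain worth turning into detection logic: a %TEMP%-resident EXE launching further %TEMP% EXEs (one with an `OK` argument), `cmd /c ""...\_vslite.bat" "` spawned for the "Deletes itself" behaviour, and outbound TCP to ports 11110 and 11170. The dropped names differ between the two runs (lebol/foizqo/wiuzh on win7, sukiq/jubony/zywey on win10), so the rules below key on path pattern and behaviour rather than file name or hash. This is an added example, not the report's or the sandbox's code: the events are constructed in a simplified Sysmon-like shape, and the parent/child links and PID-to-image mapping are assumptions, since the report lists processes flat and names PIDs only in memory-dump paths.

```python
"""Detection rules for the dropper chain recorded in this report.

Added example; not part of the sandbox report. Events are constructed from the
behavioral1 process list and network table in a simplified Sysmon-like shape
(EventID 1 = process create, 3 = network connect). Parent/child links and the
PID-to-image mapping are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Every dropped EXE in both runs lives directly under %TEMP%; names differ per run,
# so key on the path pattern, not the name.
TEMP_EXE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
# cmd /c ""<%TEMP%>\<name>.bat" "  : the batch helper behind the "Deletes itself" signature
TEMP_BAT = re.compile(r'/c\s+""C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^"\\]+\.bat"\s*"', re.I)
C2_PORTS = {11110, 11170}  # destination ports in the report's TCP rows


@dataclass
class Event:
    event_id: int
    pid: int
    image: str
    cmdline: str = ""
    parent_image: str = ""
    dst: str = ""      # "ip:port" (EventID 3 only)
    proto: str = ""


Finding = Tuple[str, int, str]  # (rule, pid, detail)


def find_dropper_chain(events: List[Event]) -> List[Finding]:
    """Apply the three behaviours the report records to a list of events."""
    out: List[Finding] = []
    for e in events:
        if e.event_id == 1:
            if TEMP_EXE.match(e.image) and TEMP_EXE.match(e.parent_image):
                out.append(("temp_exe_spawns_temp_exe", e.pid, e.image))
            if (e.image.lower().endswith("\\cmd.exe") and TEMP_EXE.match(e.parent_image)
                    and TEMP_BAT.search(e.cmdline)):
                out.append(("self_delete_via_temp_bat", e.pid, e.parent_image))
        elif e.event_id == 3 and e.proto == "tcp" and TEMP_EXE.match(e.image):
            if int(e.dst.rsplit(":", 1)[1]) in C2_PORTS:
                out.append(("c2_port", e.pid, e.dst))
    return out


def verdict(events: List[Event]) -> str:
    """Require the process-tree behaviours together; the C2 ports only raise confidence."""
    rules = {r for r, _, _ in find_dropper_chain(events)}
    if {"temp_exe_spawns_temp_exe", "self_delete_via_temp_bat"} <= rules:
        return "urelas_dropper_chain" if "c2_port" in rules else "dropper_chain"
    return "none"


# Constructed events mirroring behavioral1 (win7). PIDs come from the memory-dump
# names; which PID is which image, and who spawned whom, is assumed.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe"
BAT = 'cmd /c ""' + T + r'\_vslite.bat" "'
SAMPLE_EVENTS = [
    Event(1, 2948, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    Event(1, 1084, T + r"\lebol.exe", f'"{T}\\lebol.exe"', SAMPLE),
    Event(1, 3001, r"C:\Windows\SysWOW64\cmd.exe", BAT, SAMPLE),
    Event(1, 2660, T + r"\foizqo.exe", f'"{T}\\foizqo.exe" OK', T + r"\lebol.exe"),
    Event(1, 1956, T + r"\wiuzh.exe", f'"{T}\\wiuzh.exe"', T + r"\lebol.exe"),
    Event(1, 3002, r"C:\Windows\SysWOW64\cmd.exe", BAT, T + r"\lebol.exe"),
    Event(3, 1084, T + r"\lebol.exe", dst="218.54.31.226:11110", proto="tcp"),
    Event(3, 1084, T + r"\lebol.exe", dst="1.234.83.146:11170", proto="tcp"),
    Event(3, 1084, T + r"\lebol.exe", dst="218.54.31.165:11110", proto="tcp"),
    Event(3, 1084, T + r"\lebol.exe", dst="133.242.129.155:11110", proto="tcp"),
]
# Constructed benign activity: an installer in %TEMP% is not enough on its own.
BENIGN_EVENTS = [
    Event(1, 500, T + r"\setup.exe", f'"{T}\\setup.exe"', r"C:\Windows\explorer.exe"),
    Event(1, 501, r"C:\Windows\System32\cmd.exe",
          'cmd /c "C:\\Program Files\\App\\post.bat"', T + r"\setup.exe"),
    Event(3, 500, T + r"\setup.exe", dst="93.184.216.34:443", proto="tcp"),
]

if __name__ == "__main__":
    for finding in find_dropper_chain(SAMPLE_EVENTS):
        print(finding)
    print(verdict(SAMPLE_EVENTS), verdict(BENIGN_EVENTS))
```

The same rules fire on the win10 run because the batch command line only changes its prefix (`C:\Windows\system32\cmd.exe /c` instead of `cmd /c`) and the drop directory and C2 ports are unchanged. Port-based rules are the most brittle part; keep the process-tree rules as the core of the detection.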
Files
memory/2948-0-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lebol.exe
| MD5 | 20babdd60614e7c96d935a7922055b26 |
| SHA1 | 0d3ece83f6917c1da86540f79f4ff4a4dc7d7096 |
| SHA256 | 5e8b7ccd1cf85b55cd0a2e34b93afce04fbb1109134ff0a133d9dee555077744 |
| SHA512 | bf0f47e1db49ad0c9b8caa6d4c1061acae489f7b835b3a2b433ecd9a9a6b86f442dae6ec3b41a58ad0ed9d72c21ceaa0e822445655acfe26bff5e437e579896f |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 2c36b8dd09dd33992afa62987f881dd2 |
| SHA1 | 0866e4ce15c59fca4f96bd660252bfe16449a9f5 |
| SHA256 | 426c3eb9220b8a4e0d42094e935b64af0ddc4d6f787c8b78ecf610a850fcfad7 |
| SHA512 | 934d3e9f679b04bf243a02761d4840a60c60e4845cdaca4a3f838ab5fbf7585519dd101ea41cc2c6331a1790615601cdc44f68b851ea5c89279631419c49cef8 |
memory/2948-14-0x0000000002700000-0x0000000002758000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 142d5d4b72df088b75cc28f2bdfc670e |
| SHA1 | cf95bd7895d4c853991fb115a831307cdadd342e |
| SHA256 | 203d394d51761a1aa2a89853023dcd11af498bee43ccc5d3e0c713d5b1d78da4 |
| SHA512 | 6ec7ee2fa816ea60867e34722c9f819f90cc0eb277547abdefbdd290c88d6fdc2c2d84955d6d39758691e95f5802ff13a7c2ee2e1208ed08540520df7547ba7b |
memory/1084-21-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2948-20-0x0000000002700000-0x0000000002758000-memory.dmp
memory/2948-25-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1084-33-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2660-36-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1956-49-0x00000000013C0000-0x000000000144C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 769c90ac64e32248f9896757adbde0b2 |
| SHA1 | 6054f9c1d5838f80ab0c188ef13f579c36f8e9bc |
| SHA256 | 0d8cfa374dcf8e6fcbcf7ab07b5a2eaf83ccdef3e5728ccda79e528b6b88b9ed |
| SHA512 | 52ebbd9b40b12a6d5086d2f91ad2079c14b607b844998a38cab19e991d86acbb9a52abb6b450b34a676db46d0664c468b7bff583f626042f36e704cbc29165aa |
memory/1956-48-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-47-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-46-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/2660-45-0x0000000003B10000-0x0000000003B9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wiuzh.exe
| MD5 | 143ddf9ae20ad0bd4f3e057148ee53d1 |
| SHA1 | 3176eed70a66eb3f6c6e8f637bd10460e7c054b4 |
| SHA256 | 60999b47356338cd66a58bb62ba3097a295ae74419deea7f11fb7070bf23bad9 |
| SHA512 | 91df39e40412d7cb01b4ebf0c4d3a7012af997696cb078694fec0ede45490df2e018c6094139c443b2ae5df74f9d9d761d85e05808d1294bacadbf1d8b60a95e |
memory/2660-59-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1956-60-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-61-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-62-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-63-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-64-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-65-0x00000000013C0000-0x000000000144C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 18:48
Reported
2024-10-10 18:51
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sukiq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\jubony.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sukiq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jubony.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zywey.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jubony.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zywey.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sukiq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe
"C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe"
C:\Users\Admin\AppData\Local\Temp\sukiq.exe
"C:\Users\Admin\AppData\Local\Temp\sukiq.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\jubony.exe
"C:\Users\Admin\AppData\Local\Temp\jubony.exe" OK
C:\Users\Admin\AppData\Local\Temp\zywey.exe
"C:\Users\Admin\AppData\Local\Temp\zywey.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/4804-0-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sukiq.exe
| MD5 | f518da769bf1655d22577a418d9cced3 |
| SHA1 | ab9d8c3b21621d20a1d0fed047b35c5fce9281ac |
| SHA256 | 78a26588eb4da4bf5f98d4efc741fa23f1bd4f887af1681cb767558cee3d64c0 |
| SHA512 | 4a1f87240149bbba0d1d483934804aea0d4d6ce6e03fc32cd426b492882e06bc49dd851ae1157a9aba8079a626605e4c1d40c7a927bd9f2cfc01d9101b0752b0 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 71329856387a7e3e5bf079a267668d08 |
| SHA1 | 4c7cad90fce1d53104d0723e0f8b8c932ce463de |
| SHA256 | 5ab0f933259a04fa69cd838d2534bcbdb1494f1f1f707606d64050c6271bb46e |
| SHA512 | 2f7e0d7c60cdf87cfec15da89654cb0a05e1503dae5cd3ffbfe9a0336c7ced1757e0aec5ea142d4ed794ed444e0954b0dcd3418af64e29135df2c06ee91280ed |
memory/4804-15-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 2c36b8dd09dd33992afa62987f881dd2 |
| SHA1 | 0866e4ce15c59fca4f96bd660252bfe16449a9f5 |
| SHA256 | 426c3eb9220b8a4e0d42094e935b64af0ddc4d6f787c8b78ecf610a850fcfad7 |
| SHA512 | 934d3e9f679b04bf243a02761d4840a60c60e4845cdaca4a3f838ab5fbf7585519dd101ea41cc2c6331a1790615601cdc44f68b851ea5c89279631419c49cef8 |
memory/372-24-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3628-25-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zywey.exe
| MD5 | 8608d90fb59fb33e5abb59c9667aa7c6 |
| SHA1 | 1fc1f794f9290247ee8efdc34d9fd905ca276d34 |
| SHA256 | 496f403b2a4f2d6b001be402deb7244703f8f180858ae48ef5292a09a37f41cb |
| SHA512 | 12b7e8ecca3db09ae24973a1c5287ff66eedafc2e85b3d4ecf8c29f12d81c94a2155968b9c9beaa4191d911473f85c0542e1ddec213a8328a77368e729249059 |
memory/2772-39-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-40-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-38-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-37-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/3628-42-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 5f62d002069653f5569714a4037e2be5 |
| SHA1 | 0edf60be825f137dee1366d2cac3c5fc5f78fd99 |
| SHA256 | 6bd52e7a502d90af27f0d6af4440fba25b6f327b1cbdaa0bcba505519b7a7cf1 |
| SHA512 | 878f30adb9b8f910d94e54b381fc738affb503b79577f8a5d7b80562c92f88341825009d93d7a13adfb25d64994c977ede3f14c7cae96fa28b8b1266086f6047 |
memory/2772-44-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-45-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-46-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-47-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-48-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-49-0x00000000009B0000-0x0000000000A3C000-memory.dmp