Malware Analysis Report

2024-11-16 13:25

Sample ID 241010-xf1ezs1dkb
Target 4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N
SHA256 4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823
Tags urelas aspackv2 discovery trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823

Threat Level: Known bad

The file 4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N was found to be: Known bad.

Malicious Activity Summary

Tags urelas aspackv2 discovery trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

ASPack v2.12-2.42

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 18:48

Signatures

Urelas family (urelas)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 18:48

Reported

2024-10-10 18:51

Platform

win7-20240903-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe"

Signatures

Urelas (trojan urelas)

ASPack v2.12-2.42 (aspackv2)

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lebol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\foizqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wiuzh.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lebol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\foizqo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wiuzh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wiuzh.exe N/A
(the same entry is recorded 62 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe C:\Users\Admin\AppData\Local\Temp\lebol.exe
PID 2948 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\lebol.exe C:\Users\Admin\AppData\Local\Temp\foizqo.exe
PID 2660 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\foizqo.exe C:\Users\Admin\AppData\Local\Temp\wiuzh.exe
PID 2660 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\foizqo.exe C:\Windows\SysWOW64\cmd.exe
(each entry is recorded 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe

"C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe"

C:\Users\Admin\AppData\Local\Temp\lebol.exe

"C:\Users\Admin\AppData\Local\Temp\lebol.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\foizqo.exe

"C:\Users\Admin\AppData\Local\Temp\foizqo.exe" OK

C:\Users\Admin\AppData\Local\Temp\wiuzh.exe

"C:\Users\Admin\AppData\Local\Temp\wiuzh.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 - tcp
KR 1.234.83.146:11170 - tcp
KR 218.54.31.165:11110 - tcp
JP 133.242.129.155:11110 - tcp

Files

memory/2948-0-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lebol.exe

MD5 20babdd60614e7c96d935a7922055b26
SHA1 0d3ece83f6917c1da86540f79f4ff4a4dc7d7096
SHA256 5e8b7ccd1cf85b55cd0a2e34b93afce04fbb1109134ff0a133d9dee555077744
SHA512 bf0f47e1db49ad0c9b8caa6d4c1061acae489f7b835b3a2b433ecd9a9a6b86f442dae6ec3b41a58ad0ed9d72c21ceaa0e822445655acfe26bff5e437e579896f

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 2c36b8dd09dd33992afa62987f881dd2
SHA1 0866e4ce15c59fca4f96bd660252bfe16449a9f5
SHA256 426c3eb9220b8a4e0d42094e935b64af0ddc4d6f787c8b78ecf610a850fcfad7
SHA512 934d3e9f679b04bf243a02761d4840a60c60e4845cdaca4a3f838ab5fbf7585519dd101ea41cc2c6331a1790615601cdc44f68b851ea5c89279631419c49cef8

memory/2948-14-0x0000000002700000-0x0000000002758000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 142d5d4b72df088b75cc28f2bdfc670e
SHA1 cf95bd7895d4c853991fb115a831307cdadd342e
SHA256 203d394d51761a1aa2a89853023dcd11af498bee43ccc5d3e0c713d5b1d78da4
SHA512 6ec7ee2fa816ea60867e34722c9f819f90cc0eb277547abdefbdd290c88d6fdc2c2d84955d6d39758691e95f5802ff13a7c2ee2e1208ed08540520df7547ba7b

memory/1084-21-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2948-20-0x0000000002700000-0x0000000002758000-memory.dmp
memory/2948-25-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1084-33-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2660-36-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1956-49-0x00000000013C0000-0x000000000144C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 769c90ac64e32248f9896757adbde0b2
SHA1 6054f9c1d5838f80ab0c188ef13f579c36f8e9bc
SHA256 0d8cfa374dcf8e6fcbcf7ab07b5a2eaf83ccdef3e5728ccda79e528b6b88b9ed
SHA512 52ebbd9b40b12a6d5086d2f91ad2079c14b607b844998a38cab19e991d86acbb9a52abb6b450b34a676db46d0664c468b7bff583f626042f36e704cbc29165aa

memory/1956-48-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-47-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-46-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/2660-45-0x0000000003B10000-0x0000000003B9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wiuzh.exe

MD5 143ddf9ae20ad0bd4f3e057148ee53d1
SHA1 3176eed70a66eb3f6c6e8f637bd10460e7c054b4
SHA256 60999b47356338cd66a58bb62ba3097a295ae74419deea7f11fb7070bf23bad9
SHA512 91df39e40412d7cb01b4ebf0c4d3a7012af997696cb078694fec0ede45490df2e018c6094139c443b2ae5df74f9d9d761d85e05808d1294bacadbf1d8b60a95e

memory/2660-59-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1956-60-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-61-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-62-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-63-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-64-0x00000000013C0000-0x000000000144C000-memory.dmp
memory/1956-65-0x00000000013C0000-0x000000000144C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 18:48

Reported

2024-10-10 18:51

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe"

Signatures

Urelas (trojan urelas)

ASPack v2.12-2.42 (aspackv2)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sukiq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\jubony.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sukiq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jubony.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zywey.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jubony.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zywey.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sukiq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zywey.exe N/A
(the same entry is recorded 64 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe C:\Users\Admin\AppData\Local\Temp\sukiq.exe
PID 4804 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe C:\Windows\SysWOW64\cmd.exe
PID 372 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\sukiq.exe C:\Users\Admin\AppData\Local\Temp\jubony.exe
PID 3628 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\jubony.exe C:\Users\Admin\AppData\Local\Temp\zywey.exe
PID 3628 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\jubony.exe C:\Windows\SysWOW64\cmd.exe
(each entry is recorded 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe

"C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe"

C:\Users\Admin\AppData\Local\Temp\sukiq.exe

"C:\Users\Admin\AppData\Local\Temp\sukiq.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\jubony.exe

"C:\Users\Admin\AppData\Local\Temp\jubony.exe" OK

C:\Users\Admin\AppData\Local\Temp\zywey.exe

"C:\Users\Admin\AppData\Local\Temp\zywey.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 - tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
KR 1.234.83.146:11170 - tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
KR 218.54.31.165:11110 - tcp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
JP 133.242.129.155:11110 - tcp

Files

memory/4804-0-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sukiq.exe

MD5 f518da769bf1655d22577a418d9cced3
SHA1 ab9d8c3b21621d20a1d0fed047b35c5fce9281ac
SHA256 78a26588eb4da4bf5f98d4efc741fa23f1bd4f887af1681cb767558cee3d64c0
SHA512 4a1f87240149bbba0d1d483934804aea0d4d6ce6e03fc32cd426b492882e06bc49dd851ae1157a9aba8079a626605e4c1d40c7a927bd9f2cfc01d9101b0752b0

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 71329856387a7e3e5bf079a267668d08
SHA1 4c7cad90fce1d53104d0723e0f8b8c932ce463de
SHA256 5ab0f933259a04fa69cd838d2534bcbdb1494f1f1f707606d64050c6271bb46e
SHA512 2f7e0d7c60cdf87cfec15da89654cb0a05e1503dae5cd3ffbfe9a0336c7ced1757e0aec5ea142d4ed794ed444e0954b0dcd3418af64e29135df2c06ee91280ed

memory/4804-15-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 2c36b8dd09dd33992afa62987f881dd2
SHA1 0866e4ce15c59fca4f96bd660252bfe16449a9f5
SHA256 426c3eb9220b8a4e0d42094e935b64af0ddc4d6f787c8b78ecf610a850fcfad7
SHA512 934d3e9f679b04bf243a02761d4840a60c60e4845cdaca4a3f838ab5fbf7585519dd101ea41cc2c6331a1790615601cdc44f68b851ea5c89279631419c49cef8

memory/372-24-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3628-25-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zywey.exe

MD5 8608d90fb59fb33e5abb59c9667aa7c6
SHA1 1fc1f794f9290247ee8efdc34d9fd905ca276d34
SHA256 496f403b2a4f2d6b001be402deb7244703f8f180858ae48ef5292a09a37f41cb
SHA512 12b7e8ecca3db09ae24973a1c5287ff66eedafc2e85b3d4ecf8c29f12d81c94a2155968b9c9beaa4191d911473f85c0542e1ddec213a8328a77368e729249059

memory/2772-39-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-40-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-38-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-37-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/3628-42-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 5f62d002069653f5569714a4037e2be5
SHA1 0edf60be825f137dee1366d2cac3c5fc5f78fd99
SHA256 6bd52e7a502d90af27f0d6af4440fba25b6f327b1cbdaa0bcba505519b7a7cf1
SHA512 878f30adb9b8f910d94e54b381fc738affb503b79577f8a5d7b80562c92f88341825009d93d7a13adfb25d64994c977ede3f14c7cae96fa28b8b1266086f6047

memory/2772-44-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-45-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-46-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-47-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-48-0x00000000009B0000-0x0000000000A3C000-memory.dmp
memory/2772-49-0x00000000009B0000-0x0000000000A3C000-memory.dmp