Analysis Overview
SHA256
220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38
Threat Level: Known bad
The file 220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Deletes itself
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 18:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 18:47
Reported
2024-10-10 18:49
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ikabx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lyyzz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ikabx.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ikabx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lyyzz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe
"C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe"
C:\Users\Admin\AppData\Local\Temp\ikabx.exe
"C:\Users\Admin\AppData\Local\Temp\ikabx.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\lyyzz.exe
"C:\Users\Admin\AppData\Local\Temp\lyyzz.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2428-0-0x0000000000860000-0x00000000008E1000-memory.dmp
memory/2428-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\ikabx.exe
| MD5 | 18cca1a3ee4d96926f47d4384aefd4b5 |
| SHA1 | 15d7e005b968cac9fd4700a447c9b0a6f611eda2 |
| SHA256 | ccc3068323be2ca747b2577df6b47c57f221c73f45513d75d0832ee749caaa46 |
| SHA512 | 5af09616bccbb5b86816a6d33098f4f4f9939438216dd9fbfdaff87d450501bc21b0db89ef313bb40b7a645c892541eb2fd85ea27d07383c2099275cee7276ba |
memory/2968-11-0x0000000000250000-0x00000000002D1000-memory.dmp
memory/2428-10-0x0000000002110000-0x0000000002191000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 04ae8575358a6e4753354a75af0a0fd3 |
| SHA1 | cc3b14399a325bc0233b67452320a3a7d2f12be8 |
| SHA256 | fffdefb01b6fc9f80338d08019baa05904673878f275ff8f6665d474c178c531 |
| SHA512 | fb5ddecc23f9c010c5df56c8c3f385b5f0f75aa61c045fb2519c85576e37f354b468202e8bb253812bb4cb72f6dad56141b167124afa66e42fea110787cbd1ad |
memory/2968-13-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2428-21-0x0000000000860000-0x00000000008E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | c799eb58e645cb0000bafd6aa3594df0 |
| SHA1 | a27977836aae9bb009bfbe0f3d0a79ba5061cf57 |
| SHA256 | b57ce28fdae64dd2588a4579db5994701f10827da87f05e365374bfae04a7274 |
| SHA512 | 5d653caced5c61cb05dc5e62038d261d566bdaa385c973742d558bf674692d91461699a0a4a4be0c52edd0fc6dbc7a34eb30a9583c2f6cdd19aa9b6eb2506214 |
memory/2968-25-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2968-24-0x0000000000250000-0x00000000002D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\lyyzz.exe
| MD5 | a407694198037f88c4b5bbb71f3ca2e1 |
| SHA1 | ba58e246d9d4527d33586b74f469015afe1f97dc |
| SHA256 | 93fa2e924788720c2fe2bdab23737d8ff4955743fe70f74562ea2c64568e1d96 |
| SHA512 | 173e9f00c00d1bbfec90c2f3aa7df5e848a8a5c2f9b96a1d8116f4134cb0b7248767668131f6f8ea2108a84a37cfe63913200572728b94f538d8eb957f354a0a |
memory/2008-43-0x0000000001190000-0x0000000001229000-memory.dmp
memory/2968-41-0x0000000004300000-0x0000000004399000-memory.dmp
memory/2968-40-0x0000000000250000-0x00000000002D1000-memory.dmp
memory/2008-44-0x0000000001190000-0x0000000001229000-memory.dmp
memory/2008-48-0x0000000001190000-0x0000000001229000-memory.dmp
memory/2008-49-0x0000000001190000-0x0000000001229000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 18:47
Reported
2024-10-10 18:49
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\niwob.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\niwob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sehen.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sehen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\niwob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe
"C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe"
C:\Users\Admin\AppData\Local\Temp\niwob.exe
"C:\Users\Admin\AppData\Local\Temp\niwob.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\sehen.exe
"C:\Users\Admin\AppData\Local\Temp\sehen.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/1080-0-0x0000000000CE0000-0x0000000000D61000-memory.dmp
memory/1080-1-0x00000000005D0000-0x00000000005D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\niwob.exe
| MD5 | 2bda985fd9a2505eba224c39d14ef0c8 |
| SHA1 | e61ef08d3e9824fcecb3f489ba859e65441d0ef1 |
| SHA256 | 45524875a30e54dbee826f5715561e3d45249e92665624d38d4a34b6f50121ce |
| SHA512 | 1602ba5f71bcc64d9aa06eddd0fc8318943530a60fd21bac11d9ebaaa0100c3133673587a97c5d4f8439d3aad75a29f34e3171767700b69e7461f6afac208aba |
memory/4280-13-0x00000000007D0000-0x00000000007D1000-memory.dmp
memory/4280-12-0x0000000000030000-0x00000000000B1000-memory.dmp
memory/1080-16-0x0000000000CE0000-0x0000000000D61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 04ae8575358a6e4753354a75af0a0fd3 |
| SHA1 | cc3b14399a325bc0233b67452320a3a7d2f12be8 |
| SHA256 | fffdefb01b6fc9f80338d08019baa05904673878f275ff8f6665d474c178c531 |
| SHA512 | fb5ddecc23f9c010c5df56c8c3f385b5f0f75aa61c045fb2519c85576e37f354b468202e8bb253812bb4cb72f6dad56141b167124afa66e42fea110787cbd1ad |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f2be5151ba7cd6593e4dd7f26b4bceee |
| SHA1 | b0e8b5f883866fb282d83abd3ea9aa88ff307b35 |
| SHA256 | c44a6a4fa9d4b31c5c3b259b4f00f25377e59d7263d3c238c914b05a219114e1 |
| SHA512 | 47674c88e65421d0adaa0a54ef948eeaeba6fab38ef9c9f662f28f157229ad5bb319f8ac739601ef6388431dc68fab036fc1314f9f03276c122612a39aafdf5b |
memory/4280-19-0x0000000000030000-0x00000000000B1000-memory.dmp
memory/4280-20-0x00000000007D0000-0x00000000007D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sehen.exe
| MD5 | fcde2c249eb81015c6eebee1be32843e |
| SHA1 | 57d04c61d49927dbfbda64f4493b40315f92b66b |
| SHA256 | 1cdd5b5f789bbe5cddd7260c3610416e43bda97346ec7ba5f6eb3a386226fe95 |
| SHA512 | ea4992ec943f68f3f8b76e5bcc891ec769cdfc2b5bd9af856aff85fc5286116dafc9ab47e6199005d0d16a458b189dad7a484e40bee02723d13ee1a554419eb0 |
memory/4268-38-0x0000000000780000-0x0000000000782000-memory.dmp
memory/4268-37-0x00000000005B0000-0x0000000000649000-memory.dmp
memory/4280-43-0x0000000000030000-0x00000000000B1000-memory.dmp
memory/4268-39-0x00000000005B0000-0x0000000000649000-memory.dmp
memory/4268-46-0x0000000000780000-0x0000000000782000-memory.dmp
memory/4268-45-0x00000000005B0000-0x0000000000649000-memory.dmp
memory/4268-47-0x00000000005B0000-0x0000000000649000-memory.dmp