Analysis Overview
SHA256
220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38
Threat Level: Known bad
The file 220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 18:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 18:50
Reported
2024-10-10 18:52
Platform
win7-20240903-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nefux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\obexv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nefux.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nefux.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\obexv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe
"C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe"
C:\Users\Admin\AppData\Local\Temp\nefux.exe
"C:\Users\Admin\AppData\Local\Temp\nefux.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\obexv.exe
"C:\Users\Admin\AppData\Local\Temp\obexv.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2996-0-0x00000000003A0000-0x0000000000421000-memory.dmp
memory/2996-1-0x00000000772E0000-0x0000000077489000-memory.dmp
memory/2996-19-0x0000000001D70000-0x0000000001DF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 04ae8575358a6e4753354a75af0a0fd3 |
| SHA1 | cc3b14399a325bc0233b67452320a3a7d2f12be8 |
| SHA256 | fffdefb01b6fc9f80338d08019baa05904673878f275ff8f6665d474c178c531 |
| SHA512 | fb5ddecc23f9c010c5df56c8c3f385b5f0f75aa61c045fb2519c85576e37f354b468202e8bb253812bb4cb72f6dad56141b167124afa66e42fea110787cbd1ad |
memory/2748-20-0x0000000001130000-0x00000000011B1000-memory.dmp
\Users\Admin\AppData\Local\Temp\nefux.exe
| MD5 | a9371eaef0f6941714ef8d734316fa48 |
| SHA1 | 57f6c9422e3d50e0722a19710554048c404794bd |
| SHA256 | 6d4ff5f1b061caf8286673fd0192f9e592815b728b133c3ce5a1c6d82d54268e |
| SHA512 | d563aa05d2bcab1abcde5f7de59817673e5bd3d7db019e8d42fdc2beab1bce41ecea3a15210be7f8cccf0290d16778639672f36941f247ce30d90eef9e9a77e2 |
memory/2996-18-0x00000000003A0000-0x0000000000421000-memory.dmp
memory/2748-21-0x00000000772E0000-0x0000000077489000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0a63c7fe9a494919c7c7fc20ead3c62d |
| SHA1 | 71880be862c80342f41b72af62243f7188d0b78b |
| SHA256 | 48f9ea0bcf4022525c91c979fe32040503a7f87c8fd9511279ee519a613f49dd |
| SHA512 | 3db54e49414faab9c7cdfda4425457863afe7c841fd45662d98b47377e4686bc7d0960fefb7f737103217a62c02d3da824e51fe7217cb233ae711b05ea7d86ab |
memory/2748-24-0x0000000001130000-0x00000000011B1000-memory.dmp
memory/2996-32-0x0000000001D70000-0x0000000001DF1000-memory.dmp
memory/2748-40-0x00000000032C0000-0x0000000003359000-memory.dmp
\Users\Admin\AppData\Local\Temp\obexv.exe
| MD5 | bf6dcdb6a2c9784f5db5d3fb302a102f |
| SHA1 | a0b3cb1fd5195e8087877e1f852d65ce12acf7b3 |
| SHA256 | 99e33b1616c09c8b4b9de64de771ad7ec893f94f6ebc86a2564ec197a9abf508 |
| SHA512 | 72f337bce8981754c703e4434d84305627a67824c92486936d0840ebee4c6b18799060ef58bdc972fa82765b96711463b6f85a02102c4228d45dbf2d09e9f9da |
memory/1044-43-0x0000000000E70000-0x0000000000F09000-memory.dmp
memory/1044-46-0x0000000000E70000-0x0000000000F09000-memory.dmp
memory/2748-42-0x0000000001130000-0x00000000011B1000-memory.dmp
memory/1044-48-0x0000000000E70000-0x0000000000F09000-memory.dmp
memory/1044-49-0x0000000000E70000-0x0000000000F09000-memory.dmp
memory/1044-50-0x0000000000E70000-0x0000000000F09000-memory.dmp
memory/1044-51-0x0000000000E70000-0x0000000000F09000-memory.dmp
memory/1044-52-0x0000000000E70000-0x0000000000F09000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 18:50
Reported
2024-10-10 18:52
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vywer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vywer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ryriz.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vywer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ryriz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe
"C:\Users\Admin\AppData\Local\Temp\220bfaba60f72f0ae171a3e1f2964d8c9fdb6f8403f327bf8d1dc1ae68617c38N.exe"
C:\Users\Admin\AppData\Local\Temp\vywer.exe
"C:\Users\Admin\AppData\Local\Temp\vywer.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ryriz.exe
"C:\Users\Admin\AppData\Local\Temp\ryriz.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/2880-0-0x0000000000FF0000-0x0000000001071000-memory.dmp
memory/2880-1-0x0000000000800000-0x0000000000801000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vywer.exe
| MD5 | b02b2e16444e621e60c7a2ff1dd8a476 |
| SHA1 | 2db8b8c742afd557bae098bb9f60bb81bc42b5c1 |
| SHA256 | d1e080789faa8ea1d6bc79eb96de610aa656565ace866a8cc433181e6b7006df |
| SHA512 | 059fc0a4aeedde953c89c621c6fea6a7d2655862a398ccfa770b952fd1ff6a632c8963af263ed0642809a9fc56186a82caf19af0c38a5bbb171094e24a96eca1 |
memory/2880-17-0x0000000000FF0000-0x0000000001071000-memory.dmp
memory/3296-14-0x00000000009E0000-0x00000000009E1000-memory.dmp
memory/3296-11-0x00000000001D0000-0x0000000000251000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 04ae8575358a6e4753354a75af0a0fd3 |
| SHA1 | cc3b14399a325bc0233b67452320a3a7d2f12be8 |
| SHA256 | fffdefb01b6fc9f80338d08019baa05904673878f275ff8f6665d474c178c531 |
| SHA512 | fb5ddecc23f9c010c5df56c8c3f385b5f0f75aa61c045fb2519c85576e37f354b468202e8bb253812bb4cb72f6dad56141b167124afa66e42fea110787cbd1ad |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1a7df8e7e1d7b32831043b714776a4b7 |
| SHA1 | ebd2443ca5ad0833cbcf7e700d372e56af0c061c |
| SHA256 | 5f0f6dd0be3940b10a1f12a77a47e51ebb446c4bfb9dc888ea757e5e7ca8e23a |
| SHA512 | f3f9d72f347d84dd8759d6f17fc9da0ef222f48cb310de045a8c07bc976136fcbe51ed9c86ae7ae3207d9e25d7d182cd0c895a1a08f9f425dac5ada2cdec4131 |
memory/3296-20-0x00000000001D0000-0x0000000000251000-memory.dmp
memory/3296-21-0x00000000009E0000-0x00000000009E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ryriz.exe
| MD5 | 9e1af3897586a6d26b090d10bba4b713 |
| SHA1 | b0bde7ee54d5a240cc398fb29dcbfcbfea31f87c |
| SHA256 | e8a16db74dadd7c5b6c4155ac2722e0127c2e6365d607765ee1ac6f7fca1b951 |
| SHA512 | bc96e2c93ee5dede9a2fac03644792deba456d288a7d707deb866ff8541beac452fd95d5dd64f6a089d88ca730edde81d489a9e038b80555e07a3c0412189f63 |
memory/4696-39-0x0000000000C80000-0x0000000000C82000-memory.dmp
memory/4696-40-0x0000000000D20000-0x0000000000DB9000-memory.dmp
memory/3296-44-0x00000000001D0000-0x0000000000251000-memory.dmp
memory/4696-38-0x0000000000D20000-0x0000000000DB9000-memory.dmp
memory/4696-47-0x0000000000C80000-0x0000000000C82000-memory.dmp
memory/4696-46-0x0000000000D20000-0x0000000000DB9000-memory.dmp
memory/4696-48-0x0000000000D20000-0x0000000000DB9000-memory.dmp
memory/4696-49-0x0000000000D20000-0x0000000000DB9000-memory.dmp
memory/4696-50-0x0000000000D20000-0x0000000000DB9000-memory.dmp
memory/4696-51-0x0000000000D20000-0x0000000000DB9000-memory.dmp