Analysis Overview
SHA256
0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4
Threat Level: Known bad
The file 0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 19:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 19:16
Reported
2024-10-10 19:18
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\boebo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nuper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\boebo.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\boebo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nuper.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | "C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe" |
| C:\Users\Admin\AppData\Local\Temp\boebo.exe | "C:\Users\Admin\AppData\Local\Temp\boebo.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" " |
| C:\Users\Admin\AppData\Local\Temp\nuper.exe | "C:\Users\Admin\AppData\Local\Temp\nuper.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2876-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2876-0-0x0000000000F70000-0x0000000000FF1000-memory.dmp
\Users\Admin\AppData\Local\Temp\boebo.exe
| MD5 | b2ba9fe514b8d030f2e76d6347143fb5 |
| SHA1 | 82204fd2764870e3827b433bc515c91827ee625d |
| SHA256 | 1871057682919a9a2733b27adec972c77f8fd9469dd05f8176c85fa113ce6ca6 |
| SHA512 | ee3402365675da4ad256baab37c8e4a6c39a14ad98cd223de72e9b67e90d05c013d334f025794ddfbd6bcf84b32da60fe412c90b3b054badce0fc9a79edd6284 |
memory/2268-13-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2268-12-0x0000000001130000-0x00000000011B1000-memory.dmp
memory/2876-9-0x0000000002770000-0x00000000027F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 6240009bc9ebfcb32460db20e454f77e |
| SHA1 | b78826380d8ae52fc82a4fbe9d0d0705c738815b |
| SHA256 | ec00de87dfc982119d3fac3d11337d6526bec753da616cb15e1ae474d9e20edd |
| SHA512 | d96bd9a8383ffdefd1f872ec7893cc61325afdf1d5ddc26ec4210cdff5c293aeac6ba568e7d9bd2be668bbd3370fade929056a53b02c5b152a4c0fe63d8da58b |
memory/2876-21-0x0000000000F70000-0x0000000000FF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 2e6df454c8bd66381290884da2bca994 |
| SHA1 | ca79d92626cb4af91fd974f2c89d82b47618f8eb |
| SHA256 | 2947fafe3445797cea3b38d68a51c435d5ebac3cd859e25b26fbe38c2f36ddf2 |
| SHA512 | 8b26f42dc5f3c77dfbc3de2d93bff3ba00813578259144b04c39e04d7191eddbb6c1e78b45bdb9146b9ba3e0f9682058827c2343cac3aabfa324bbe817ae3b92 |
memory/2268-24-0x0000000001130000-0x00000000011B1000-memory.dmp
memory/2268-39-0x0000000003840000-0x00000000038D9000-memory.dmp
\Users\Admin\AppData\Local\Temp\nuper.exe
| MD5 | c4167d509973d91022714d87f50e3afd |
| SHA1 | 8dbdc3f022b2d15dfc6729f8e977867674b8c14e |
| SHA256 | ec50d21a9e71e6d9bba991498950f66a45bc55312aa3bb23d95ac7fa3aa4b476 |
| SHA512 | 2b4ae27e0c3653f66e6a5d52a364200b1bd1e262e800da09f3c185a81c8ddd7072ef118bfe18a21354d4520d1c51621330a8f3e068e22fdbda96f6b2a9f85c84 |
memory/2556-45-0x0000000000D50000-0x0000000000DE9000-memory.dmp
memory/2556-42-0x0000000000D50000-0x0000000000DE9000-memory.dmp
memory/2268-41-0x0000000001130000-0x00000000011B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\boebo.exe
| MD5 | 549de14c27cefdd1dfe294bb34879eb3 |
| SHA1 | 9ba112b71727ceb9de3c9629e19e76c3a8217bd2 |
| SHA256 | 30e5dd34c8465d5834edcfe7d837d4a57fb145df6d58e461f97a04f887531824 |
| SHA512 | 7d78e25bd7ca210371c367e55373cdf96483c2b635ab09012538cff2e0a9ac415a8e8fa6c169a088b25e1d816aec871b11653b2c9e3a0fe27d2b08d6ede0dd35 |
memory/2556-48-0x0000000000D50000-0x0000000000DE9000-memory.dmp
memory/2556-49-0x0000000000D50000-0x0000000000DE9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 19:16
Reported
2024-10-10 19:18
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tobir.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tobir.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\patyp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tobir.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\patyp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | "C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe" |
| C:\Users\Admin\AppData\Local\Temp\tobir.exe | "C:\Users\Admin\AppData\Local\Temp\tobir.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" " |
| C:\Users\Admin\AppData\Local\Temp\patyp.exe | "C:\Users\Admin\AppData\Local\Temp\patyp.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/1932-0-0x0000000000B70000-0x0000000000BF1000-memory.dmp
memory/1932-1-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tobir.exe
| MD5 | 8f1e98d34e413c84c7eba2df52c047a2 |
| SHA1 | bc48590844f1b0405cbd5b0f2bea8b58237e9747 |
| SHA256 | 07106896a81f6c3f1f369dc94a03aede2fb29c851df15f5ebd5e0a2aececb4b9 |
| SHA512 | d0c193f605a5a171a9a9f83db9fafd7bb3a27b228cc4d031e2689092d88e63797e827a99402d447ebc848f4eafeba5e1894d55582de8b345ce97b08ffaad8e69 |
memory/3624-11-0x00000000004E0000-0x0000000000561000-memory.dmp
memory/3624-14-0x0000000000440000-0x0000000000441000-memory.dmp
memory/1932-17-0x0000000000B70000-0x0000000000BF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 6240009bc9ebfcb32460db20e454f77e |
| SHA1 | b78826380d8ae52fc82a4fbe9d0d0705c738815b |
| SHA256 | ec00de87dfc982119d3fac3d11337d6526bec753da616cb15e1ae474d9e20edd |
| SHA512 | d96bd9a8383ffdefd1f872ec7893cc61325afdf1d5ddc26ec4210cdff5c293aeac6ba568e7d9bd2be668bbd3370fade929056a53b02c5b152a4c0fe63d8da58b |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a838e1c38b7a90e0b89df9f8bb9315ed |
| SHA1 | cb8d04abb905c7c26b6bd9ba55a0fa27b49fa180 |
| SHA256 | 48cbd50c501c89fe2ae5990f5962a10166825e7290d1b52bad38476c69c588a0 |
| SHA512 | 59fb5efc07b602e77e235263a311e86199e79db99f754fa8f1b1134a193d4290bc0119d9e24fa4dcf60b055b59bae875d7d23ed5eeb43013c9bbd1ab4d7c910d |
memory/3624-21-0x0000000000440000-0x0000000000441000-memory.dmp
memory/3624-20-0x00000000004E0000-0x0000000000561000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\patyp.exe
| MD5 | 452e55d13c389171e16f264478ea89a1 |
| SHA1 | 0ae7938bae5a3bffaa82bfabbb7e2c4da0a0b42a |
| SHA256 | c73d10975dac72fa85a75d31a9005a61ffcbce3b5f1332a933e3ccebd5fc2715 |
| SHA512 | dee749dc4c424f87416ba5d2f3160707c42a7e2e239e60ee7a8ac2ecef0ca14ac21831b36f8d8ee3a42d33196babf2f14eb0353d4737eff24559b735c37e5245 |
memory/3624-41-0x00000000004E0000-0x0000000000561000-memory.dmp
memory/2752-39-0x0000000000800000-0x0000000000802000-memory.dmp
memory/2752-38-0x0000000000760000-0x00000000007F9000-memory.dmp
memory/2752-42-0x0000000000760000-0x00000000007F9000-memory.dmp
memory/2752-47-0x0000000000800000-0x0000000000802000-memory.dmp
memory/2752-46-0x0000000000760000-0x00000000007F9000-memory.dmp
memory/2752-48-0x0000000000760000-0x00000000007F9000-memory.dmp