Analysis Overview
SHA256
24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70
Threat Level: Known bad
The file 24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 20:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 20:31
Reported
2024-10-10 20:33
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tipix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qydip.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tipix.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tipix.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qydip.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe
"C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe"
C:\Users\Admin\AppData\Local\Temp\tipix.exe
"C:\Users\Admin\AppData\Local\Temp\tipix.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\qydip.exe
"C:\Users\Admin\AppData\Local\Temp\qydip.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2052-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2052-0-0x0000000000800000-0x0000000000881000-memory.dmp
\Users\Admin\AppData\Local\Temp\tipix.exe
| MD5 | f0a382fe40733d3c3b01e29074882ea9 |
| SHA1 | 013c42710fa962a90938ca601776d78744b7b229 |
| SHA256 | 0f967363de0cb1ad05dab5df4cd6b34ca5b74121fed0f8e575ff5d0ae6ed586b |
| SHA512 | c547a4ce14acdd6e561dae31f54f7b04433288a076d0f85d88fb943a9350a907c2bf18030156bcf392408242131533ad967c0a0e39d0d529f669be03bc2df924 |
memory/2052-7-0x00000000025A0000-0x0000000002621000-memory.dmp
memory/2296-12-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | a27a922692b7d4485229662ab39e7e74 |
| SHA1 | dfe150c52526d71e825f960b646b0bef0c93338d |
| SHA256 | 5a2a5afcaf74cf2788c9a60a1aa1fefe2e06f587f3648d1d3cc20e5220ceef21 |
| SHA512 | 6e4cb42e3addb318af4d24743ed151e0dc2bcc01440247efdf460e9e080ae233e55b736ad8fc28d02b1078d5fb43a3d9c23a556c3aa5a8cea90fc62ad4c50637 |
memory/2052-20-0x0000000000800000-0x0000000000881000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 01c2ed0d8b9f6ef456c6526546fb1b9c |
| SHA1 | c5471fdd3bb1caba973ce0a782d5927e9962e9fe |
| SHA256 | cba18481ca79c18e53472581fe87f06f9f14c65527f175d110564c1fd065fb79 |
| SHA512 | 03f89c8a0873130cdaea68d4d855797f7e5df1378d07be78f83460cfd908e3b71df8c622a4897bbd9e7c3f675a40ed2ae6ef6b76a5303d757def9b1e06f33fa8 |
memory/2296-23-0x0000000000E00000-0x0000000000E81000-memory.dmp
\Users\Admin\AppData\Local\Temp\qydip.exe
| MD5 | b44fbd668bed28fdfc378816aa99bfd8 |
| SHA1 | af5727507353909261a0d60c434cf363601d4a47 |
| SHA256 | 5e565033a3c4be437f2ea4bfd008cf7075a607528a27ffccb0e231498d411031 |
| SHA512 | c6bfcc6aa38492d9d87522b00505bb7f85b28a0c6f0245709a0d0a19254c6758b9ce23a00d25a97bb466d88b1d3988dc553e00f68e1dac588eaa0842b6d31ca3 |
memory/2584-41-0x0000000000FC0000-0x0000000001059000-memory.dmp
memory/2296-40-0x0000000000E00000-0x0000000000E81000-memory.dmp
memory/2296-37-0x0000000003EE0000-0x0000000003F79000-memory.dmp
memory/2584-42-0x0000000000FC0000-0x0000000001059000-memory.dmp
memory/2584-46-0x0000000000FC0000-0x0000000001059000-memory.dmp
memory/2584-47-0x0000000000FC0000-0x0000000001059000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 20:31
Reported
2024-10-10 20:33
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\inana.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\inana.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buyzq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\inana.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\buyzq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe
"C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe"
C:\Users\Admin\AppData\Local\Temp\inana.exe
"C:\Users\Admin\AppData\Local\Temp\inana.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\buyzq.exe
"C:\Users\Admin\AppData\Local\Temp\buyzq.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/1796-0-0x0000000000C00000-0x0000000000C81000-memory.dmp
memory/1796-1-0x0000000000620000-0x0000000000621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\inana.exe
| MD5 | 774be8e34b0ab81f9c488f045bde1cf4 |
| SHA1 | 30cc1774f7833980cf7e45f537f7af53576c613f |
| SHA256 | d54056f636f8d3c36aa35633b79f1f792863c3a1db7825abbb66ea2026ee5ef5 |
| SHA512 | 3636a1dbc35e604ded7da5a0b74324787c784c23d560034fcd6d274eda0a8aba07d7e44624a84f992d00f12f67c3a3cfcdbd5cd7dcfc9f38387a46352c4ffea5 |
memory/4776-11-0x0000000000D50000-0x0000000000DD1000-memory.dmp
memory/4776-14-0x0000000000170000-0x0000000000171000-memory.dmp
memory/1796-17-0x0000000000C00000-0x0000000000C81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | a27a922692b7d4485229662ab39e7e74 |
| SHA1 | dfe150c52526d71e825f960b646b0bef0c93338d |
| SHA256 | 5a2a5afcaf74cf2788c9a60a1aa1fefe2e06f587f3648d1d3cc20e5220ceef21 |
| SHA512 | 6e4cb42e3addb318af4d24743ed151e0dc2bcc01440247efdf460e9e080ae233e55b736ad8fc28d02b1078d5fb43a3d9c23a556c3aa5a8cea90fc62ad4c50637 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 446dc1747df8267f96e93db0385fc78f |
| SHA1 | cd4acfb1a9ebfd759621d46f9cf2b61ba5fc7ff3 |
| SHA256 | 963edb440b87ef2ebb4a15ba68ced837c32d5f7f3315d5523b70476ab269fc39 |
| SHA512 | a78fc4807c0579ddde2fa02600ae4ac2d1a78b45b29b57155c4a647f46474b3b03ba152f335627c82979e3e792dee5773371d8ce086b29462ec2bc7ae89b9133 |
memory/4776-20-0x0000000000D50000-0x0000000000DD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\buyzq.exe
| MD5 | 841d2d7c1da437160e122febf9985547 |
| SHA1 | 409b060389b475a50b765d35f8fde4b38640fcda |
| SHA256 | b8a1e0213ee68409b1d2f7c2c3d0bc908297de91366b6b6eeec8c693e4d5955a |
| SHA512 | 475fe063d24db245517b03627874ba5f1c31e3283b28e10dd7e7c16980175ad39cc455a4db220b423097dd8e7f81865016643dd74f8b65069264b197de25cc88 |
memory/2576-38-0x0000000000D10000-0x0000000000D12000-memory.dmp
memory/2576-39-0x0000000000DC0000-0x0000000000E59000-memory.dmp
memory/4776-43-0x0000000000D50000-0x0000000000DD1000-memory.dmp
memory/2576-37-0x0000000000DC0000-0x0000000000E59000-memory.dmp
memory/2576-46-0x0000000000D10000-0x0000000000D12000-memory.dmp
memory/2576-45-0x0000000000DC0000-0x0000000000E59000-memory.dmp
memory/2576-47-0x0000000000DC0000-0x0000000000E59000-memory.dmp