Analysis Overview
SHA256
24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70
Threat Level: Known bad
The file 24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 20:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 20:38
Reported
2024-10-10 20:40
Platform
win7-20240708-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xigim.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fakuu.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xigim.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xigim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fakuu.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe
"C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe"
C:\Users\Admin\AppData\Local\Temp\xigim.exe
"C:\Users\Admin\AppData\Local\Temp\xigim.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\fakuu.exe
"C:\Users\Admin\AppData\Local\Temp\fakuu.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2772-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2772-0-0x0000000001270000-0x00000000012F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\xigim.exe
| MD5 | c689ebdf41a1fffb6317c92bcb7d5c92 |
| SHA1 | c319baa46d33d69b5ca6ad78b78b7524efa90b19 |
| SHA256 | 5d00410ff76ab539ef444dd61502b2933d25350a57a5290994f195e9c1560b09 |
| SHA512 | 270a18ca53358ee8af5aab471fff347462a2670a7ac896e4d2d1c9996f019eabcd8d5888c084f0593cf379e0a44430482313f0564b3d734834b86b6b9c76e825 |
memory/2772-7-0x00000000010E0000-0x0000000001161000-memory.dmp
memory/2844-19-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2844-18-0x00000000003E0000-0x0000000000461000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | a27a922692b7d4485229662ab39e7e74 |
| SHA1 | dfe150c52526d71e825f960b646b0bef0c93338d |
| SHA256 | 5a2a5afcaf74cf2788c9a60a1aa1fefe2e06f587f3648d1d3cc20e5220ceef21 |
| SHA512 | 6e4cb42e3addb318af4d24743ed151e0dc2bcc01440247efdf460e9e080ae233e55b736ad8fc28d02b1078d5fb43a3d9c23a556c3aa5a8cea90fc62ad4c50637 |
memory/2772-21-0x0000000001270000-0x00000000012F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9979a5edbadfafdb7b352218c116927e |
| SHA1 | 4f93f8c0683f1edb44d925a47289fe81b73c0cce |
| SHA256 | 67ea5268a8bb874579c42598cef332aa3c9527f93759d240f7e65949df63a4ac |
| SHA512 | b8573602ff106d789ce12ca5ec51d78c27894fd958fe4d4b5121864ceb077e42668e589b0eaf3f84ccca7f927cd2fb7e1294892c6651d186f17040c50a92c2e2 |
memory/2844-24-0x00000000003E0000-0x0000000000461000-memory.dmp
\Users\Admin\AppData\Local\Temp\fakuu.exe
| MD5 | b964f4e35a7492af5c7c42ad5a71c41f |
| SHA1 | 55f5c40b6aeb65972b21370533706b4e7119d231 |
| SHA256 | 8b195e850a580dbd8e20b8bfc9baf1c3cfe19575b296b5df05ad449d5198ef67 |
| SHA512 | b1d6a35214a46c1e915789eb352dfa686d4b83486082429d4b42d4f9d2ccf262489fb6123966cbc8d6b4c3f3a07e66f0f02309b613ca469a1ab3b9812f9d1b4e |
memory/2844-39-0x00000000003E0000-0x0000000000461000-memory.dmp
memory/1740-45-0x00000000003D0000-0x0000000000469000-memory.dmp
memory/1740-42-0x00000000003D0000-0x0000000000469000-memory.dmp
memory/2844-40-0x0000000003320000-0x00000000033B9000-memory.dmp
memory/1740-47-0x00000000003D0000-0x0000000000469000-memory.dmp
memory/1740-48-0x00000000003D0000-0x0000000000469000-memory.dmp
memory/1740-49-0x00000000003D0000-0x0000000000469000-memory.dmp
memory/1740-50-0x00000000003D0000-0x0000000000469000-memory.dmp
memory/1740-51-0x00000000003D0000-0x0000000000469000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 20:38
Reported
2024-10-10 20:40
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
92s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cyfyx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cyfyx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\igobj.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\igobj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cyfyx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe
"C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe"
C:\Users\Admin\AppData\Local\Temp\cyfyx.exe
"C:\Users\Admin\AppData\Local\Temp\cyfyx.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\igobj.exe
"C:\Users\Admin\AppData\Local\Temp\igobj.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/4420-0-0x00000000001F0000-0x0000000000271000-memory.dmp
memory/4420-1-0x00000000003D0000-0x00000000003D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cyfyx.exe
| MD5 | 0cdfa64579de4d57343646d6d9fccce9 |
| SHA1 | 9f18796cfb5fde912158adcbdbd296ed97bd5039 |
| SHA256 | 7ba8e062a1b5f4b0647e5ce44d423c592e47d5edc6c70160d435bc2849a3146b |
| SHA512 | 6e8d23fc11eff28f72d86357cb9e93cefc425d8138c68d74be114004a13f0b1f1a431d82f8050747d9eb4aaca0f1aea727420622338849af06acde25aa6fe92b |
memory/2424-14-0x0000000000D60000-0x0000000000D61000-memory.dmp
memory/2424-11-0x0000000000560000-0x00000000005E1000-memory.dmp
memory/4420-17-0x00000000001F0000-0x0000000000271000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | a27a922692b7d4485229662ab39e7e74 |
| SHA1 | dfe150c52526d71e825f960b646b0bef0c93338d |
| SHA256 | 5a2a5afcaf74cf2788c9a60a1aa1fefe2e06f587f3648d1d3cc20e5220ceef21 |
| SHA512 | 6e4cb42e3addb318af4d24743ed151e0dc2bcc01440247efdf460e9e080ae233e55b736ad8fc28d02b1078d5fb43a3d9c23a556c3aa5a8cea90fc62ad4c50637 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 399a70637a7ea42a3b5a7f83247fccb8 |
| SHA1 | e820369397f6c79322c0999a46530ce710dbd2f6 |
| SHA256 | 26eaeac30045ed1c2f6ec789c8b15948c06331757fb913b39a0e161d8c03a08a |
| SHA512 | a43851948537ac5422b240fcc53967f58c593e7beddde99b4668b49630168e912b62fa521249f565a7f7f9a716740ce995fb90d10e6f133ec4f1c2dfd8b72979 |
memory/2424-20-0x0000000000560000-0x00000000005E1000-memory.dmp
memory/2424-21-0x0000000000D60000-0x0000000000D61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\igobj.exe
| MD5 | 51cdb47157c7dabaf7394d5ef7e452c4 |
| SHA1 | f663ad84d9dee3534b1f62cfaef100369fbc982f |
| SHA256 | 41599b936ff263dc2e707638cb310b341f36db8cbffcd2810430f7445627964d |
| SHA512 | 61c3114ba9f1a3bd4009fd4e007fad2ba15d38de2a3de77fdc92c5baab3f1f6d4e0a44eae082616e084c75d3fc5bfb6fec10695660b96af56ba121faa032ef78 |
memory/436-39-0x0000000001000000-0x0000000001002000-memory.dmp
memory/2424-41-0x0000000000560000-0x00000000005E1000-memory.dmp
memory/436-38-0x00000000007F0000-0x0000000000889000-memory.dmp
memory/436-42-0x00000000007F0000-0x0000000000889000-memory.dmp
memory/436-47-0x0000000001000000-0x0000000001002000-memory.dmp
memory/436-46-0x00000000007F0000-0x0000000000889000-memory.dmp
memory/436-48-0x00000000007F0000-0x0000000000889000-memory.dmp
memory/436-49-0x00000000007F0000-0x0000000000889000-memory.dmp
memory/436-50-0x00000000007F0000-0x0000000000889000-memory.dmp
memory/436-51-0x00000000007F0000-0x0000000000889000-memory.dmp