Analysis Overview
SHA256
4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00
Threat Level: Known bad
The file 4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 00:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 00:52
Reported
2024-10-11 00:54
Platform
win7-20240729-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ypjok.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cojoj.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ypjok.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ypjok.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cojoj.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe
"C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe"
C:\Users\Admin\AppData\Local\Temp\ypjok.exe
"C:\Users\Admin\AppData\Local\Temp\ypjok.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\cojoj.exe
"C:\Users\Admin\AppData\Local\Temp\cojoj.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1740-0-0x0000000000040000-0x00000000000C1000-memory.dmp
memory/1740-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\ypjok.exe
| MD5 | 61efa5b9bcb2ee71638f81404e2b9da0 |
| SHA1 | 812faed39d9fee0aabc6d302dd1a4150c5774b11 |
| SHA256 | 3abbbe265cd0737340a5e7ef753b4e8855f1ad10b2581dd4593626b279a31160 |
| SHA512 | d1c11a4fdee9cad2ef0d02974eebf5223a99547e501009a61df220536fe8210661005fd21dbfe287ac3524bdc7a93fcfbe5f3acc82346b334a4e0fa5e8084807 |
memory/1740-6-0x0000000002410000-0x0000000002491000-memory.dmp
memory/2152-11-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1575c0d839d8f493079f52053e2e63cd |
| SHA1 | 3d418dc24207bbd39d54e2e52f0ea5055864702e |
| SHA256 | 3ab9485ed5cfaadb6cbfbf03fca3c958fb316d96c9edf242a1572e53e23b5774 |
| SHA512 | 264e492cae806433d038bc9c03d75f37bfa904b5526d45e367be0cadb67f468f35e851fd80f02b733951ea85654242f3f5fcd9444415d91d3badc7c59c275272 |
memory/1740-19-0x0000000000040000-0x00000000000C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e451c65416f8ef6f60a843bf5e9a077a |
| SHA1 | 4eb17df22d5e0c1243f27f6a089a0e538a2c89fb |
| SHA256 | 443bc05e656495c4e11c0a07057bbd3f8af583e06b59ee102e73aed3c52fda01 |
| SHA512 | 26888856657d2ab724434d0f031601d89872b3a332bf316b9b3111a0700e5c0342c3d5f6c24d24bce1e0076604a3a5ffffafc24c2de76a900a1facf8e5a32d68 |
memory/2152-23-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2152-22-0x00000000010B0000-0x0000000001131000-memory.dmp
\Users\Admin\AppData\Local\Temp\cojoj.exe
| MD5 | 7fa8764e46edef3db88e75bc320761e8 |
| SHA1 | f3977aafa374784328056a77aa6f252b877e50f6 |
| SHA256 | 866cb624d2bedea50289ba3f324c5d4b5caee6b0c4061a390a829b4a43e8d6a9 |
| SHA512 | f665f903ec218d1134c14a6764a031861f0d9df25129ca3e4187a0103910625004a4c522624c05dd7d965c7f98c187f0ee64e58ca03caff6f35add9d288a2ef2 |
memory/2152-37-0x0000000003630000-0x00000000036C9000-memory.dmp
memory/2152-44-0x00000000010B0000-0x0000000001131000-memory.dmp
memory/1968-42-0x0000000001140000-0x00000000011D9000-memory.dmp
memory/1968-39-0x0000000001140000-0x00000000011D9000-memory.dmp
memory/1968-46-0x0000000001140000-0x00000000011D9000-memory.dmp
memory/1968-47-0x0000000001140000-0x00000000011D9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 00:52
Reported
2024-10-11 00:54
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\jyqof.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jyqof.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nowue.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jyqof.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nowue.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe
"C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe"
C:\Users\Admin\AppData\Local\Temp\jyqof.exe
"C:\Users\Admin\AppData\Local\Temp\jyqof.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\nowue.exe
"C:\Users\Admin\AppData\Local\Temp\nowue.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2300-0-0x0000000000EA0000-0x0000000000F21000-memory.dmp
memory/2300-1-0x00000000001E0000-0x00000000001E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jyqof.exe
| MD5 | c326491d572f0bee5ca4e570a76b55d0 |
| SHA1 | eb79843cb2a2d8cfecad748b8f81edfec2d3ef25 |
| SHA256 | d4ecabb4c7f7214f19f53f8defc2c9235e33d9a6f4b05928e0ba91d534be7e1f |
| SHA512 | 48ebf5b52c80ca9d5d2c625f27d9d9bf8882c5e14ddda399b2505eea797b25a01c36b30f73491a1d385a772433f4a6b30a9f54a3b6fee76b327742290119eab8 |
memory/1796-13-0x0000000000740000-0x0000000000741000-memory.dmp
memory/1796-12-0x0000000000CE0000-0x0000000000D61000-memory.dmp
memory/2300-17-0x0000000000EA0000-0x0000000000F21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 1575c0d839d8f493079f52053e2e63cd |
| SHA1 | 3d418dc24207bbd39d54e2e52f0ea5055864702e |
| SHA256 | 3ab9485ed5cfaadb6cbfbf03fca3c958fb316d96c9edf242a1572e53e23b5774 |
| SHA512 | 264e492cae806433d038bc9c03d75f37bfa904b5526d45e367be0cadb67f468f35e851fd80f02b733951ea85654242f3f5fcd9444415d91d3badc7c59c275272 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ae91de910d4205d6fdc04a63db04c00a |
| SHA1 | acdfc98391b1866cda6acffc4b794e57bd68a2af |
| SHA256 | 9037f86405435262aa434b3422e202669dc0cb93bd68c7a7e207103bc22e9c51 |
| SHA512 | e43c1cb6c1a7ac9659cfa6086bda3c3e746e20e9aaf86511da165951564f141fe32c22df9d8c148c56f4b6ed85cd2132284b414ca8454345b81af636a7186fc0 |
memory/1796-20-0x0000000000CE0000-0x0000000000D61000-memory.dmp
memory/1796-21-0x0000000000740000-0x0000000000741000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nowue.exe
| MD5 | 29d994d67b6a5347e4dd236687c10792 |
| SHA1 | 9ffb2e0d7a651b6427ca0c7737861e035bcfe545 |
| SHA256 | 2c2356064f0e3478e936906e7c34da976ece9984336ee5bca66a783a27c502e0 |
| SHA512 | 0cc047be4a2c05741243eccb89a5db65759258db47968ba77ffe653a667e01acdd14529c951a64b2e7f284ed1882bc31202c9b583202424becb67db3ab92e10f |
memory/1796-41-0x0000000000CE0000-0x0000000000D61000-memory.dmp
memory/1952-39-0x0000000000FB0000-0x0000000000FB2000-memory.dmp
memory/1952-38-0x00000000008C0000-0x0000000000959000-memory.dmp
memory/1952-42-0x00000000008C0000-0x0000000000959000-memory.dmp
memory/1952-47-0x0000000000FB0000-0x0000000000FB2000-memory.dmp
memory/1952-46-0x00000000008C0000-0x0000000000959000-memory.dmp
memory/1952-48-0x00000000008C0000-0x0000000000959000-memory.dmp