Analysis Overview
SHA256
b54c05d5802bcb94ba9dab24b0935ae4002e7dc411d0421b5b965d7f80eb1fb5
Threat Level: Known bad
The file b54c05d5802bcb94ba9dab24b0935ae4002e7dc411d0421b5b965d7f80eb1fb5N was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 01:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 01:59
Reported
2024-10-11 02:01
Platform
win7-20240708-en
Max time kernel
120s
Max time network
88s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zebaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eptym.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b54c05d5802bcb94ba9dab24b0935ae4002e7dc411d0421b5b965d7f80eb1fb5N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zebaf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b54c05d5802bcb94ba9dab24b0935ae4002e7dc411d0421b5b965d7f80eb1fb5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zebaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eptym.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b54c05d5802bcb94ba9dab24b0935ae4002e7dc411d0421b5b965d7f80eb1fb5N.exe
"C:\Users\Admin\AppData\Local\Temp\b54c05d5802bcb94ba9dab24b0935ae4002e7dc411d0421b5b965d7f80eb1fb5N.exe"
C:\Users\Admin\AppData\Local\Temp\zebaf.exe
"C:\Users\Admin\AppData\Local\Temp\zebaf.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\eptym.exe
"C:\Users\Admin\AppData\Local\Temp\eptym.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2536-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2536-0-0x0000000001360000-0x00000000013E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zebaf.exe
| MD5 | 55a1e7c031f5c2f0e45b3ffb04f593d8 |
| SHA1 | d0c10c96bb104df82cd5101bca32c4143abead76 |
| SHA256 | f9d3c9f2356930b4aaf884e097b43737512ff650ef510316397697bd78e464aa |
| SHA512 | 04a7d38e53199561d0583edae2f615c378a72ecd09d9d950fdc10314c477210d1871865d1a7230c19599e9fc70566bf01705a01be93724c35a9139844a9c14da |
memory/2536-20-0x0000000001360000-0x00000000013E1000-memory.dmp
memory/2536-16-0x00000000027F0000-0x0000000002871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 2a6e7533db4132bcb791f1745bc0b759 |
| SHA1 | 45159d382dcaceef1adcc70acf1072f10efe97df |
| SHA256 | 9ce86cd21d0374c91c16321655b217c91d9f34571da69e9f1d6fbbaea9e4c2bd |
| SHA512 | ae8d6b8372f09a7f46a48179d0e1333247118b19f2e895fd18905e76c93cf84b478b034efc3466eaed064690bc5f53513b79ab02776a0b2e3ea4150a8312995d |
memory/2124-19-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2124-18-0x0000000000B10000-0x0000000000B91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | cd6b4ab630cf579abb0044d4c3bbf36a |
| SHA1 | 9f977cea1ee649b5f5ba8734789ef68483d6536d |
| SHA256 | 5ab68f3ce129dd4af6ea4008fccccf4ccaf58635eb3fe7420e53ebaa9936b260 |
| SHA512 | d2995e9a21ea459141e539a044ff935f3d9cd7fa9a2c07474a2df89a0712bda9e6012c30f769ba6b3a6e8b091c54047067ac4ca16c7547c82f09b1698d98a0c8 |
memory/2124-23-0x0000000000B10000-0x0000000000B91000-memory.dmp
memory/2124-24-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\eptym.exe
| MD5 | a0ccd0c0ce15e2bf0b526f359d7c9dbd |
| SHA1 | 8a0ce5285c2d69049a62a1fdd5c44198ced862b7 |
| SHA256 | a097b309f57bc80682c9cbd9b8099a1d4c23804c5639d68d2f5a0a6afe75dbf2 |
| SHA512 | 3a5d5c6ecf602baf9cf9ec2e2c3b8ef408f410c33761bf00735cac89ef5867f38e5dd92ddc9ccb70214b3c9e2d7843573a907b81a4b265d5a32de7d3419b9676 |
memory/2124-41-0x0000000000B10000-0x0000000000B91000-memory.dmp
memory/2668-42-0x00000000009F0000-0x0000000000A89000-memory.dmp
memory/2124-39-0x0000000003D70000-0x0000000003E09000-memory.dmp
memory/2668-43-0x00000000009F0000-0x0000000000A89000-memory.dmp
memory/2668-47-0x00000000009F0000-0x0000000000A89000-memory.dmp
memory/2668-48-0x00000000009F0000-0x0000000000A89000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 01:59
Reported
2024-10-11 02:01
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b54c05d5802bcb94ba9dab24b0935ae4002e7dc411d0421b5b965d7f80eb1fb5N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\leyhi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\leyhi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heduz.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b54c05d5802bcb94ba9dab24b0935ae4002e7dc411d0421b5b965d7f80eb1fb5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\leyhi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\heduz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b54c05d5802bcb94ba9dab24b0935ae4002e7dc411d0421b5b965d7f80eb1fb5N.exe
"C:\Users\Admin\AppData\Local\Temp\b54c05d5802bcb94ba9dab24b0935ae4002e7dc411d0421b5b965d7f80eb1fb5N.exe"
C:\Users\Admin\AppData\Local\Temp\leyhi.exe
"C:\Users\Admin\AppData\Local\Temp\leyhi.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\heduz.exe
"C:\Users\Admin\AppData\Local\Temp\heduz.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
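The four KR/JP destinations on TCP 11300 and 11170 are the same in both detonations and are contacted by IP with no name in the Domain column, which is the part of this table worth turning into a network IOC. The 8.8.8.8 DNS queries, the g.bing.com connection and the in-addr.arpa reverse lookups appear only in the Windows 10 run and look like OS or sandbox background traffic rather than the sample's own; treat them as noise unless other evidence ties them to the sample. The script below is an added example for this page, not tooling from the sandbox or the report. Its IOC set is taken from the tables above; the log format, the log lines and the "suspect port" heuristic (flagging a direct-to-IP TCP connection on 11300 or 11170 to an address not yet on the list) are assumptions.

```python
"""Match network telemetry against the C2 endpoints in this report and separate
them from background traffic. Added example; the log lines are constructed in a
simple "ts proto src dst [dns=name]" format, not sandbox output. The IOC set is
taken from the report's Network tables; the suspect-port heuristic is an
assumption based on the two ports the implant used here."""
from collections import namedtuple

# Destinations contacted in both detonations (KR/JP hosts on TCP 11300/11170).
C2_ENDPOINTS = {
    ("218.54.31.226", 11300),
    ("1.234.83.146", 11170),
    ("218.54.31.166", 11300),
    ("133.242.129.155", 11300),
}
SUSPECT_PORTS = {11300, 11170}  # assumption: the operator reuses these ports

Flow = namedtuple("Flow", "ts proto dst dport name verdict")


def classify(proto, dst, dport, name):
    """Verdict for one flow; an exact IOC hit takes priority over heuristics."""
    if (dst, dport) in C2_ENDPOINTS:
        return "c2_ioc"
    if proto == "udp" and dport == 53:
        return "reverse_dns" if name.endswith(".in-addr.arpa") else "dns_query"
    if name:
        return "resolved"  # destination was reached by name, like g.bing.com
    if proto == "tcp" and dport in SUSPECT_PORTS:
        return "direct_ip_suspect_port"  # no name, implant port: possible new infra
    return "direct_ip"


def parse_line(line):
    """Parse one constructed log line into a classified Flow (IPv4 only)."""
    ts, proto, _src, dst, *rest = line.split()
    host, port = dst.rsplit(":", 1)
    name = ""
    for field in rest:
        if field.startswith("dns="):
            name = field[4:]
    return Flow(ts, proto, host, int(port), name, classify(proto, host, int(port), name))


def classify_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


# Constructed telemetry: the first five lines mirror entries in the report's
# behavioral2 table; 203.0.113.7 (TEST-NET) and example.com are made up controls.
SAMPLE_LOG = """\
2024-10-11T02:00:01Z udp 10.0.0.5:51234 8.8.8.8:53 dns=g.bing.com
2024-10-11T02:00:01Z tcp 10.0.0.5:51235 150.171.28.10:443 dns=g.bing.com
2024-10-11T02:00:03Z tcp 10.0.0.5:51236 218.54.31.226:11300
2024-10-11T02:00:04Z tcp 10.0.0.5:51237 1.234.83.146:11170
2024-10-11T02:00:05Z udp 10.0.0.5:51238 8.8.8.8:53 dns=10.28.171.150.in-addr.arpa
2024-10-11T02:00:09Z tcp 10.0.0.5:51239 203.0.113.7:11300
2024-10-11T02:00:10Z tcp 10.0.0.5:51240 93.184.216.34:443 dns=example.com
"""

if __name__ == "__main__":
    for f in classify_log(SAMPLE_LOG):
        print(f"{f.ts} {f.proto} {f.dst}:{f.dport} {f.name or '-'} -> {f.verdict}")
```

The "direct_ip_suspect_port" verdict is a hunting lead, not a block decision: the report only shows four addresses, and the port heuristic will also catch unrelated services on those ports, so confirm a new hit with the process that opened the socket before adding it to the IOC set.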
Files
memory/4720-0-0x0000000000BF0000-0x0000000000C71000-memory.dmp
memory/4720-1-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\leyhi.exe
| MD5 | eeb669eaebdc3be8fd17152aee4be7c1 |
| SHA1 | 17377c0a8dddb11843b0d6734ce7ebe1b3ee5248 |
| SHA256 | 9e39cf963cf46c0f8ced439e5aadf4e8bba329643106c3f167a8314cd452b3a0 |
| SHA512 | 1b02fb0b3c649205c6e3311d60c2dcba524b9c77013a58506d22b8a98a98f0f1ee5eac9018115c814ccb75df5fc03027d2ab6cc0bab01c0c5212798f4734b5ae |
memory/2000-11-0x0000000000BD0000-0x0000000000C51000-memory.dmp
memory/2000-14-0x0000000000510000-0x0000000000511000-memory.dmp
memory/4720-16-0x0000000000BF0000-0x0000000000C71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 2a6e7533db4132bcb791f1745bc0b759 |
| SHA1 | 45159d382dcaceef1adcc70acf1072f10efe97df |
| SHA256 | 9ce86cd21d0374c91c16321655b217c91d9f34571da69e9f1d6fbbaea9e4c2bd |
| SHA512 | ae8d6b8372f09a7f46a48179d0e1333247118b19f2e895fd18905e76c93cf84b478b034efc3466eaed064690bc5f53513b79ab02776a0b2e3ea4150a8312995d |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 803b471c328cb5ea5920c7f1a5583b7b |
| SHA1 | 3cecd00e51269f068e9c2ffa5e9d7ee3df9279de |
| SHA256 | 4dc31da18575a60d0c5698ae0f4e964f249dd5c3f7337edeb9dc278524999510 |
| SHA512 | a20b66f69775c6e3f24c73a38552033af321c8192b6dc6455006ab8b65f11caab2524fbd30090ec613436dab44b306824f379d84f311783da18bce3a69b90ff6 |
memory/2000-19-0x0000000000BD0000-0x0000000000C51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\heduz.exe
| MD5 | cb04a4358f88ad066216b59e970c16da |
| SHA1 | bcdfa8a0af659464b97f788451a4f9f40d8f7064 |
| SHA256 | ecbf8058eec186333b732afbcb52b88151081988c3a29456c0e1329c6ba2452c |
| SHA512 | 8e8f2d445b9a9922aa331c2de8d536860ffa6b4ce86f9181474fb67966157202a6766102fe26620c957706298fb17134b1192ccbfc5563a348c322aa2d4336e5 |
memory/4700-40-0x0000000000500000-0x0000000000599000-memory.dmp
memory/4700-38-0x0000000000500000-0x0000000000599000-memory.dmp
memory/4700-36-0x0000000000500000-0x0000000000599000-memory.dmp
memory/2000-42-0x0000000000BD0000-0x0000000000C51000-memory.dmp
memory/4700-44-0x0000000000500000-0x0000000000599000-memory.dmp
memory/4700-45-0x0000000000500000-0x0000000000599000-memory.dmp
memory/4700-46-0x0000000000500000-0x0000000000599000-memory.dmp