Analysis Overview
SHA256
5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975
Threat Level: Known bad
The file 5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 03:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 03:32
Reported
2024-10-11 03:34
Platform
win7-20240903-en
Max time kernel
119s
Max time network
88s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bujyh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uxopo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bujyh.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bujyh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uxopo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe
"C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe"
C:\Users\Admin\AppData\Local\Temp\bujyh.exe
"C:\Users\Admin\AppData\Local\Temp\bujyh.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\uxopo.exe
"C:\Users\Admin\AppData\Local\Temp\uxopo.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2656-0-0x0000000001250000-0x00000000012D1000-memory.dmp
memory/2656-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\bujyh.exe
| MD5 | 7ec51913f27d2c5025f42ab38b4d9a12 |
| SHA1 | 110df1e2b682cabd31199dbb0b2f6f1527bf7902 |
| SHA256 | 61abbe96c63c307345f00cdac05b01b0161b20f561116c26b97b95d7168926a9 |
| SHA512 | 1c412b25aef76850e05a23ead21a388d3da8fb9df0814f44485d756853b4558fc15452c44b51fb2e18f367963fc784f84d377169c60e498ec8dc3db6bf73b8fd |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | a525ddb2711f59edaea2fbd95843ebe2 |
| SHA1 | b5a810f234b2280aaaa74b1b3e11929ff947ad6a |
| SHA256 | 6a0e0be8fa9590a7624d0bc086c07827ff11f17ca5465c43929dc3119b8d045e |
| SHA512 | d30d621535965a1c92d81790b3234590706be44d6ead32a68cbc38256dd983df8d3074417a88b172c2e5d14a681a8383033aaef43247cfb04f74eaf08443f0d0 |
memory/2588-18-0x0000000001290000-0x0000000001311000-memory.dmp
memory/2588-19-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2656-9-0x0000000000A70000-0x0000000000AF1000-memory.dmp
memory/2656-21-0x0000000001250000-0x00000000012D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 804d59b887d6208dcd5c27cc1802c6ec |
| SHA1 | 4469cce8ee8fa5a98b2f88128db75287f31de0d6 |
| SHA256 | e438e52d800b3e9b4569d7c63a839306c338b18eeebae7fdfeba02fa705c388b |
| SHA512 | b56121485b86e5cfb84338eaa368af4919deb77d6a41daa61feacfb1e7af7d07679ae1d08c20f7bb24f840a9dc157f052dc8dfc7f1e5cd257b4eb6e9614c9859 |
memory/2588-24-0x0000000001290000-0x0000000001311000-memory.dmp
\Users\Admin\AppData\Local\Temp\uxopo.exe
| MD5 | 051aaefa6e5c274e0cd9f2dad2f0621b |
| SHA1 | 384a2f8eb55bce202c18285f64d93f8c7dbcc0fd |
| SHA256 | 37c04a3aea2ad497634f805b56e6d9ec07bc697cb7fae64e2eadf381760edf3a |
| SHA512 | 6f8b53a694438e9ef2530f68a9414248e6ab646a073a08530db3c0f39723692d0df8467b349e792897049f77736df5c7036f621e3a7891a6fedb57e944f54b9c |
memory/1920-42-0x0000000000280000-0x0000000000319000-memory.dmp
memory/2588-40-0x0000000003D90000-0x0000000003E29000-memory.dmp
memory/2588-39-0x0000000001290000-0x0000000001311000-memory.dmp
memory/1920-43-0x0000000000280000-0x0000000000319000-memory.dmp
memory/1920-47-0x0000000000280000-0x0000000000319000-memory.dmp
memory/1920-48-0x0000000000280000-0x0000000000319000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 03:32
Reported
2024-10-11 03:34
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
92s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ciira.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ciira.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gexuc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ciira.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gexuc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe
"C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe"
C:\Users\Admin\AppData\Local\Temp\ciira.exe
"C:\Users\Admin\AppData\Local\Temp\ciira.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\gexuc.exe
"C:\Users\Admin\AppData\Local\Temp\gexuc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/4620-0-0x00000000001A0000-0x0000000000221000-memory.dmp
memory/4620-1-0x0000000000F40000-0x0000000000F41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ciira.exe
| MD5 | 8bc9c0f4135dcd0bf3fa445e2468ca6e |
| SHA1 | 640ad0b3c15d9e008592504cfc12c3efeef8e43e |
| SHA256 | 7d69f9aa2bdd1c13268cc410bc8b53c7b32a765f8f65242da37c02c8c500df0c |
| SHA512 | cbb1a745d1d70fe2aaa6fc918770ef858b94baa40733d46ca116d6d047b78dec481382b114d60c4d204eb996f351da04a0a6cec535034c58cc9b7f0b15b610e3 |
memory/1988-14-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/1988-11-0x0000000000400000-0x0000000000481000-memory.dmp
memory/4620-17-0x00000000001A0000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | a525ddb2711f59edaea2fbd95843ebe2 |
| SHA1 | b5a810f234b2280aaaa74b1b3e11929ff947ad6a |
| SHA256 | 6a0e0be8fa9590a7624d0bc086c07827ff11f17ca5465c43929dc3119b8d045e |
| SHA512 | d30d621535965a1c92d81790b3234590706be44d6ead32a68cbc38256dd983df8d3074417a88b172c2e5d14a681a8383033aaef43247cfb04f74eaf08443f0d0 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ee16e87c18533fc6fa82e8f39ea661c9 |
| SHA1 | bbdc87189a78ed8f5f7995bcdeb2e74f11eb3f6b |
| SHA256 | 63c54e626524f22ec19589193347b2803dd6010b92003fe30f07c7fbd3788e65 |
| SHA512 | 07f8585368c10241c3d61984d907137da2bf53f78cc94ad2f203d11c06aa6f1c58badaa50bb81a511732569b853cf9e6fb3caedf86d7a8d13dc6963d342b19a8 |
memory/1988-20-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1988-21-0x00000000003F0000-0x00000000003F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gexuc.exe
| MD5 | 1e30c73428cc27f861380e8d74508085 |
| SHA1 | 1f5ce3f612035488d89d54544a34381d33b26211 |
| SHA256 | 17981b70664630e5eabe3d84193a31ce625a9ee86df6179bd1c448fe62b34805 |
| SHA512 | f37b623a8b84a1b7e3014021c77cb873834d3acba6726148d38a7a6aac032604b5f0bfcd2b67c8c9ff96b24836827fcbabf74c99b0375b463969c3d46cd49d74 |
memory/4764-39-0x00000000007F0000-0x00000000007F2000-memory.dmp
memory/1988-41-0x0000000000400000-0x0000000000481000-memory.dmp
memory/4764-38-0x0000000000DA0000-0x0000000000E39000-memory.dmp
memory/4764-42-0x0000000000DA0000-0x0000000000E39000-memory.dmp
memory/4764-47-0x00000000007F0000-0x00000000007F2000-memory.dmp
memory/4764-46-0x0000000000DA0000-0x0000000000E39000-memory.dmp
memory/4764-48-0x0000000000DA0000-0x0000000000E39000-memory.dmp