Analysis Overview
SHA256
e16676727383facf51b3f6e36b543bb72402db8ebb765435cf981ea690d9e23c
Threat Level: Known bad
The file e16676727383facf51b3f6e36b543bb72402db8ebb765435cf981ea690d9e23cN was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Deletes itself
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 03:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 03:06
Reported
2024-10-11 03:08
Platform
win7-20241010-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tiijk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\futox.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e16676727383facf51b3f6e36b543bb72402db8ebb765435cf981ea690d9e23cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tiijk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\futox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e16676727383facf51b3f6e36b543bb72402db8ebb765435cf981ea690d9e23cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tiijk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e16676727383facf51b3f6e36b543bb72402db8ebb765435cf981ea690d9e23cN.exe
"C:\Users\Admin\AppData\Local\Temp\e16676727383facf51b3f6e36b543bb72402db8ebb765435cf981ea690d9e23cN.exe"
C:\Users\Admin\AppData\Local\Temp\tiijk.exe
"C:\Users\Admin\AppData\Local\Temp\tiijk.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\futox.exe
"C:\Users\Admin\AppData\Local\Temp\futox.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1656-0-0x0000000000220000-0x00000000002A1000-memory.dmp
memory/1656-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\tiijk.exe
| MD5 | b4e0e9ed824012d45bdeb0e722b832f7 |
| SHA1 | e0e27dc1adeb810861331fe01b8646277a1e6ccb |
| SHA256 | 49a77b3de70fa3bc3a736527eba5d45803b0a247eb56bc499bf5c95371ca934c |
| SHA512 | 01967488e4849b0f73128b54b2cb9945b0b5623e7cf6b044121e39c4ff86a4b076d1502efdfb313ccccca59a9c5bb4f9baad146499d0971d530a1fca7ab7ddfa |
memory/2488-13-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2488-11-0x0000000001230000-0x00000000012B1000-memory.dmp
memory/1656-9-0x0000000001F90000-0x0000000002011000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | e6817e5036c2c0670d5f65dc3bd8f8b1 |
| SHA1 | dc401fdfd12796ceba25c579a1b6f05214a6aa90 |
| SHA256 | 81f02e4f82b32dbd7014b3b95cf1af0e2f8d67bf0e73a42bd0c613154ee53a4e |
| SHA512 | 9f675e0b701ce8509a763894c9ccccab2aa5a5c023087167433f96557a033d0bf7c5909308844bf6924618d8d4327a1d3c94467743702bfafff55277745947fb |
memory/1656-21-0x0000000000220000-0x00000000002A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 9cb77ccf9da3f7ade9ce76e307bb0432 |
| SHA1 | d51050c98aa5fe6f6ba34cff64b553d09e1149dc |
| SHA256 | 4fc5a21d26fc95e74b19cd460e6a5fed89bbaeb2b8dbdd58305c690849a811d6 |
| SHA512 | 30aee98ca0f58e652f65d9fae446334f7a8976bff153554dfeed37294ad5e01284537ccca67e00e5dd24b1f79f10b154564f884ed0db4539ed5e19431829dc66 |
memory/2488-25-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2488-24-0x0000000001230000-0x00000000012B1000-memory.dmp
\Users\Admin\AppData\Local\Temp\futox.exe
| MD5 | d33a8da366a9897a7582079d7e55ee21 |
| SHA1 | 02243181929cf4b4956692df0a3c4b5dfb0321cf |
| SHA256 | 36ce6b3202ae4fa214e2dcb15a18b680030925ad76ed4d6b0b59a0140fdebd91 |
| SHA512 | 925132781fceb176ec9485c75b8de4d7c7523cbc901c37847d1e2854283638e6a010662f17dab2f7b31ed6526fb140bf1465f6aead5c8c98c7e776a36fa95fc4 |
memory/2488-38-0x0000000003E40000-0x0000000003ED9000-memory.dmp
memory/1556-43-0x0000000000C30000-0x0000000000CC9000-memory.dmp
memory/2488-42-0x0000000001230000-0x00000000012B1000-memory.dmp
memory/1556-47-0x0000000000C30000-0x0000000000CC9000-memory.dmp
memory/1556-48-0x0000000000C30000-0x0000000000CC9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 03:06
Reported
2024-10-11 03:08
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e16676727383facf51b3f6e36b543bb72402db8ebb765435cf981ea690d9e23cN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\lokug.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lokug.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujxig.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e16676727383facf51b3f6e36b543bb72402db8ebb765435cf981ea690d9e23cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lokug.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ujxig.exe | N/A |
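Both detonations show every process in the chain opening `NLS\Language`, and the Windows 10 run additionally shows the sample and lokug.exe querying `Geo\Nation` under the user's hive. As an added example (not code from the report or the sandbox), the script below turns those two indicators into a detection over Sysmon-style registry events: it flags a Temp-resident process that touches both keys within a few seconds of its first registry activity and decodes the values it read. The events are constructed; the timestamps, the stored values, the `Default` value name under `NLS\Language` and the explorer.exe control row are assumptions, and the value decoding only covers the three regions that appear in this report.

```python
r"""Detect the locale probing recorded in the signature tables above: a
process running from the user's Temp directory opens
HKLM\SYSTEM\ControlSet001\Control\NLS\Language and queries
HKCU\Control Panel\International\Geo\Nation shortly after it starts.
The events are constructed in the shape of Sysmon registry events (EventID
12 = key open, 13 = value query); the timestamps, the stored values, the
'Default' value name and the explorer.exe control row are assumptions."""
import re
from collections import defaultdict

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
LANG_RE = re.compile(r"\\Control\\NLS\\Language(\\Default)?$", re.I)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)

# Windows GeoID -> country, for the regions that appear in this report
GEOID = {134: "KR", 122: "JP", 244: "US"}
# LANGID hex string as stored in NLS\Language\Default -> locale
LANGID = {"0412": "ko-KR", "0411": "ja-JP", "0409": "en-US"}


def locale_probes(events, window_s=5.0):
    r"""Return {pid: {"image", "lang", "geo"}} for Temp-resident processes that
    touch both NLS\Language and Geo\Nation within window_s of their first
    registry event. Values are decoded when the event carries one."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    hits = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        image, start = evs[0]["image"], evs[0]["ts"]
        if not TEMP_RE.search(image):
            continue
        lang = geo = None
        lang_seen = geo_seen = False
        for ev in evs:
            if ev["ts"] - start > window_s:
                break
            if LANG_RE.search(ev["target"]):
                lang_seen = True
                if "value" in ev:
                    lang = LANGID.get(ev["value"], ev["value"])
            elif GEO_RE.search(ev["target"]):
                geo_seen = True
                if "value" in ev:
                    geo = GEOID.get(ev["value"], str(ev["value"]))
        if lang_seen and geo_seen:
            hits[pid] = {"image": image, "lang": lang, "geo": geo}
    return hits


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\e16676727383facf51b3f6e36b543bb72402db8ebb765435cf981ea690d9e23cN.exe"
NLS = r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"
GEO = r"HKU\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation"

# Constructed: PIDs 424 (sample) and 952 (lokug.exe) come from the behavioral2
# memory dump names; the values model an en-US sandbox like the one used here.
SAMPLE_REG_EVENTS = [
    {"ts": 0.0, "pid": 424, "image": SAMPLE, "event_id": 12, "target": NLS},
    {"ts": 0.4, "pid": 424, "image": SAMPLE, "event_id": 13, "target": NLS + r"\Default", "value": "0409"},
    {"ts": 0.9, "pid": 424, "image": SAMPLE, "event_id": 13, "target": GEO, "value": 244},
    {"ts": 1.0, "pid": 952, "image": TEMP + r"\lokug.exe", "event_id": 12, "target": NLS},
    {"ts": 1.2, "pid": 952, "image": TEMP + r"\lokug.exe", "event_id": 13, "target": GEO, "value": 244},
    # Control: explorer.exe legitimately reads Geo\Nation and must not be flagged
    {"ts": 30.0, "pid": 1200, "image": r"C:\Windows\explorer.exe", "event_id": 13, "target": GEO, "value": 244},
]

if __name__ == "__main__":
    for pid, info in locale_probes(SAMPLE_REG_EVENTS).items():
        print(pid, info)
```

Reading these keys is normal for system binaries, so the rule is only meaningful with the Temp-path restriction and the time window; on its own either key is noise.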
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e16676727383facf51b3f6e36b543bb72402db8ebb765435cf981ea690d9e23cN.exe
"C:\Users\Admin\AppData\Local\Temp\e16676727383facf51b3f6e36b543bb72402db8ebb765435cf981ea690d9e23cN.exe"
C:\Users\Admin\AppData\Local\Temp\lokug.exe
"C:\Users\Admin\AppData\Local\Temp\lokug.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ujxig.exe
"C:\Users\Admin\AppData\Local\Temp\ujxig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
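The four TCP endpoints are identical across the Windows 7 and Windows 10 runs, which makes them usable as network indicators; the `in-addr.arpa` lookups to 8.8.8.8 are reverse-DNS queries for addresses the sample never connects to and should be treated as sandbox or OS background traffic unless process attribution says otherwise. As an added example (not code from the report or the sandbox), the script below matches Zeek-style `conn.log` rows against those endpoints and, separately, looks for the shape of this traffic without relying on the exact IPs: one host reaching several distinct peers on the same uncommon port. The log rows are constructed; the internal source addresses, the 203.0.113.0/24 control destinations and the "common port" list are assumptions.

```python
"""Match outbound flows against the C2 endpoints in this report and flag the
Urelas-like pattern of one host contacting several peers on the same uncommon
port. Input rows mimic Zeek conn.log (tab-separated) and are constructed."""
import collections

# C2 endpoints observed in both detonations (from the report's network tables)
URELAS_C2 = {
    ("218.54.31.226", 11300),
    ("1.234.83.146", 11170),
    ("218.54.31.166", 11300),
    ("133.242.129.155", 11300),
}
# Ports excluded from the fan-out heuristic (assumption: tune for the environment)
COMMON_PORTS = {53, 80, 123, 443, 445, 3389}

# Constructed rows: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
# 10.0.0.5 replays the report's connections; 10.0.0.7 is a benign control host.
SAMPLE_CONN_LOG = """\
1728615960.001\t10.0.0.5\t49711\t8.8.8.8\t53\tudp
1728615961.120\t10.0.0.5\t49712\t218.54.31.226\t11300\ttcp
1728615962.450\t10.0.0.5\t49713\t1.234.83.146\t11170\ttcp
1728615963.800\t10.0.0.5\t49714\t218.54.31.166\t11300\ttcp
1728615965.200\t10.0.0.5\t49715\t133.242.129.155\t11300\ttcp
1728615970.000\t10.0.0.7\t50123\t203.0.113.10\t443\ttcp
1728615971.000\t10.0.0.7\t50124\t203.0.113.9\t8443\ttcp
"""


def parse_conn_log(text):
    """Parse the six-column subset of conn.log used here; skips comments and blanks."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
        rows.append({"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
                     "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto})
    return rows


def ioc_hits(rows):
    """Exact matches on (destination IP, port) from the report."""
    return [(r["orig_h"], r["resp_h"], r["resp_p"])
            for r in rows if (r["resp_h"], r["resp_p"]) in URELAS_C2]


def uncommon_port_fanout(rows, min_hosts=2):
    """Map (orig_h, resp_p) -> sorted distinct resp_h for TCP flows on ports
    outside COMMON_PORTS where the source reached at least min_hosts peers."""
    peers = collections.defaultdict(set)
    for r in rows:
        if r["proto"] == "tcp" and r["resp_p"] not in COMMON_PORTS:
            peers[(r["orig_h"], r["resp_p"])].add(r["resp_h"])
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    print("IOC hits:", ioc_hits(rows))
    print("fan-out:", uncommon_port_fanout(rows))
```

The fan-out rule catches the 11300/tcp cluster even if the operators rotate addresses, but it does not see 1.234.83.146:11170 on its own; that endpoint is only found by the exact-match IOC list, which is why both checks are kept.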
Files
memory/424-0-0x00000000005F0000-0x0000000000671000-memory.dmp
memory/424-1-0x0000000000410000-0x0000000000411000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lokug.exe
| MD5 | 17ced36282059418e02d52d2e583a5a3 |
| SHA1 | e56b04666af5b1fbfb9c3ec27f9287dfc311a838 |
| SHA256 | 5db74f818308788f4adf0419d68cd877f8e5b68d6272dffbc54a3016e0b2662a |
| SHA512 | a788f045f80d32532bdef1c1d36e6d872b9237129350361c9e534b8d0707a62330e43233a8dda9a8168f1eaad88d72ae301f606b6bb52b401dc863b189c7902f |
memory/952-11-0x00000000002A0000-0x0000000000321000-memory.dmp
memory/952-13-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
memory/424-17-0x00000000005F0000-0x0000000000671000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | e6817e5036c2c0670d5f65dc3bd8f8b1 |
| SHA1 | dc401fdfd12796ceba25c579a1b6f05214a6aa90 |
| SHA256 | 81f02e4f82b32dbd7014b3b95cf1af0e2f8d67bf0e73a42bd0c613154ee53a4e |
| SHA512 | 9f675e0b701ce8509a763894c9ccccab2aa5a5c023087167433f96557a033d0bf7c5909308844bf6924618d8d4327a1d3c94467743702bfafff55277745947fb |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b549c9b51113743f500fd8d73c5a95a9 |
| SHA1 | b4d21dcbe0da2721e8500c335949a1d1dab0904d |
| SHA256 | 1ac3d7d5e1e8ab72fe1e574e7fb817ce1131f99ceeeb3bc1a6257b924aa06962 |
| SHA512 | 39078d2b97533d26de3948782fc07009f5ab452fe188e28c82be04e558a74369860ec554e5ed972977d31051d68ff20bbf60d8de038ede86fe729ec2ccbef524 |
memory/952-21-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
memory/952-20-0x00000000002A0000-0x0000000000321000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ujxig.exe
| MD5 | 6f71a3d0ef263b444d2da993a031caa3 |
| SHA1 | ec1eb08e8a0a67ae9f627ca8c843b59bdf9800d1 |
| SHA256 | f6da5af0e2ace357f5c8b2d5ddd4ebefe157a7879133b44150c4617c74842af2 |
| SHA512 | 308bd961b387e548ac08c769d3adc8319e1a219d4e3e833ffb107519ddd0796bebfb1aaf38e6d53162282675a1363d818a61f9ca39fde5a5c39d1176e7d264ab |
memory/888-40-0x0000000000580000-0x0000000000619000-memory.dmp
memory/888-39-0x0000000000B00000-0x0000000000B02000-memory.dmp
memory/888-38-0x0000000000580000-0x0000000000619000-memory.dmp
memory/952-44-0x00000000002A0000-0x0000000000321000-memory.dmp
memory/888-46-0x0000000000B00000-0x0000000000B02000-memory.dmp
memory/888-47-0x0000000000580000-0x0000000000619000-memory.dmp
memory/888-48-0x0000000000580000-0x0000000000619000-memory.dmp