Analysis Overview
SHA256
834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508
Threat Level: Known bad
The file 834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508N was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 07:35
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 07:35
Reported
2024-10-11 07:37
Platform
win7-20240903-en
Max time kernel
119s
Max time network
91s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\evacs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\imycad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cutyt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\evacs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\imycad.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\evacs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\imycad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cutyt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508N.exe
"C:\Users\Admin\AppData\Local\Temp\834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508N.exe"
C:\Users\Admin\AppData\Local\Temp\evacs.exe
"C:\Users\Admin\AppData\Local\Temp\evacs.exe" hi
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\imycad.exe
"C:\Users\Admin\AppData\Local\Temp\imycad.exe" OK
C:\Users\Admin\AppData\Local\Temp\cutyt.exe
"C:\Users\Admin\AppData\Local\Temp\cutyt.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1120-0-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3012-16-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 6b842ac62ff68706874314513524c1d0 |
| SHA1 | 26f6550235ccd1a1164677cc3bae3e811a29c492 |
| SHA256 | 66b7f6951206fea7ef57d35e6748eb50531ea8fad7b3d857661b1368ca347748 |
| SHA512 | 2f1d07c50ffb25b8f39fd2d3edce08aaa4a05363a841e5d17bf8a303fa9ea28f55562a9443f81247d4c2eb5bebd54f0c6366f92236c8ad0f64d24e2a5cc7e22c |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 60d22fbdac85b17fa70c02418746a33a |
| SHA1 | 12bfdb82912799cbf3b43c0175246d32d00f77ef |
| SHA256 | 3a3b46c47ee0cbbc17cce817c04be20c896e447f7ceb57727b4fc061b1ebb52a |
| SHA512 | bd7e5b0fb3d67eab9006f63d326a56c52ecb04d02613503f1ea6fa77c39580e6de8413c5277f011c4733bdd36dc34a451c8e60e902753a9eac64ffefe5420dfa |
C:\Users\Admin\AppData\Local\Temp\evacs.exe
| MD5 | 429fdbee82284484a9900bb2e38fbef7 |
| SHA1 | 872446666dbca663ff1afc080ae592f4fa40acbc |
| SHA256 | 632c8e49b7016656160a99c272341de37c4096d8c9f50454ce13009d272e1fe4 |
| SHA512 | e86aac876a6b3e368b72bc8d6e77a73f59e5583cb3132aed9a1cb3c2bb8c7fdfa33dc0db1cbe9b0bfbd5afb4d9711787991e4e57a9023740358a3149b6116f9f |
C:\Users\Admin\AppData\Local\Temp\imycad.exe
| MD5 | ff5a0ab0a9ae8d097bcb7796f0d70120 |
| SHA1 | d5f62fd70822d435a434c23e77687bd2404fbfaa |
| SHA256 | edd8d2496a03eca5867e770f709c71d5449f4ff0caad18ceeb15a4b6259dc2e0 |
| SHA512 | 23752e30183f257c2dd552224537b27a0a0ae8d10cb59f432edc9c44dde3f3af69cb2ab1f6699cde6f7df4675890028cab38fc39610504fbaa0c1429f16a165e |
memory/1120-20-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3012-27-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3012-26-0x00000000021A0000-0x000000000220E000-memory.dmp
memory/2704-29-0x0000000000400000-0x000000000046E000-memory.dmp
\Users\Admin\AppData\Local\Temp\cutyt.exe
| MD5 | 322a3222dccf623365cc145dcf2ae951 |
| SHA1 | 88de3052bad71be4cb92d6be6d4ddbfb3c50f072 |
| SHA256 | a8b8aad006c35723f2b3eb25166bf1d277717c208a9376f22857845f8bfce921 |
| SHA512 | 41a665b5da1b1de9878da4ae5521b032d95f8fccaaae529a5e393af6748c78149cbd5a088ac847d107bae900e6897d9e6c31a336a1896ca47fe247e28ac7ed53 |
memory/2704-34-0x0000000003000000-0x00000000030A0000-memory.dmp
memory/2532-46-0x0000000000F80000-0x0000000001020000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 8ccab879f2c0f40de22c881a28f99101 |
| SHA1 | e5e36a3f91aeaf8213ea9fd4f0e5b989029d9ed5 |
| SHA256 | 7cb68ddfa07b27e65053a863234a0ca703e9d68b4d6163234bc09f5533b1da46 |
| SHA512 | d3c09028c29040a49e68b74f9285405d3ffcc4db19a373a5b40f0e6ee3daf190dbd1573b12e6ad29932afce908e8db123724d233ea5892b9423261dfb635bde9 |
memory/2704-45-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2532-50-0x0000000000F80000-0x0000000001020000-memory.dmp
memory/2532-51-0x0000000000F80000-0x0000000001020000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 07:35
Reported
2024-10-11 07:37
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wyipg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ohgoim.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wyipg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohgoim.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqpou.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ohgoim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eqpou.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wyipg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508N.exe
"C:\Users\Admin\AppData\Local\Temp\834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508N.exe"
C:\Users\Admin\AppData\Local\Temp\wyipg.exe
"C:\Users\Admin\AppData\Local\Temp\wyipg.exe" hi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ohgoim.exe
"C:\Users\Admin\AppData\Local\Temp\ohgoim.exe" OK
C:\Users\Admin\AppData\Local\Temp\eqpou.exe
"C:\Users\Admin\AppData\Local\Temp\eqpou.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
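Both detonations show the same process chain even though the dropped file names differ (evacs/imycad/cutyt on win7, wyipg/ohgoim/eqpou on win10): the sample starts a freshly dropped %TEMP% executable with the argument "hi", that one starts another with "OK", a third runs with no argument, and cmd.exe is twice given _vslite.bat from %TEMP% with the "/c ""...\_vslite.bat" "" quoting, which lines up with the "Deletes itself" signature attributed to cmd.exe in behavioral1. The Python below is an added detection example, not part of this report or of any sandbox tooling. It runs over a constructed process-creation list modelled on the behavioral1 process list (the PIDs, parent links and the benign control row are assumptions; the report gives only images and command lines) and keys on the parent/child path pattern rather than on the per-run random names, so it generalizes across both runs.

```python
import re

# Sample process-creation events constructed for this example from the
# behavioral1 process list above. The report gives images and command lines
# only; the PIDs, parent links and the benign control row are assumptions.
EVENTS = [
    {"pid": 1120, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508N.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\834a3acba6dd63ecc433f0a1e529ae92fa298472d74ae74777343041d748c508N.exe"'},
    {"pid": 3012, "ppid": 1120,
     "image": r"C:\Users\Admin\AppData\Local\Temp\evacs.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\evacs.exe" hi'},
    {"pid": 1400, "ppid": 1120,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "'},
    {"pid": 2704, "ppid": 3012,
     "image": r"C:\Users\Admin\AppData\Local\Temp\imycad.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\imycad.exe" OK'},
    {"pid": 2532, "ppid": 2704,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cutyt.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\cutyt.exe"'},
    {"pid": 1500, "ppid": 2704,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "'},
    # Benign control: a setup program in %TEMP% started by the shell, no hop.
    {"pid": 4000, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\setup_1.2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\setup_1.2.exe" /S'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
CMD_EXE = re.compile(r"(?:^|\\)cmd\.exe$", re.IGNORECASE)
# cmd.exe's  /c ""<path>" "  quoting: the script path is the first quoted token
# ending in .bat/.cmd after /c, for both the bare "cmd" and full-path forms.
BATCH_ARG = re.compile(r'/c\s+"*([^"]+?\.(?:bat|cmd))"', re.IGNORECASE)


def is_temp_exe(image: str) -> bool:
    return bool(TEMP_DIR.search(image)) and image.lower().endswith(".exe")


def batch_target(cmdline: str):
    """Return the script path a cmd.exe /c invocation runs, or None."""
    m = BATCH_ARG.search(cmdline)
    return m.group(1) if m else None


def lineage(events, pid: int) -> str:
    """Root-to-leaf chain of image basenames, for the analyst's finding."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return " -> ".join(reversed(chain))


def detect_urelas_chain(events):
    """Flag the two behaviours the report attributes to Urelas, independent
    of the per-run random file names: a %TEMP% executable launching another
    %TEMP% executable, and a %TEMP% executable handing a %TEMP% batch file
    to cmd.exe (the _vslite.bat step behind 'Deletes itself')."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not is_temp_exe(parent["image"]):
            continue
        if is_temp_exe(e["image"]):
            findings.append({"rule": "temp_exe_spawns_temp_exe", "pid": e["pid"],
                             "chain": lineage(events, e["pid"]), "cmdline": e["cmdline"]})
        elif CMD_EXE.search(e["image"]):
            bat = batch_target(e["cmdline"])
            if bat and TEMP_DIR.search(bat):
                findings.append({"rule": "self_delete_batch", "pid": e["pid"],
                                 "chain": lineage(events, e["pid"]), "batch": bat})
    return findings


if __name__ == "__main__":
    for f in detect_urelas_chain(EVENTS):
        print(f["rule"], f["pid"], f["chain"])
```

The benign control row (a setup program in %TEMP% started by the shell) produces no finding, because neither rule fires on a %TEMP% executable alone; both require a %TEMP% executable as the parent. Installers that extract a helper into %TEMP% and run it will still trip the first rule, so treat it as a hunting lead and use the chain string to triage; the batch rule is the higher-confidence one.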
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
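The four C2 endpoints are the same in both detonations (three hosts in KR, one in JP, all on TCP 11110 or 11170), while the win10 run also records Windows image background traffic (g.bing.com and PTR lookups through 8.8.8.8) that has nothing to do with the sample. The Python below is an added example, not part of this report or of any sandbox tooling: it parses a constructed connection log (not a real capture; 203.0.113.7 and 198.51.100.20 are documentation addresses standing in for unknown hosts), matches exact ip:port pairs from the tables above, pivots on the two reused ports to surface an unseen host, and only then suppresses the background noise. The noise allowlist is this example's assumption and should come from your own baseline.

```python
import csv
import io

# C2 endpoints (ip, port) from the Network tables of both detonations.
URELAS_C2 = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}
# Every C2 host in the report listens on one of two ports; reuse that as a
# pivot to surface a new host on the same port. Heuristic, not an IOC.
URELAS_PORTS = {port for _, port in URELAS_C2}

# Constructed connection log (not a real capture). Rows mirror the behavioral2
# mix of Windows background lookups and C2 connections; 203.0.113.7 and
# 198.51.100.20 are documentation addresses used as stand-ins.
SAMPLE_LOG = """ts,proto,src,dst,dport,domain
1728632130,udp,10.0.0.5,8.8.8.8,53,g.bing.com
1728632131,tcp,10.0.0.5,150.171.28.10,443,g.bing.com
1728632132,udp,10.0.0.5,8.8.8.8,53,68.159.190.20.in-addr.arpa
1728632133,tcp,10.0.0.5,218.54.31.226,11110,
1728632134,tcp,10.0.0.5,1.234.83.146,11170,
1728632135,tcp,10.0.0.5,203.0.113.7,11110,
1728632136,tcp,10.0.0.5,198.51.100.20,443,example.invalid
"""


def parse_conn_log(text: str):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def is_background_noise(conn) -> bool:
    """PTR lookups via 8.8.8.8 and g.bing.com traffic, as seen in the win10
    run; treated here as image telemetry rather than sample activity. This
    allowlist is the example's assumption and belongs to your own baseline."""
    if conn["proto"] == "udp" and conn["dport"] == 53 and conn["domain"].endswith(".in-addr.arpa"):
        return True
    return conn["domain"] == "g.bing.com"


def classify(conn) -> str:
    # Exact C2 match first, then the port pivot, then the noise allowlist, so
    # noise suppression can never hide a C2 hit.
    if (conn["dst"], conn["dport"]) in URELAS_C2:
        return "known_c2"
    if conn["proto"] == "tcp" and conn["dport"] in URELAS_PORTS:
        return "same_port_unknown_host"
    if is_background_noise(conn):
        return "background_noise"
    return "unclassified"


def triage(text: str):
    """Bucket every connection in the log as dst:port strings per verdict."""
    buckets = {"known_c2": [], "same_port_unknown_host": [],
               "background_noise": [], "unclassified": []}
    for conn in parse_conn_log(text):
        buckets[classify(conn)].append(f'{conn["dst"]}:{conn["dport"]}')
    return buckets


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {hits}")
```

The port pivot will also catch legitimate services that happen to use 11110 or 11170, so it belongs in a hunting query rather than a blocking rule; the exact ip:port set is the part to push to a blocklist.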
Files
memory/1684-0-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wyipg.exe
| MD5 | bc96348fe9669c45eb654d5ce15c4516 |
| SHA1 | 0ee583bbac9dca7d0bc226953d20cfa1db54f788 |
| SHA256 | 7f9eab78fc8da1679b9dfe462b5d086696fbea87d9071775421212dd2340c973 |
| SHA512 | 2c75e71299cc53b5be925bf554f1ac56b0c2615e362ca4976ab9a108b3cf28c1023f4d75de5d09b2e3ec6df82394f4b54582230a00cde89955160fc083983fc7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | da117cd482331d529b6d6f2ea09d0fd8 |
| SHA1 | 00a6017e7312d00c2ca5e4aeac89f1cb3c8884a3 |
| SHA256 | 5cdda221aa128395e472790fd6f686762f16686c5c9af21215f4d0353faa6052 |
| SHA512 | 5f717adc1e3f364b744096b6782cb22b0d566d39b4211c2242bd1fe75f104575f7b1ef022ae81c8f2659b42f203fee99b9d9a2b945855c3fea16eb6d25535b21 |
memory/3092-13-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1684-16-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 6b842ac62ff68706874314513524c1d0 |
| SHA1 | 26f6550235ccd1a1164677cc3bae3e811a29c492 |
| SHA256 | 66b7f6951206fea7ef57d35e6748eb50531ea8fad7b3d857661b1368ca347748 |
| SHA512 | 2f1d07c50ffb25b8f39fd2d3edce08aaa4a05363a841e5d17bf8a303fa9ea28f55562a9443f81247d4c2eb5bebd54f0c6366f92236c8ad0f64d24e2a5cc7e22c |
C:\Users\Admin\AppData\Local\Temp\ohgoim.exe
| MD5 | fec5e1c2c48099ba3aa8881a7a1f89f4 |
| SHA1 | dc182c5038da733e2febffed5747ce13a4cb387f |
| SHA256 | 128e519815dfa350a108f1891f26b053b5d8f4012f6b4c218305101acc9f3d51 |
| SHA512 | 1ebdf1d4b78c1322a557e5304c8b4e63f288134b821dda0d4022d5634973dd14c4ef67cee9b54ec9ae109b44e4983d5e968303b172b71c54d91d8757d07bf782 |
memory/3092-24-0x0000000000400000-0x000000000046E000-memory.dmp
memory/228-26-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eqpou.exe
| MD5 | c6de1ed20163655825a4294c923f0244 |
| SHA1 | 3d47ac1f440a7bf5e86614f0e3ade5aeacca2b42 |
| SHA256 | b63e405794c2098751362e7b57a2b62ba11d68b6af739c45e44c927d1e081ff0 |
| SHA512 | 53c19b24d0f1a39874101c7aab0da41abdc9b0cbbd575377bb33006c6f917587feeb46358a9d59df431b507f0018633fd32df281aa33f305c07ba05e7e5cf0d6 |
memory/3444-37-0x00000000003F0000-0x0000000000490000-memory.dmp
memory/228-39-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 7c1e919e0820d6608e4fb31c65b980aa |
| SHA1 | 0fbe84d06672c2273839f3b7d98e14adc7297030 |
| SHA256 | f28c6cdecca7332bdb3879cc480d404fbb2b3053235c2a8d9a35753218d7ac7a |
| SHA512 | 749d1ccf14ef47744b320f558f9f956b6d8e4d72ecd55e731e22a87dcff283bb0abbfcad17cc951a27c27827f86ff1dba7856b6571baa0346313471ce954a6dc |
memory/3444-42-0x00000000003F0000-0x0000000000490000-memory.dmp
memory/3444-43-0x00000000003F0000-0x0000000000490000-memory.dmp