Analysis Overview
SHA256
71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b
Threat Level: Known bad
The file 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 23:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 23:13
Reported
2024-10-12 23:15
Platform
win7-20240903-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hohab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fuqic.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hohab.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fuqic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hohab.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
"C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"
C:\Users\Admin\AppData\Local\Temp\hohab.exe
"C:\Users\Admin\AppData\Local\Temp\hohab.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\fuqic.exe
"C:\Users\Admin\AppData\Local\Temp\fuqic.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2656-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2656-0-0x0000000000870000-0x00000000008F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\hohab.exe
| MD5 | 9941d977f3f363bdcf6b0e61cb6da44d |
| SHA1 | 1946600e6bf1b10c469e47066bd50f8ae6cb3bff |
| SHA256 | 944dc36c1191e53f4a2d237d8029f84ef08c59dcbe748a651f348443095dc90c |
| SHA512 | a3b3be23db0331b8a5696673d40834a3c4c598d02d0b5f9ea0ed607d255b0599dc913d33a5dfa287ec093155613616416ee2c445a7d3a5cb0e8b2357532c5ecf |
memory/2588-11-0x0000000000970000-0x00000000009F1000-memory.dmp
memory/2656-7-0x00000000026B0000-0x0000000002731000-memory.dmp
memory/2588-12-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 061e1a7b6dd73689632ea9992e4df62f |
| SHA1 | e30e7d684cb4a1d70e86c807f21d2a75c2bd4650 |
| SHA256 | 7d46766c246f029c69281803481caa3628f96ede69e2b9c8988007228bd5486c |
| SHA512 | 62e339e31fc5b10b14b844fc251077549066f03b415867a9bc2a984f768e69e3f544d900e1e956757d52a07427074cb4d14cc3a65c8215944d3119e05493e2e5 |
memory/2656-21-0x0000000000870000-0x00000000008F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 711c59f36f3a5ded3a8a23b87ad57524 |
| SHA1 | 48308d26c085a048c8a387524f0f854233ca1ae8 |
| SHA256 | 7f8387f94d7102d587de3e0f07c59ac43ea1bf2a398fc6fa914e8108db9dc236 |
| SHA512 | a4929ed98abf4b6624fcf7245ef183cce2ef89e4c63a47a4dca060f77c10c22d24d924c541edaf3cb7303e27cd54f7940db1df9ec80a99fc267165a9e43b99c7 |
memory/2588-24-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2588-25-0x0000000000970000-0x00000000009F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\fuqic.exe
| MD5 | d2821f8b9da182be09677bafb56e92ba |
| SHA1 | 37ebca909fc2fe945f803618e61eb1fe10932068 |
| SHA256 | 2df885d307cf14d137b9f5a24783ef1877ec42d06b502ab85a9344a37a6463a7 |
| SHA512 | 389b607b2937499409b8f7f87f6cfe94ebdc795ea733f228e9a7c9a9409d7e61de7b64d3aa2577de1829a6191da3fc26fdb844eb3c712b0f54c417bd128df9d5 |
memory/1920-43-0x00000000003B0000-0x0000000000449000-memory.dmp
memory/2588-41-0x0000000004010000-0x00000000040A9000-memory.dmp
memory/2588-40-0x0000000000970000-0x00000000009F1000-memory.dmp
memory/1920-44-0x00000000003B0000-0x0000000000449000-memory.dmp
memory/1920-48-0x00000000003B0000-0x0000000000449000-memory.dmp
memory/1920-49-0x00000000003B0000-0x0000000000449000-memory.dmp
memory/1920-50-0x00000000003B0000-0x0000000000449000-memory.dmp
memory/1920-51-0x00000000003B0000-0x0000000000449000-memory.dmp
memory/1920-52-0x00000000003B0000-0x0000000000449000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 23:13
Reported
2024-10-12 23:15
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\hitoc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hitoc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\weybw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hitoc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\weybw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
"C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"
C:\Users\Admin\AppData\Local\Temp\hitoc.exe
"C:\Users\Admin\AppData\Local\Temp\hitoc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\weybw.exe
"C:\Users\Admin\AppData\Local\Temp\weybw.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/2204-0-0x00000000001A0000-0x0000000000221000-memory.dmp
memory/2204-1-0x00000000010D0000-0x00000000010D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hitoc.exe
| MD5 | 9ab6980564e7d735e8e1b28856aca443 |
| SHA1 | 4bf9d6777a47adbefc60b71c2c6786ad4babfd0d |
| SHA256 | 08d0844c74dc10be43c22853d09f68d05b02e603e6c244ecf5fa6af6a2a33a5a |
| SHA512 | ea3747a81d18ff6da6faf8897f97d8c077dce954a8adbf3228abf3fd20d53b6210d9d37307441aabc052971e4adb5c829215f62992275801060eb31cee9d94b3 |
memory/1520-14-0x0000000001460000-0x0000000001461000-memory.dmp
memory/1520-13-0x0000000000A90000-0x0000000000B11000-memory.dmp
memory/2204-16-0x00000000001A0000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 061e1a7b6dd73689632ea9992e4df62f |
| SHA1 | e30e7d684cb4a1d70e86c807f21d2a75c2bd4650 |
| SHA256 | 7d46766c246f029c69281803481caa3628f96ede69e2b9c8988007228bd5486c |
| SHA512 | 62e339e31fc5b10b14b844fc251077549066f03b415867a9bc2a984f768e69e3f544d900e1e956757d52a07427074cb4d14cc3a65c8215944d3119e05493e2e5 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | bc419d2d468f8008aa9d944c24f8aad9 |
| SHA1 | e47aa37b355deb18941c4cabbbf81602a2ceb629 |
| SHA256 | 8ecbf27be9a3b09041ffa3f7fb4a013c327daee37b251c2d54c3580b56556a19 |
| SHA512 | 54f1533731d355e1ddd5cbd2aa83b3941fd97ab8be0e42e251a79f13051baab2c6c7a80fb43825c192e1a835bec5076cb72940afa4f2a1983893a2ea8fc3075a |
memory/1520-20-0x0000000001460000-0x0000000001461000-memory.dmp
memory/1520-19-0x0000000000A90000-0x0000000000B11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\weybw.exe
| MD5 | 48a5bf97c43bef50a63c2e6a572d6a37 |
| SHA1 | c60dc436e5773857bba41ade8e12cb77b3e8d946 |
| SHA256 | 24f798f430539d5d34c28ec655c4cd5d71c77ef09bc4a8e907614857dd9df194 |
| SHA512 | df209b8c945d7cc72588d2777676596755f2809caa20e4bb26f97b24448ee7ab40f4ec8e8b7e79e4bff08f84460350ee417d6d344de8ec8984479b7fa19c3169 |
memory/5052-36-0x0000000000C10000-0x0000000000CA9000-memory.dmp
memory/5052-38-0x0000000000C10000-0x0000000000CA9000-memory.dmp
memory/1520-43-0x0000000000A90000-0x0000000000B11000-memory.dmp
memory/5052-42-0x0000000000ED0000-0x0000000000ED2000-memory.dmp
memory/5052-45-0x0000000000C10000-0x0000000000CA9000-memory.dmp
memory/5052-46-0x0000000000C10000-0x0000000000CA9000-memory.dmp
memory/5052-47-0x0000000000C10000-0x0000000000CA9000-memory.dmp
memory/5052-48-0x0000000000C10000-0x0000000000CA9000-memory.dmp
memory/5052-49-0x0000000000C10000-0x0000000000CA9000-memory.dmp
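The two detonations above (behavioral1 on Windows 7, behavioral2 on Windows 10) show the same chain: the sample writes a second EXE into %TEMP% and runs it, cmd.exe is launched with a .bat from %TEMP% (the step the report credits with "Deletes itself"), a further dropped EXE runs, and TCP connections go out to four KR/JP endpoints on ports 11300 and 11170. The script below is an added example, not part of the sandbox report or of any vendor's tooling: it turns those observations into hunt rules and replays them over constructed Sysmon-style events. The event schema (EventID 1/3/11 with Image, ParentImage, CommandLine, DestinationIp, DestinationPort, SHA256 fields) and the parent-child relations in the sample events are assumptions; the report lists the processes but does not state the tree. The IP:port pairs and SHA256 values are copied from the report.

```python
"""Hunt rules derived from the Urelas report: added example, not the report's own tooling."""
import re
from dataclasses import dataclass

# Indicators copied from the behavioral1/behavioral2 sections of the report.
C2_ENDPOINTS = {
    ("218.54.31.226", 11300),
    ("218.54.31.166", 11300),
    ("133.242.129.155", 11300),
    ("1.234.83.146", 11170),
}
DROPPED_SHA256 = {
    "944dc36c1191e53f4a2d237d8029f84ef08c59dcbe748a651f348443095dc90c": "hohab.exe",
    "2df885d307cf14d137b9f5a24783ef1877ec42d06b502ab85a9344a37a6463a7": "fuqic.exe",
    "08d0844c74dc10be43c22853d09f68d05b02e603e6c244ecf5fa6af6a2a33a5a": "hitoc.exe",
    "24f798f430539d5d34c28ec655c4cd5d71c77ef09bc4a8e907614857dd9df194": "weybw.exe",
    "7d46766c246f029c69281803481caa3628f96ede69e2b9c8988007228bd5486c": "_uinsey.bat",
}

# %TEMP% of any user profile; case-insensitive to match Windows path handling.
TEMP_EXE = re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$', re.I)
TEMP_BAT = re.compile(r'[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\"]+\.bat', re.I)
CMD_IMAGE = re.compile(r'\\cmd\.exe$', re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def check_process(ev):
    """Process creation (assumed EventID 1): Temp EXE -> Temp EXE, and Temp EXE -> cmd /c Temp .bat."""
    alerts = []
    image, parent, cmdline = ev["Image"], ev["ParentImage"], ev.get("CommandLine", "")
    if TEMP_EXE.match(image) and TEMP_EXE.match(parent):
        alerts.append(Alert("temp_exe_spawns_temp_exe", f"{parent} -> {image}"))
    if CMD_IMAGE.search(image) and TEMP_EXE.match(parent) and TEMP_BAT.search(cmdline):
        alerts.append(Alert("temp_exe_runs_temp_bat", f"{parent} -> {cmdline}"))
    return alerts


def check_network(ev):
    """Network connection (assumed EventID 3): outbound TCP to a reported C2 endpoint."""
    if ev.get("Protocol", "").lower() == "tcp" and ev.get("Initiated", True):
        key = (ev["DestinationIp"], int(ev["DestinationPort"]))
        if key in C2_ENDPOINTS:
            return [Alert("urelas_c2_endpoint", f"{ev['Image']} -> {key[0]}:{key[1]}")]
    return []


def check_file(ev):
    """File creation (assumed EventID 11) carrying a SHA256 of the written file."""
    name = DROPPED_SHA256.get(ev.get("SHA256", "").lower())
    if name:
        return [Alert("known_dropped_file_hash", f"{ev['TargetFilename']} matches {name}")]
    return []


HANDLERS = {1: check_process, 3: check_network, 11: check_file}


def hunt(events):
    """Run every rule over an event stream; alerts come back in input order."""
    found = []
    for ev in events:
        found.extend(HANDLERS.get(ev["EventID"], lambda _e: [])(ev))
    return found


# Constructed sample events modelled on the behavioral1 process list plus one
# benign control event. Parent-child links are assumptions, not report data.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\hohab.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\hohab.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\hohab.exe",
     "CommandLine": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"EventID": 3, "Image": r"C:\Users\Admin\AppData\Local\Temp\fuqic.exe", "Protocol": "tcp",
     "Initiated": True, "DestinationIp": "218.54.31.226", "DestinationPort": 11300},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\hohab.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\fuqic.exe",
     "SHA256": "2df885d307cf14d137b9f5a24783ef1877ec42d06b502ab85a9344a37a6463a7"},
    {"EventID": 1, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": ""},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The hash and endpoint rules are exact-match and survive the per-run renaming the report shows (hohab/fuqic on Windows 7, hitoc/weybw on Windows 10) only because the _uinsey.bat hash is identical across both runs; the other dropped files differ per run, so the behavioural rules carry the weight. The Temp-EXE-spawns-Temp-EXE rule will fire on legitimate installers and should be scoped to hosts or paired with the cmd /c .bat rule before it pages anyone.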