Analysis Overview
SHA256
b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfc
Threat Level: Known bad
The file b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
ASPack v2.12-2.42
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 10:34
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 10:34
Reported
2024-10-12 10:37
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iryhc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cumofu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\riynh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iryhc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iryhc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cumofu.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iryhc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cumofu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\riynh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe | "C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe" |
| C:\Users\Admin\AppData\Local\Temp\iryhc.exe | "C:\Users\Admin\AppData\Local\Temp\iryhc.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
| C:\Users\Admin\AppData\Local\Temp\cumofu.exe | "C:\Users\Admin\AppData\Local\Temp\cumofu.exe" OK |
| C:\Users\Admin\AppData\Local\Temp\riynh.exe | "C:\Users\Admin\AppData\Local\Temp\riynh.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\iryhc.exe
| MD5 | 46f413075c84c55a39d66d938c4ba9cb |
| SHA1 | 4b374a6de0f61bc8c8a27f2f8ad267adc552b77b |
| SHA256 | fb13c894edcbc253abcdfd9d38f4fe74bd909d82a2b1826aee965e8bdb36917d |
| SHA512 | 720978a7e629dca5f24381aae98f6778f564815d340d0f2cb52052a2431e83445c95753ccaf66d14e00dbb0634d09d1ab2c9c8d4b26c3c56618ef636a7c6c71a |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | db530785ddab2262c4b5581640b46cb2 |
| SHA1 | 663b49c33e19a146389ca6d2e693c0408d764954 |
| SHA256 | dc4caff8b354ad6a56b0a8f9198240022c7113f18187cc4fb502645c920c5827 |
| SHA512 | 5eb24c783f8890eba38164aed7c54ac2affc27cd766a016e45baec1e10e5f4f6f5751d430ab1e3b3120d46d2245e53e8ddc951c0d0222624b7f1ef47c0229edd |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | fa649011c7c129d5e61a6f5be829707b |
| SHA1 | c7d75eb625844f05414fec651a0f73e7107fa791 |
| SHA256 | 7157c01a114c378a2742456d0f698037249528d97ed3d7de597d08c880d2ee39 |
| SHA512 | 04b77b25a3010e4444d0dd7f7e50cd713959c1f2d29ba69872f685256748a8e21d4997dc442c1baf9c51d7a16d227e2e600b62d070218b66481d066342e22f97 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 3e9bdcf230aa6e2bf9c7e9022d12840c |
| SHA1 | 61a96b367dccc480c3837e44ad81880483199500 |
| SHA256 | ed5b36f1d0599768c02291a0576b0c2c540098a9965a32138b6f62503067dbfa |
| SHA512 | 4ebbb3a74ec2243086e0c2b081d30f83944a906779205ba79d6a49ee4db1539c42e5a9a45642fd35640f7c1e7a94b30217a4395fab57411cb5c4fdfebbe9b30e |
\Users\Admin\AppData\Local\Temp\riynh.exe
| MD5 | 9421367ae9462fd6407cfe2cd484a0c4 |
| SHA1 | 2ff547346280ca952e28fdd1314f9a0958b93b66 |
| SHA256 | 1e854aac28b9f2f26a28d0fdf5f41527c9216560577d45f157c0f0b0094fcd61 |
| SHA512 | 1c77c04b7ac602bd0b326118dae3c64eac02872fa530a8a7d15ec68b52dff0799e37a9993a1eb0a401159a1486feecaaf4a1b3d8e160e6bb1a3b00af246aaab0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 10:34
Reported
2024-10-12 10:37
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\todute.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qutef.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qutef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\todute.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mogoe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mogoe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qutef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\todute.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe | "C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe" |
| C:\Users\Admin\AppData\Local\Temp\qutef.exe | "C:\Users\Admin\AppData\Local\Temp\qutef.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
| C:\Users\Admin\AppData\Local\Temp\todute.exe | "C:\Users\Admin\AppData\Local\Temp\todute.exe" OK |
| C:\Users\Admin\AppData\Local\Temp\mogoe.exe | "C:\Users\Admin\AppData\Local\Temp\mogoe.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\qutef.exe
| MD5 | 8b04d1a48eb3921ef0a0cf1fa705d89e |
| SHA1 | 5211d69351227caa5c26e857d1f4ae276e4b0f88 |
| SHA256 | 006d49bb0674584e14ac70bf30df37afc0a540371565aa9f9a56a49ca56882dc |
| SHA512 | 550bb0b37e699d93c0e2f0c49b3fab139758ca1c86d68c166daf0e8a83506f042f7ba23eeebf2983f78d6f4b4325c809b6955d562f06a66985caf31220de78d4 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 6be4f0ec451ceb33cba5b90c14332bd8 |
| SHA1 | 7d4049e6bc68856244592fe27646feeb4e16ac82 |
| SHA256 | 747a690dbe806fb478e3dfca7eb0b7c10d4a3b1e94ac7b7235fe13066645c33a |
| SHA512 | 73ab9d15b9244b67d6662138964413002b2056d062892fa9a0cb24f697186fa50f7896a8f21fe2aaa6de32e0bc0a8089315222df6e0e430859897c24054af86e |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | db530785ddab2262c4b5581640b46cb2 |
| SHA1 | 663b49c33e19a146389ca6d2e693c0408d764954 |
| SHA256 | dc4caff8b354ad6a56b0a8f9198240022c7113f18187cc4fb502645c920c5827 |
| SHA512 | 5eb24c783f8890eba38164aed7c54ac2affc27cd766a016e45baec1e10e5f4f6f5751d430ab1e3b3120d46d2245e53e8ddc951c0d0222624b7f1ef47c0229edd |
C:\Users\Admin\AppData\Local\Temp\mogoe.exe
| MD5 | 767ab3b03753317366e7a8fa5f4ddf37 |
| SHA1 | 6934ac2dba9d989b9096d9024a83b34f2b24c8dd |
| SHA256 | e0fc194ac09db7d5a9fcc69034e72e685d13bfef757716842fb4dd5a0458025b |
| SHA512 | c7e01d90f4088e25b7603ed36a15065632e09d6f739b94449937f38ec362b2ceb5cfcc54d48445a3e7625ec91212492c72f66ece3009c783f830e3125d6e7f86 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 0326c66ef3f645c841ef91e7a9cfe041 |
| SHA1 | cd2b6d5a77f60ff06cb77d3f4d0da6384f82eba6 |
| SHA256 | 7b864ba99c88bda89889d279281814e18eea1a40a03c232d8f8775edf215251a |
| SHA512 | e665a6bc9ec659fd662d2fee18000b3c7229bd8b0f1d5fb15431493dd6917da6bb36f7eaa96f9a21a999388a7902fb7fe9afc0a54ecdb0ce149848791ca83619 |