Malware Analysis Report

2024-11-16 13:25

Sample ID 241012-mmkyrs1aqk
Target b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN
SHA256 b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfc
Tags: urelas aspackv2 discovery trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfc

Threat Level: Known bad

The file b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 discovery trojan

Urelas family

Urelas

ASPack v2.12-2.42

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-12 10:34

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-12 10:34

Reported: 2024-10-12 10:37

Platform: win7-20240903-en

Max time kernel: 119s

Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iryhc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cumofu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\riynh.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iryhc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cumofu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\riynh.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\riynh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe C:\Users\Admin\AppData\Local\Temp\iryhc.exe
PID 2072 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\iryhc.exe C:\Users\Admin\AppData\Local\Temp\cumofu.exe
PID 2824 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\cumofu.exe C:\Users\Admin\AppData\Local\Temp\riynh.exe
PID 2824 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\cumofu.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe

"C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe"

C:\Users\Admin\AppData\Local\Temp\iryhc.exe

"C:\Users\Admin\AppData\Local\Temp\iryhc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\cumofu.exe

"C:\Users\Admin\AppData\Local\Temp\cumofu.exe" OK

C:\Users\Admin\AppData\Local\Temp\riynh.exe

"C:\Users\Admin\AppData\Local\Temp\riynh.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2072-2-0x0000000000400000-0x0000000000458000-memory.dmp

\Users\Admin\AppData\Local\Temp\iryhc.exe

MD5 46f413075c84c55a39d66d938c4ba9cb
SHA1 4b374a6de0f61bc8c8a27f2f8ad267adc552b77b
SHA256 fb13c894edcbc253abcdfd9d38f4fe74bd909d82a2b1826aee965e8bdb36917d
SHA512 720978a7e629dca5f24381aae98f6778f564815d340d0f2cb52052a2431e83445c95753ccaf66d14e00dbb0634d09d1ab2c9c8d4b26c3c56618ef636a7c6c71a

memory/1732-21-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2072-20-0x0000000002460000-0x00000000024B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 db530785ddab2262c4b5581640b46cb2
SHA1 663b49c33e19a146389ca6d2e693c0408d764954
SHA256 dc4caff8b354ad6a56b0a8f9198240022c7113f18187cc4fb502645c920c5827
SHA512 5eb24c783f8890eba38164aed7c54ac2affc27cd766a016e45baec1e10e5f4f6f5751d430ab1e3b3120d46d2245e53e8ddc951c0d0222624b7f1ef47c0229edd

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 fa649011c7c129d5e61a6f5be829707b
SHA1 c7d75eb625844f05414fec651a0f73e7107fa791
SHA256 7157c01a114c378a2742456d0f698037249528d97ed3d7de597d08c880d2ee39
SHA512 04b77b25a3010e4444d0dd7f7e50cd713959c1f2d29ba69872f685256748a8e21d4997dc442c1baf9c51d7a16d227e2e600b62d070218b66481d066342e22f97

memory/2072-24-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1732-32-0x0000000003660000-0x00000000036B8000-memory.dmp

memory/1732-35-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2824-36-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2956-57-0x0000000000E20000-0x0000000000EAC000-memory.dmp

memory/2956-55-0x0000000000E20000-0x0000000000EAC000-memory.dmp

memory/2956-54-0x0000000000E20000-0x0000000000EAC000-memory.dmp

memory/2956-53-0x0000000000E20000-0x0000000000EAC000-memory.dmp

memory/2824-56-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 3e9bdcf230aa6e2bf9c7e9022d12840c
SHA1 61a96b367dccc480c3837e44ad81880483199500
SHA256 ed5b36f1d0599768c02291a0576b0c2c540098a9965a32138b6f62503067dbfa
SHA512 4ebbb3a74ec2243086e0c2b081d30f83944a906779205ba79d6a49ee4db1539c42e5a9a45642fd35640f7c1e7a94b30217a4395fab57411cb5c4fdfebbe9b30e

memory/2824-44-0x0000000003870000-0x00000000038FC000-memory.dmp

\Users\Admin\AppData\Local\Temp\riynh.exe

MD5 9421367ae9462fd6407cfe2cd484a0c4
SHA1 2ff547346280ca952e28fdd1314f9a0958b93b66
SHA256 1e854aac28b9f2f26a28d0fdf5f41527c9216560577d45f157c0f0b0094fcd61
SHA512 1c77c04b7ac602bd0b326118dae3c64eac02872fa530a8a7d15ec68b52dff0799e37a9993a1eb0a401159a1486feecaaf4a1b3d8e160e6bb1a3b00af246aaab0

memory/2956-60-0x0000000000E20000-0x0000000000EAC000-memory.dmp

memory/2956-61-0x0000000000E20000-0x0000000000EAC000-memory.dmp

memory/2956-62-0x0000000000E20000-0x0000000000EAC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-12 10:34

Reported: 2024-10-12 10:37

Platform: win10v2004-20241007-en

Max time kernel: 119s

Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\todute.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\qutef.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qutef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\todute.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mogoe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mogoe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qutef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\todute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mogoe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe C:\Users\Admin\AppData\Local\Temp\qutef.exe
PID 2876 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\qutef.exe C:\Users\Admin\AppData\Local\Temp\todute.exe
PID 1084 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\todute.exe C:\Users\Admin\AppData\Local\Temp\mogoe.exe
PID 1084 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\todute.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe

"C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe"

C:\Users\Admin\AppData\Local\Temp\qutef.exe

"C:\Users\Admin\AppData\Local\Temp\qutef.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\todute.exe

"C:\Users\Admin\AppData\Local\Temp\todute.exe" OK

C:\Users\Admin\AppData\Local\Temp\mogoe.exe

"C:\Users\Admin\AppData\Local\Temp\mogoe.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/2876-0-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qutef.exe

MD5 8b04d1a48eb3921ef0a0cf1fa705d89e
SHA1 5211d69351227caa5c26e857d1f4ae276e4b0f88
SHA256 006d49bb0674584e14ac70bf30df37afc0a540371565aa9f9a56a49ca56882dc
SHA512 550bb0b37e699d93c0e2f0c49b3fab139758ca1c86d68c166daf0e8a83506f042f7ba23eeebf2983f78d6f4b4325c809b6955d562f06a66985caf31220de78d4

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 6be4f0ec451ceb33cba5b90c14332bd8
SHA1 7d4049e6bc68856244592fe27646feeb4e16ac82
SHA256 747a690dbe806fb478e3dfca7eb0b7c10d4a3b1e94ac7b7235fe13066645c33a
SHA512 73ab9d15b9244b67d6662138964413002b2056d062892fa9a0cb24f697186fa50f7896a8f21fe2aaa6de32e0bc0a8089315222df6e0e430859897c24054af86e

memory/2876-15-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 db530785ddab2262c4b5581640b46cb2
SHA1 663b49c33e19a146389ca6d2e693c0408d764954
SHA256 dc4caff8b354ad6a56b0a8f9198240022c7113f18187cc4fb502645c920c5827
SHA512 5eb24c783f8890eba38164aed7c54ac2affc27cd766a016e45baec1e10e5f4f6f5751d430ab1e3b3120d46d2245e53e8ddc951c0d0222624b7f1ef47c0229edd

memory/2192-24-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1084-25-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mogoe.exe

MD5 767ab3b03753317366e7a8fa5f4ddf37
SHA1 6934ac2dba9d989b9096d9024a83b34f2b24c8dd
SHA256 e0fc194ac09db7d5a9fcc69034e72e685d13bfef757716842fb4dd5a0458025b
SHA512 c7e01d90f4088e25b7603ed36a15065632e09d6f739b94449937f38ec362b2ceb5cfcc54d48445a3e7625ec91212492c72f66ece3009c783f830e3125d6e7f86

memory/4484-37-0x00000000003A0000-0x000000000042C000-memory.dmp

memory/4484-41-0x00000000003A0000-0x000000000042C000-memory.dmp

memory/1084-42-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4484-39-0x00000000003A0000-0x000000000042C000-memory.dmp

memory/4484-40-0x00000000003A0000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 0326c66ef3f645c841ef91e7a9cfe041
SHA1 cd2b6d5a77f60ff06cb77d3f4d0da6384f82eba6
SHA256 7b864ba99c88bda89889d279281814e18eea1a40a03c232d8f8775edf215251a
SHA512 e665a6bc9ec659fd662d2fee18000b3c7229bd8b0f1d5fb15431493dd6917da6bb36f7eaa96f9a21a999388a7902fb7fe9afc0a54ecdb0ce149848791ca83619

memory/4484-44-0x00000000003A0000-0x000000000042C000-memory.dmp

memory/4484-45-0x00000000003A0000-0x000000000042C000-memory.dmp

memory/4484-46-0x00000000003A0000-0x000000000042C000-memory.dmp