Analysis Overview
SHA256
8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46b
Threat Level: Known bad
The file 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 11:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 11:52
Reported
2024-10-12 11:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ujqoa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujqoa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nuzuy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nuzuy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ujqoa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
"C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"
C:\Users\Admin\AppData\Local\Temp\ujqoa.exe
"C:\Users\Admin\AppData\Local\Temp\ujqoa.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\nuzuy.exe
"C:\Users\Admin\AppData\Local\Temp\nuzuy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/404-0-0x00000000001E0000-0x0000000000261000-memory.dmp
memory/404-1-0x0000000001110000-0x0000000001111000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ujqoa.exe
| MD5 | e6d9541b402f61ca688a3a4cbbdc1ed1 |
| SHA1 | 97e5971a7827a89e0b1a6a611c1ca13c9735b9cd |
| SHA256 | 5c43d27da8d5361c7eb38180d428f94ce323ed0321231cc54ede12dba54015f4 |
| SHA512 | 9d88390bdc1d6f3c6e405a5581dd713649cfaecdcb47e258359ace15a5d94290ddf0a571dec73d240483e8b566a2b6c323a1b01654bede4b3f3fe91ac88508b0 |
memory/628-14-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/628-11-0x00000000000B0000-0x0000000000131000-memory.dmp
memory/404-17-0x00000000001E0000-0x0000000000261000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 4f237e2fc86c1f1f2b92b627c68ffafb |
| SHA1 | c0d7607700d7804b07de537051e7fe2ca95d3a3c |
| SHA256 | e4aa4bb70edc5b78037c60a80aa48ebfba1e99a3c2ea382304509a81be74deb2 |
| SHA512 | 4b7953774ceb9abf63175fe1c086733d7367b3ab471a7bd68bf0f82b6b856978aff19923b2f45a8aa42808a76157772e3baf6e95ff7bb33e148fb1e140d9c0f7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b66922e07df073c93a644e5ca075827f |
| SHA1 | cac1cc430e92dd90eb355b97cbfd880b6d8b8171 |
| SHA256 | 5adfcb39a77b2361dbe9ef25811cc51f9ccd9f906fe6c7f162af09891336c78e |
| SHA512 | 95ea7279f524e9d9550683b125b8d41c5cca8dcf03f7f7a0e7385c87981235a11b3161e9e995d07b6b4e59db963995b6f4e553816e663d6dc6bd4f2fd5eb45a0 |
memory/628-20-0x00000000000B0000-0x0000000000131000-memory.dmp
memory/628-21-0x00000000005E0000-0x00000000005E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nuzuy.exe
| MD5 | ca9b8f1aeb4ecb5a604f5a3bbf38fb59 |
| SHA1 | 34395139279f52805df07434aca840821a29fb8b |
| SHA256 | 9314175d4bf7f3f56ff2b0380752942ce58a480e16915ffea70a6f03cc7fd37e |
| SHA512 | 2b5b63074a651213a98223621f1986301834441a82ff0b2d4993d6294a29fc251db6e1594e8b465ce5400537ffd88b5b36504c3f924ed302c776908898a15220 |
memory/5080-39-0x00000000005F0000-0x00000000005F2000-memory.dmp
memory/628-41-0x00000000000B0000-0x0000000000131000-memory.dmp
memory/5080-38-0x00000000004F0000-0x0000000000589000-memory.dmp
memory/5080-42-0x00000000004F0000-0x0000000000589000-memory.dmp
memory/5080-47-0x00000000005F0000-0x00000000005F2000-memory.dmp
memory/5080-46-0x00000000004F0000-0x0000000000589000-memory.dmp
memory/5080-48-0x00000000004F0000-0x0000000000589000-memory.dmp
memory/5080-49-0x00000000004F0000-0x0000000000589000-memory.dmp
memory/5080-50-0x00000000004F0000-0x0000000000589000-memory.dmp
memory/5080-51-0x00000000004F0000-0x0000000000589000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 11:52
Reported
2024-10-12 11:54
Platform
win7-20240729-en
Max time kernel
149s
Max time network
76s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loaxu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\awujx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loaxu.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\loaxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\awujx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
"C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"
C:\Users\Admin\AppData\Local\Temp\loaxu.exe
"C:\Users\Admin\AppData\Local\Temp\loaxu.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\awujx.exe
"C:\Users\Admin\AppData\Local\Temp\awujx.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2296-0-0x00000000002D0000-0x0000000000351000-memory.dmp
memory/2296-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\loaxu.exe
| MD5 | 403e0aa177f509f25090c542ca0767eb |
| SHA1 | 0d20f6e4df03f1553c3debea32d8a80871a04d77 |
| SHA256 | 8a93073a1783a2cabf29d7b11964660fba85be90bde5e52175097482b39da79e |
| SHA512 | 576d3afe18395cf948501d922cb42d07154917396101e3dce0755373c2c7d8501ef19c574482530674084a6b09880bc720848a391a3843d508e4219457e12d52 |
memory/1748-11-0x0000000000E80000-0x0000000000F01000-memory.dmp
memory/2296-9-0x0000000001DF0000-0x0000000001E71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 4f237e2fc86c1f1f2b92b627c68ffafb |
| SHA1 | c0d7607700d7804b07de537051e7fe2ca95d3a3c |
| SHA256 | e4aa4bb70edc5b78037c60a80aa48ebfba1e99a3c2ea382304509a81be74deb2 |
| SHA512 | 4b7953774ceb9abf63175fe1c086733d7367b3ab471a7bd68bf0f82b6b856978aff19923b2f45a8aa42808a76157772e3baf6e95ff7bb33e148fb1e140d9c0f7 |
memory/1748-21-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2296-20-0x00000000002D0000-0x0000000000351000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1528cb2dbf1e7e03ec96f5aeb6fee5f6 |
| SHA1 | 9117d274e63ad1fdeebdd966b5331d83471eb7b1 |
| SHA256 | 2255a0548e70b8d750b14e89ad07f0fcb09dbbf7b83568a660e8ddcb340a36f6 |
| SHA512 | d3f032f1a8192e6c14e8e06afb918710568f49336d934e96aeafadf5bb5d8b5e350c40db31b1d827d89bfaba5979c2cb69ba3c656174aca782551cc856f0be18 |
memory/1748-24-0x0000000000E80000-0x0000000000F01000-memory.dmp
memory/1748-25-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\awujx.exe
| MD5 | 76cd1fcdb6d5878c4af057641d093fc7 |
| SHA1 | 954a523d6723ecbcec808c38cb13122b0c619daa |
| SHA256 | 44d7adae420055b55a7be2533caee02910f43cc9b10bc1547770700d2c85b371 |
| SHA512 | 4046612c5417581ef66bb3de8fd78c22e507df4bf30471c2c9b3c3dcad74702da8401770ebf7ca60e83e2991b3169d6f212a3a726966118bf6f7d7bed9996c99 |
memory/1748-38-0x0000000003710000-0x00000000037A9000-memory.dmp
memory/2868-46-0x0000000000E90000-0x0000000000F29000-memory.dmp
memory/2868-43-0x0000000000E90000-0x0000000000F29000-memory.dmp
memory/1748-42-0x0000000000E80000-0x0000000000F01000-memory.dmp
memory/2868-48-0x0000000000E90000-0x0000000000F29000-memory.dmp
memory/2868-49-0x0000000000E90000-0x0000000000F29000-memory.dmp
memory/2868-50-0x0000000000E90000-0x0000000000F29000-memory.dmp
memory/2868-51-0x0000000000E90000-0x0000000000F29000-memory.dmp
memory/2868-52-0x0000000000E90000-0x0000000000F29000-memory.dmp