Analysis Overview
SHA256
8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46b
Threat Level: Known bad
The file 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 11:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 11:43
Reported
2024-10-12 11:45
Platform
win7-20240903-en
Max time kernel
120s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gexyf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyyrw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gexyf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyyrw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gexyf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
"C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"
C:\Users\Admin\AppData\Local\Temp\gexyf.exe
"C:\Users\Admin\AppData\Local\Temp\gexyf.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\kyyrw.exe
"C:\Users\Admin\AppData\Local\Temp\kyyrw.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1672-0-0x00000000003D0000-0x0000000000451000-memory.dmp
memory/1672-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\gexyf.exe
| MD5 | 79f89251ec745bab62418bc86edeaab1 |
| SHA1 | 9d3fd1a7081a94549a4489a89bfcee66dbffb1c6 |
| SHA256 | 4e242188113a137c65182a557f15921d794d390f62247dc60630f541c5294642 |
| SHA512 | cc0a13f56d814db47881ac3fd3133fd85a7ef50f43f92608b8882619c207a3190a6cae946c10e7082fbacbca526a046b922579ea94bfd9a04061facdecae185d |
memory/1672-7-0x0000000002930000-0x00000000029B1000-memory.dmp
memory/1936-15-0x0000000000CB0000-0x0000000000D31000-memory.dmp
memory/1936-18-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 4f237e2fc86c1f1f2b92b627c68ffafb |
| SHA1 | c0d7607700d7804b07de537051e7fe2ca95d3a3c |
| SHA256 | e4aa4bb70edc5b78037c60a80aa48ebfba1e99a3c2ea382304509a81be74deb2 |
| SHA512 | 4b7953774ceb9abf63175fe1c086733d7367b3ab471a7bd68bf0f82b6b856978aff19923b2f45a8aa42808a76157772e3baf6e95ff7bb33e148fb1e140d9c0f7 |
memory/1672-21-0x00000000003D0000-0x0000000000451000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8ced0a00d161490632ae8cf130fae02a |
| SHA1 | 3c101c6569a1453d31b46101e13e16220022f090 |
| SHA256 | 16e8cec5e64f147b329089fb28e4902c979b2f24bf2d853205be8c2265503afb |
| SHA512 | d16ddde4b700b9399161b26acbb5a8f254905ed2308700124832db651fc2a2cfdefc7667b0ab4f66a527135ed3fc05d9480cabe9e08215bdd4a91179586a94f6 |
memory/1936-24-0x0000000000CB0000-0x0000000000D31000-memory.dmp
\Users\Admin\AppData\Local\Temp\kyyrw.exe
| MD5 | b6f99e80c0e2f1086d8852e39027f70b |
| SHA1 | d8226562a2a065e8a847cf36bf4469aab894fe44 |
| SHA256 | b5231256720f22bf065497679030016d527d1a6a7376455c6f23c037366c6d92 |
| SHA512 | 7551780e7583bfe55d93f6f32ae89357980c94664d2b55c56f0aac9057d17574ef98c5553e503af9286becb2517b51b383f08c25c882e3ed65b28ca03ba20a83 |
memory/2560-42-0x0000000000F50000-0x0000000000FE9000-memory.dmp
memory/1936-41-0x00000000032E0000-0x0000000003379000-memory.dmp
memory/1936-40-0x0000000000CB0000-0x0000000000D31000-memory.dmp
memory/2560-43-0x0000000000F50000-0x0000000000FE9000-memory.dmp
memory/2560-47-0x0000000000F50000-0x0000000000FE9000-memory.dmp
memory/2560-48-0x0000000000F50000-0x0000000000FE9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 11:43
Reported
2024-10-12 11:45
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\miqii.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miqii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ewibb.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\miqii.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ewibb.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
"C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"
C:\Users\Admin\AppData\Local\Temp\miqii.exe
"C:\Users\Admin\AppData\Local\Temp\miqii.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ewibb.exe
"C:\Users\Admin\AppData\Local\Temp\ewibb.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/3840-0-0x00000000007C0000-0x0000000000841000-memory.dmp
memory/3840-1-0x0000000001260000-0x0000000001261000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\miqii.exe
| MD5 | 148f955838033c67950c35572b9ebd7c |
| SHA1 | e2456e9e12202615e09f2f0cddc44b742c5b7b8d |
| SHA256 | 9cf9548a9e05b5e5c0f8cad676c0a8a2a4110d59bd1259713dd777d9178a5dd0 |
| SHA512 | 510b0593b2c5ca1286597b92eb2b0a26b7ddd80e5e2d1f31a11103bffa715c2ac3f89fd94bf2fd542ed0ecf223cc3b4be87f8a5e869ab31bfcc298ab093da27c |
memory/1560-13-0x0000000000370000-0x00000000003F1000-memory.dmp
memory/1560-14-0x0000000000760000-0x0000000000761000-memory.dmp
memory/3840-17-0x00000000007C0000-0x0000000000841000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 4f237e2fc86c1f1f2b92b627c68ffafb |
| SHA1 | c0d7607700d7804b07de537051e7fe2ca95d3a3c |
| SHA256 | e4aa4bb70edc5b78037c60a80aa48ebfba1e99a3c2ea382304509a81be74deb2 |
| SHA512 | 4b7953774ceb9abf63175fe1c086733d7367b3ab471a7bd68bf0f82b6b856978aff19923b2f45a8aa42808a76157772e3baf6e95ff7bb33e148fb1e140d9c0f7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | cac73a1cd89444e0f194e80e585c2ca6 |
| SHA1 | b2c3d8e1c6e59e26894cecb7617cbede0b2dc33e |
| SHA256 | a7e643841aad90cec99196ab073d3a9647ef19f76ec8f374c23154ee44be9955 |
| SHA512 | d763a4ff2e0b51e415e842b363dd0ef7f0faa2b7dbd0584d1fdb25151615bd750015d0b0abfa7588600f6f3126ed8bdf36ec4f8de7dc0e1c73f6de12a46454ae |
memory/1560-20-0x0000000000370000-0x00000000003F1000-memory.dmp
memory/1560-21-0x0000000000760000-0x0000000000761000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ewibb.exe
| MD5 | 0ce30a64deaada51a8bcb3194c452f4b |
| SHA1 | b722d4a4456af763432d00aab93e58f84b2a7ded |
| SHA256 | 8d79a8e1a8b41ff881b1fda67117f5a413b6c8ab788a24382fd80d21d5371396 |
| SHA512 | a0d61f34359e98ea180bef7b3e023753797d587ba57b8bd4d44158f4a205729c52578a7792ab7f38c92d9ddf92b26c1294cff46d181f83fa94913b6eee123b8a |
memory/676-41-0x0000000001340000-0x0000000001342000-memory.dmp
memory/1560-40-0x0000000000370000-0x00000000003F1000-memory.dmp
memory/676-37-0x0000000000420000-0x00000000004B9000-memory.dmp
memory/676-42-0x0000000000420000-0x00000000004B9000-memory.dmp
memory/676-47-0x0000000001340000-0x0000000001342000-memory.dmp
memory/676-46-0x0000000000420000-0x00000000004B9000-memory.dmp
memory/676-48-0x0000000000420000-0x00000000004B9000-memory.dmp