Analysis Overview
SHA256
972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1
Threat Level: Known bad
The file 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Deletes itself
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 00:48
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 00:48
Reported
2024-10-13 00:51
Platform
win7-20240903-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\juizf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ozkeby.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulhux.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\juizf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\juizf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ozkeby.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ozkeby.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ozkeby.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ulhux.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\juizf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe
"C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe"
C:\Users\Admin\AppData\Local\Temp\juizf.exe
"C:\Users\Admin\AppData\Local\Temp\juizf.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ozkeby.exe
"C:\Users\Admin\AppData\Local\Temp\ozkeby.exe" OK
C:\Users\Admin\AppData\Local\Temp\ulhux.exe
"C:\Users\Admin\AppData\Local\Temp\ulhux.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2708-0-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2708-19-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | 40c0cecdb6095e9022f9b96cd55f10a3 |
| SHA1 | b5be5385481f9373aa7bcc2fed4e21d5c0cf79da |
| SHA256 | a0cdb22e6cbadeaf877aba273d6fa7b5c5162fa0a8671207364ac7607ddf5d24 |
| SHA512 | 759cba8c297f7a1e2b0f9e4467fe9f27236eb41ecb99cf37d90828e03d2462949f7280a8a2c36b2067af3a803a8b6986bedf9144602e7cfbbbaef4e5f5b41e73 |
memory/2804-21-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | eb88c82179968983af11c18f0b4eda60 |
| SHA1 | 00123a5a438fe3a0945b112f4e5ddbd5451421f0 |
| SHA256 | 20d3b3d70781db72ffa70dcb3c75ec7d48b09092ea203f19738c9fe11894e7b7 |
| SHA512 | b8fb7919c4207fb9279c9ba5f4f5d6bc8327eae21992ad61a242f24ebf763cb2aecbac14bf635405b8904e7decc0449563a354865f44fdb0042d0b46254903a9 |
C:\Users\Admin\AppData\Local\Temp\juizf.exe
| Hash | Value |
|---|---|
| MD5 | d52b544e2e688291a7122e835e9bc700 |
| SHA1 | 9fd04f03c31f443f96ad2bb30e8ebf70f1cf168f |
| SHA256 | 064cb57860b4e10de57e3e443f023bf5eda64d7078eb51cf4eeffbc79d737cb8 |
| SHA512 | 0dbb2823a90d5c17377189e1043c43b7f46984a19c9bd110aed20e81eeb63ad9380d52fa7d4bdcc2cc328b4d1df8ee3592157d80f2803a8d18859f6e6df30a39 |
memory/3040-35-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2804-34-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2804-32-0x00000000036C0000-0x000000000371C000-memory.dmp
memory/2708-36-0x00000000024D0000-0x000000000252C000-memory.dmp
memory/3040-37-0x0000000000400000-0x000000000045C000-memory.dmp
memory/1752-57-0x00000000009F0000-0x0000000000A72000-memory.dmp
memory/3040-56-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ulhux.exe
| Hash | Value |
|---|---|
| MD5 | c47b79ccba0bcd28795d8f5c4bf797fe |
| SHA1 | 965a69ac90fb806c45bc673500e8be2ccb472288 |
| SHA256 | 4a66b16bba7e0b8d4dea5bb649df355758133b5d00d8aab2f8ed6d142bf33121 |
| SHA512 | 64812c0027111ef235ac55bc9a39086daa6d08a01650252a9d886777edc7da03c2665a795588101928e1f4d5de9c68217949814a97b65a20db8a0b43f6c9cb46 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | 37bba20cb649bd8ad7f6a39610fe9e57 |
| SHA1 | a1d019f4e2b5044fa7b45f2463fd4d9ca2e96b76 |
| SHA256 | 415e8629e0827c7a5c5a9d2c738a35722525f239dea3893fb1a73f8a7bd9b056 |
| SHA512 | fb9d4e36cd2e6e46d9bb97b88bddb6f19394291b5b3e0652d792110a3779bfaf187808450cf3fc889342ffd72920c5a77bd7a5592c89b287527b18dfd7025dc1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 00:48
Reported
2024-10-13 00:51
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
97s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\lexuym.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ovofl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ovofl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lexuym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\veguj.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\veguj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ovofl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lexuym.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe
"C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe"
C:\Users\Admin\AppData\Local\Temp\ovofl.exe
"C:\Users\Admin\AppData\Local\Temp\ovofl.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\lexuym.exe
"C:\Users\Admin\AppData\Local\Temp\lexuym.exe" OK
C:\Users\Admin\AppData\Local\Temp\veguj.exe
"C:\Users\Admin\AppData\Local\Temp\veguj.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/2764-0-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ovofl.exe
| Hash | Value |
|---|---|
| MD5 | ac835dc370e67bfe6d7896b7d1772b53 |
| SHA1 | 8ed7bb949143be3b36482916cf8cfaeee32572b5 |
| SHA256 | f2063a8870521aef3eb2c13a5cd13615292ac64532e44179f333d15daaec4a2b |
| SHA512 | 66871d8362015dc56bc9628b5d5d66acc393e2f0f6a166289a055a795bbc948c090dde57bac5535503154a888ca104584f2a967e8131eb7d80c50b2ae4cf9f45 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | a5254c72e0444330ef741c3be17c6a86 |
| SHA1 | 4bf91b592b1e4877d3e1c15f07a4b20b239eadae |
| SHA256 | f960bbc15defa3c448f96588f708de3d4b970bb0c3fc5ca9ddea18a763835c7c |
| SHA512 | ab6ac3f705a2189fb9e5c976a6b43336e36d788c74a9fe5801f986abfcfcdd9cb4205d1cca3e74d520ac0c7de33bde52f8dcbab7469363ed43265f93a7b89fb1 |
memory/2764-14-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | 40c0cecdb6095e9022f9b96cd55f10a3 |
| SHA1 | b5be5385481f9373aa7bcc2fed4e21d5c0cf79da |
| SHA256 | a0cdb22e6cbadeaf877aba273d6fa7b5c5162fa0a8671207364ac7607ddf5d24 |
| SHA512 | 759cba8c297f7a1e2b0f9e4467fe9f27236eb41ecb99cf37d90828e03d2462949f7280a8a2c36b2067af3a803a8b6986bedf9144602e7cfbbbaef4e5f5b41e73 |
memory/1728-24-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4712-25-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\veguj.exe
| Hash | Value |
|---|---|
| MD5 | 9d27b50a0db2a28a8ee253e15d4f3765 |
| SHA1 | 8779848bd5850c22585a1dcf6625d450e621ff3e |
| SHA256 | 35b11e97f06e8d95070d28c85e7a5709e26c62add5a9699bdd9558de4a2b80ed |
| SHA512 | 993ac62e6bcefd8afa4b4927f1501a8f326c2bcc1062def8c11ec9ffef14d0924add8f228549133968936932613d54add81dcfd490d1839d3b20cf5eca343857 |
memory/816-37-0x0000000000510000-0x0000000000592000-memory.dmp
memory/4712-39-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | 8ebc735d89a847088117dc9afe7520f6 |
| SHA1 | e8a915304c7e92f71070666025adee72efb06977 |
| SHA256 | ad194d0f56b74f783d169a08bb75861ef5aabc190efc3b9e8ce13219da393eeb |
| SHA512 | f3d504776495ced3f0e67b2a1efe2c4d104016f73aaa6b24ec67136206357b2e46381051a8875a8384b23ceeae8d2b0e4ac4b5c69186908b5d4eac158ef89c30 |