Malware Analysis Report

2024-11-16 13:25

Sample ID 241013-a551favcmr
Target 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1
SHA256 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1
Tags
urelas discovery trojan
score
10/10


Analysis Overview

score
10/10

SHA256

972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1

Threat Level: Known bad

The file 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Urelas family

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Deletes itself

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 00:48

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 00:48

Reported

2024-10-13 00:51

Platform

win7-20240903-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\juizf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ozkeby.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ulhux.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ozkeby.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ulhux.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\juizf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ulhux.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2708 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe C:\Users\Admin\AppData\Local\Temp\juizf.exe
PID 2708 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\juizf.exe C:\Users\Admin\AppData\Local\Temp\ozkeby.exe
PID 3040 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\ozkeby.exe C:\Users\Admin\AppData\Local\Temp\ulhux.exe
PID 3040 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\ozkeby.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe

"C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe"

C:\Users\Admin\AppData\Local\Temp\juizf.exe

"C:\Users\Admin\AppData\Local\Temp\juizf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\ozkeby.exe

"C:\Users\Admin\AppData\Local\Temp\ozkeby.exe" OK

C:\Users\Admin\AppData\Local\Temp\ulhux.exe

"C:\Users\Admin\AppData\Local\Temp\ulhux.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2708-0-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2708-19-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 40c0cecdb6095e9022f9b96cd55f10a3
SHA1 b5be5385481f9373aa7bcc2fed4e21d5c0cf79da
SHA256 a0cdb22e6cbadeaf877aba273d6fa7b5c5162fa0a8671207364ac7607ddf5d24
SHA512 759cba8c297f7a1e2b0f9e4467fe9f27236eb41ecb99cf37d90828e03d2462949f7280a8a2c36b2067af3a803a8b6986bedf9144602e7cfbbbaef4e5f5b41e73

memory/2804-21-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 eb88c82179968983af11c18f0b4eda60
SHA1 00123a5a438fe3a0945b112f4e5ddbd5451421f0
SHA256 20d3b3d70781db72ffa70dcb3c75ec7d48b09092ea203f19738c9fe11894e7b7
SHA512 b8fb7919c4207fb9279c9ba5f4f5d6bc8327eae21992ad61a242f24ebf763cb2aecbac14bf635405b8904e7decc0449563a354865f44fdb0042d0b46254903a9

C:\Users\Admin\AppData\Local\Temp\juizf.exe

MD5 d52b544e2e688291a7122e835e9bc700
SHA1 9fd04f03c31f443f96ad2bb30e8ebf70f1cf168f
SHA256 064cb57860b4e10de57e3e443f023bf5eda64d7078eb51cf4eeffbc79d737cb8
SHA512 0dbb2823a90d5c17377189e1043c43b7f46984a19c9bd110aed20e81eeb63ad9380d52fa7d4bdcc2cc328b4d1df8ee3592157d80f2803a8d18859f6e6df30a39

memory/3040-35-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2804-34-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2804-32-0x00000000036C0000-0x000000000371C000-memory.dmp

memory/2708-36-0x00000000024D0000-0x000000000252C000-memory.dmp

memory/3040-37-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1752-57-0x00000000009F0000-0x0000000000A72000-memory.dmp

memory/3040-56-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ulhux.exe

MD5 c47b79ccba0bcd28795d8f5c4bf797fe
SHA1 965a69ac90fb806c45bc673500e8be2ccb472288
SHA256 4a66b16bba7e0b8d4dea5bb649df355758133b5d00d8aab2f8ed6d142bf33121
SHA512 64812c0027111ef235ac55bc9a39086daa6d08a01650252a9d886777edc7da03c2665a795588101928e1f4d5de9c68217949814a97b65a20db8a0b43f6c9cb46

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 37bba20cb649bd8ad7f6a39610fe9e57
SHA1 a1d019f4e2b5044fa7b45f2463fd4d9ca2e96b76
SHA256 415e8629e0827c7a5c5a9d2c738a35722525f239dea3893fb1a73f8a7bd9b056
SHA512 fb9d4e36cd2e6e46d9bb97b88bddb6f19394291b5b3e0652d792110a3779bfaf187808450cf3fc889342ffd72920c5a77bd7a5592c89b287527b18dfd7025dc1

memory/1752-60-0x00000000009F0000-0x0000000000A72000-memory.dmp

memory/1752-61-0x00000000009F0000-0x0000000000A72000-memory.dmp

memory/1752-62-0x00000000009F0000-0x0000000000A72000-memory.dmp

memory/1752-63-0x00000000009F0000-0x0000000000A72000-memory.dmp

memory/1752-64-0x00000000009F0000-0x0000000000A72000-memory.dmp

memory/1752-65-0x00000000009F0000-0x0000000000A72000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 00:48

Reported

2024-10-13 00:51

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\lexuym.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ovofl.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ovofl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lexuym.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\veguj.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\veguj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ovofl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lexuym.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\veguj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe C:\Users\Admin\AppData\Local\Temp\ovofl.exe
PID 2764 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\ovofl.exe C:\Users\Admin\AppData\Local\Temp\lexuym.exe
PID 4712 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\lexuym.exe C:\Users\Admin\AppData\Local\Temp\veguj.exe
PID 4712 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\lexuym.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe

"C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe"

C:\Users\Admin\AppData\Local\Temp\ovofl.exe

"C:\Users\Admin\AppData\Local\Temp\ovofl.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\lexuym.exe

"C:\Users\Admin\AppData\Local\Temp\lexuym.exe" OK

C:\Users\Admin\AppData\Local\Temp\veguj.exe

"C:\Users\Admin\AppData\Local\Temp\veguj.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/2764-0-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ovofl.exe

MD5 ac835dc370e67bfe6d7896b7d1772b53
SHA1 8ed7bb949143be3b36482916cf8cfaeee32572b5
SHA256 f2063a8870521aef3eb2c13a5cd13615292ac64532e44179f333d15daaec4a2b
SHA512 66871d8362015dc56bc9628b5d5d66acc393e2f0f6a166289a055a795bbc948c090dde57bac5535503154a888ca104584f2a967e8131eb7d80c50b2ae4cf9f45

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a5254c72e0444330ef741c3be17c6a86
SHA1 4bf91b592b1e4877d3e1c15f07a4b20b239eadae
SHA256 f960bbc15defa3c448f96588f708de3d4b970bb0c3fc5ca9ddea18a763835c7c
SHA512 ab6ac3f705a2189fb9e5c976a6b43336e36d788c74a9fe5801f986abfcfcdd9cb4205d1cca3e74d520ac0c7de33bde52f8dcbab7469363ed43265f93a7b89fb1

memory/2764-14-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 40c0cecdb6095e9022f9b96cd55f10a3
SHA1 b5be5385481f9373aa7bcc2fed4e21d5c0cf79da
SHA256 a0cdb22e6cbadeaf877aba273d6fa7b5c5162fa0a8671207364ac7607ddf5d24
SHA512 759cba8c297f7a1e2b0f9e4467fe9f27236eb41ecb99cf37d90828e03d2462949f7280a8a2c36b2067af3a803a8b6986bedf9144602e7cfbbbaef4e5f5b41e73

memory/1728-24-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4712-25-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\veguj.exe

MD5 9d27b50a0db2a28a8ee253e15d4f3765
SHA1 8779848bd5850c22585a1dcf6625d450e621ff3e
SHA256 35b11e97f06e8d95070d28c85e7a5709e26c62add5a9699bdd9558de4a2b80ed
SHA512 993ac62e6bcefd8afa4b4927f1501a8f326c2bcc1062def8c11ec9ffef14d0924add8f228549133968936932613d54add81dcfd490d1839d3b20cf5eca343857

memory/816-37-0x0000000000510000-0x0000000000592000-memory.dmp

memory/4712-39-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 8ebc735d89a847088117dc9afe7520f6
SHA1 e8a915304c7e92f71070666025adee72efb06977
SHA256 ad194d0f56b74f783d169a08bb75861ef5aabc190efc3b9e8ce13219da393eeb
SHA512 f3d504776495ced3f0e67b2a1efe2c4d104016f73aaa6b24ec67136206357b2e46381051a8875a8384b23ceeae8d2b0e4ac4b5c69186908b5d4eac158ef89c30

memory/816-41-0x0000000000510000-0x0000000000592000-memory.dmp

memory/816-42-0x0000000000510000-0x0000000000592000-memory.dmp

memory/816-43-0x0000000000510000-0x0000000000592000-memory.dmp

memory/816-44-0x0000000000510000-0x0000000000592000-memory.dmp

memory/816-45-0x0000000000510000-0x0000000000592000-memory.dmp

memory/816-46-0x0000000000510000-0x0000000000592000-memory.dmp