Analysis Overview
SHA256
9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288a
Threat Level: Known bad
The file 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Deletes itself
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK (Enterprise Matrix V15)
System Location Discovery: System Language Discovery (T1614.001)
Analysis: static1
Detonation Overview
Reported
2024-10-13 15:36
Signatures
Urelas family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 15:36
Reported
2024-10-13 15:38
Platform
win7-20240729-en
Max time kernel
120s
Max time network
77s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fulaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tobeo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fulaq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fulaq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tobeo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
"C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"
C:\Users\Admin\AppData\Local\Temp\fulaq.exe
"C:\Users\Admin\AppData\Local\Temp\fulaq.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\tobeo.exe
"C:\Users\Admin\AppData\Local\Temp\tobeo.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/588-0-0x0000000000400000-0x0000000000465000-memory.dmp
\Users\Admin\AppData\Local\Temp\fulaq.exe
| MD5 | 08adffe2aabfef6fce9d1f68e2d03f0e |
| SHA1 | 37810e61a918c5bda4b2cc8e1304d5d28b9e5258 |
| SHA256 | 9fdd5c77d66e3640295496ed4e6919662462267a47056a75dfa44c00152ebb77 |
| SHA512 | 64e8101110be6b5f36134590de16e9d3963320843596fe3fcc8b818f427beed518e9e6946e61c20f864f434fab4923946077db713f35d5e00c34c57d11b1514f |
memory/1192-13-0x0000000000400000-0x0000000000465000-memory.dmp
memory/588-11-0x0000000002530000-0x0000000002595000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 7b005e68ba608bed0f82bca950281e7f |
| SHA1 | d8aa71bb2248e59685668514c773d382d9c711bd |
| SHA256 | 63c7dc1e1a47cd86a2b29d1b1ffed7c12aeeb85c4c994ac5088456b335188a6c |
| SHA512 | c0b6a6d0d5e11d44545f446588261480d8b76db73177c35b1cd335de60342a02133c990a35ccfd042fae9e4adeba3a969ba7b48f2f674a41461ef5a7d3431cd7 |
memory/588-21-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 456598d98a5e0e49002099a2ea4d88d2 |
| SHA1 | be400359ae3cf48df86d24cc798a6716a8422fb9 |
| SHA256 | 687a63cc1b85b104faebfa540b34ae5d961efec099c1f4d915d813cd27c20bfe |
| SHA512 | 682a186572a8d7188a8a2996fca0132cfd391f89447da19f3a047794fc729169e595f7c1a26ccf309d9e1dbac5bde38fd29b49729eafdb5794d6d8fc8d1caf10 |
memory/1192-24-0x0000000000400000-0x0000000000465000-memory.dmp
\Users\Admin\AppData\Local\Temp\tobeo.exe
| MD5 | dce35959000225209be8645511d6add2 |
| SHA1 | 31324e1b76c71fdcc9880f09aff5a8fb60878a1f |
| SHA256 | 04a7d017da8d38c02d748461d175df169955a005d8959ee006fa6965c8892a77 |
| SHA512 | bc446377c6395ef38bedeea8ce1728584bee985910ee7e3a62f06595acdd62501a3dfd2169a35fe7c120ffa8cd1fcaf83d9aa2358d2e5c28af0703abe34b7a87 |
memory/1192-29-0x0000000003DA0000-0x0000000003E34000-memory.dmp
memory/2144-33-0x0000000000890000-0x0000000000924000-memory.dmp
memory/1192-31-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2144-36-0x0000000000890000-0x0000000000924000-memory.dmp
memory/2144-35-0x0000000000890000-0x0000000000924000-memory.dmp
memory/2144-34-0x0000000000890000-0x0000000000924000-memory.dmp
memory/2144-38-0x0000000000890000-0x0000000000924000-memory.dmp
memory/2144-39-0x0000000000890000-0x0000000000924000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 15:36
Reported
2024-10-13 15:38
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\foibm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\foibm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loupi.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\loupi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\foibm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
"C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"
C:\Users\Admin\AppData\Local\Temp\foibm.exe
"C:\Users\Admin\AppData\Local\Temp\foibm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\loupi.exe
"C:\Users\Admin\AppData\Local\Temp\loupi.exe"
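The process list above, like the one recorded for behavioral1, shows the same chain: the sample runs from the user's Temp directory, starts a dropped executable with a random five-letter name in the same directory, hands a dropped _uinsey.bat to cmd.exe with /c (the process the "Deletes itself" signature fired on), and a second dropped executable appears. The report lists command lines but not parent processes, so the parent links in the constructed events below are assumptions. The following is an added example, not code from the report or the sandbox vendor: two detection rules over process-creation events that capture this chain without depending on the per-run file names.

```python
import re
from dataclasses import dataclass

# Paths exactly as they appear in the report's Processes sections.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Constructed process-creation events mirroring behavioral1. PIDs and the
# parent links are assumptions: the report lists command lines, not parents.
EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(588, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1192, 588, TEMP + r"\fulaq.exe", f'"{TEMP}\\fulaq.exe"'),
    ProcEvent(1300, 588, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /c ""{TEMP}\\_uinsey.bat" "'),
    ProcEvent(2144, 1192, TEMP + r"\tobeo.exe", f'"{TEMP}\\tobeo.exe"'),
    # Benign control: a System32 binary started by explorer must not fire.
    ProcEvent(3000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Any per-user Temp directory, not only the sandbox's Admin account.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Path of a .bat handed to cmd.exe via /c, tolerant of the doubled quotes seen above.
BAT_RE = re.compile(r'/c\s+"*([a-z]:\\[^"]+?\.bat)"', re.IGNORECASE)


def in_user_temp(path: str) -> bool:
    return USER_TEMP_RE.search(path) is not None


def find_temp_chains(events):
    """Rule 1 ('Executes dropped EXE'): an executable running from a user Temp
    directory starts another executable from a user Temp directory.
    Returns (parent image, child image) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent is not None and in_user_temp(parent.image)
                and in_user_temp(e.image) and e.image.lower().endswith(".exe")):
            hits.append((parent.image, e.image))
    return hits


def find_temp_batch_launch(events):
    """Rule 2 ('Deletes itself' launcher): cmd.exe, started by a Temp-resident
    executable, runs a .bat that also lives in a user Temp directory.
    Returns (parent image, batch path) pairs."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if (m and in_user_temp(m.group(1))
                and parent is not None and in_user_temp(parent.image)):
            hits.append((parent.image, m.group(1)))
    return hits


if __name__ == "__main__":
    for rule, hits in (("temp exe -> temp exe", find_temp_chains(EVENTS)),
                       ("cmd /c temp .bat", find_temp_batch_launch(EVENTS))):
        for hit in hits:
            print(rule + ":", *hit)
```

Rule 2 also matches the behavioral2 form of the command line (`C:\Windows\system32\cmd.exe /c ""...\_uinsey.bat" "`), since it keys on the /c argument rather than on how cmd.exe itself was named. Both rules are noisy on hosts where installers legitimately run from Temp; scope them to unsigned parents or pair them with the "Unsigned PE" finding before alerting.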
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
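Across both detonations the sample reached the same four endpoints, 218.54.31.226:11110, 218.54.31.165:11110, 133.242.129.155:11110 and 1.234.83.146:11170, with no DNS resolution preceding them, so the addresses are embedded in the binary rather than looked up. The 8.8.8.8:53 queries, the g.bing.com connection and the in-addr.arpa reverse lookups appear only in the Windows 10 run and are consistent with OS background activity rather than the sample; they should not go into a blocklist. The block below is an added example, not part of the report: it matches Zeek-style conn.log rows against the four endpoints and, separately, pivots on the two ports, which recur across hosts and are the more durable indicator if the operators rotate IPs. The log lines are constructed.

```python
# C2 endpoints observed in both behavioral runs (from the report's Network tables).
C2_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
    ("1.234.83.146", 11170),
}
C2_PORTS = {port for _, port in C2_ENDPOINTS}

# Constructed Zeek-style conn.log excerpt (TSV, reduced to the fields used here).
# Ck5 is a constructed unknown host on a family port; 203.0.113.0/24 is documentation space.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1728833800.1\tCk1\t10.0.0.5\t49210\t8.8.8.8\t53\tudp",
    "1728833801.2\tCk2\t10.0.0.5\t49211\t150.171.28.10\t443\ttcp",
    "1728833802.3\tCk3\t10.0.0.5\t49212\t218.54.31.226\t11110\ttcp",
    "1728833803.4\tCk4\t10.0.0.5\t49213\t1.234.83.146\t11170\ttcp",
    "1728833804.5\tCk5\t10.0.0.5\t49214\t203.0.113.9\t11110\ttcp",
])


def parse_conn_log(text):
    """Parse a Zeek TSV log: the #fields header names the columns, other
    '#' lines are metadata, every remaining line is one connection."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def match_c2(rows):
    """Exact (responder IP, port) hits against the report's C2 set; TCP only,
    because that is all the sandbox saw. Returns the matching uids."""
    return [r["uid"] for r in rows
            if r["proto"] == "tcp"
            and (r["id.resp_h"], int(r["id.resp_p"])) in C2_ENDPOINTS]


def port_pivot(rows):
    """Looser pivot: TCP to a family port at a responder that is not already a
    known endpoint. These are candidates for analyst review, not alerts.
    Returns (uid, responder IP) pairs."""
    return [(r["uid"], r["id.resp_h"]) for r in rows
            if r["proto"] == "tcp"
            and int(r["id.resp_p"]) in C2_PORTS
            and (r["id.resp_h"], int(r["id.resp_p"])) not in C2_ENDPOINTS]


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    print("C2 hits:", match_c2(rows))
    print("port pivot candidates:", port_pivot(rows))
```

In production, filter internal and reserved ranges out of the pivot and restrict it to sessions with payload in both directions; a bare SYN to port 11110 from a scanner will otherwise show up as a candidate.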
Files
memory/1540-0-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\foibm.exe
| MD5 | c49b5a7941e0bf83ae27639f59ca9e23 |
| SHA1 | 6794615e0c92e9e64aa13597eba6d23bf45c8075 |
| SHA256 | 7a02f6d44d607fb5e33f8e69070cad4435ca98e421bf99ef6dd7c6ce303afa30 |
| SHA512 | a65c03386a3cef9b15dd445153f5ab2068ff1f2a95235e97643aaac12db224851ff058ef65dd67bb2692df6a405fff3b2b90c2d056c1c58e3ae86f558547b88f |
memory/1540-13-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 7b005e68ba608bed0f82bca950281e7f |
| SHA1 | d8aa71bb2248e59685668514c773d382d9c711bd |
| SHA256 | 63c7dc1e1a47cd86a2b29d1b1ffed7c12aeeb85c4c994ac5088456b335188a6c |
| SHA512 | c0b6a6d0d5e11d44545f446588261480d8b76db73177c35b1cd335de60342a02133c990a35ccfd042fae9e4adeba3a969ba7b48f2f674a41461ef5a7d3431cd7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f91b982d6f50ea89b4e170ab5c39854b |
| SHA1 | 1b28a7ca5d52be9883b4cb067a9ebb69988406ea |
| SHA256 | 361e7527c45278fc944c3bd41ef8a8ef8847a7b03ad3b8ccb3a25788e05979df |
| SHA512 | 07368b730618a8e36730dd66743be3496d2e58f1d9057b2fabe5ad4e60da4a4ebe25be831e746731c241de07e83678029fc924a5088767e63dbd8706ec95960b |
memory/1960-16-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\loupi.exe
| MD5 | 76f224a80b09e3ca6c00422b31cffc8a |
| SHA1 | 7bf2e32a2aec28ade0edd245526b326f1ffa4191 |
| SHA256 | 9ff0e43f349b8e780fb1bccdbc3cd511c8fe353d5405c7f3fdabcbb591bdb437 |
| SHA512 | 3e20c65b10e2f0a2ca4dcf52d9eb96215e5db94cbee6b829e4cbce877e4f1cdd93c8a16901a4ab64fb015e42104b0dd762d624639f0551187913c61c899e4709 |
memory/4036-25-0x0000000000470000-0x0000000000504000-memory.dmp
memory/1960-26-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4036-27-0x0000000000470000-0x0000000000504000-memory.dmp
memory/4036-29-0x0000000000470000-0x0000000000504000-memory.dmp
memory/4036-28-0x0000000000470000-0x0000000000504000-memory.dmp
memory/4036-31-0x0000000000470000-0x0000000000504000-memory.dmp
memory/4036-32-0x0000000000470000-0x0000000000504000-memory.dmp
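Comparing the Files sections of the two runs: the dropped executables get different random names (fulaq.exe and tobeo.exe on Windows 7, foibm.exe and loupi.exe on Windows 10) and different hashes, and golfinfo.ini differs too, but _uinsey.bat is byte-identical in both runs (MD5 7b005e68ba608bed0f82bca950281e7f, SHA256 63c7dc1e1a47cd86a2b29d1b1ffed7c12aeeb85c4c994ac5088456b335188a6c). For host sweeps, therefore, the batch file's hash and the two fixed file names are the stable indicators, and the per-run executable hashes only catch these exact detonations. The block below is an added example, not from the report or the sandbox vendor: a hash-and-name sweep of a directory tree against those indicators. The `demo()` function builds a temporary directory of constructed files so the sweep can be exercised offline.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Hashes taken from the report's Files sections. Only the .bat is stable across runs.
IOC_HASHES = {
    "7b005e68ba608bed0f82bca950281e7f": "_uinsey.bat (MD5, both runs)",
    "63c7dc1e1a47cd86a2b29d1b1ffed7c12aeeb85c4c994ac5088456b335188a6c": "_uinsey.bat (SHA256, both runs)",
    "9fdd5c77d66e3640295496ed4e6919662462267a47056a75dfa44c00152ebb77": "fulaq.exe (SHA256, behavioral1)",
    "04a7d017da8d38c02d748461d175df169955a005d8959ee006fa6965c8892a77": "tobeo.exe (SHA256, behavioral1)",
    "7a02f6d44d607fb5e33f8e69070cad4435ca98e421bf99ef6dd7c6ce303afa30": "foibm.exe (SHA256, behavioral2)",
    "9ff0e43f349b8e780fb1bccdbc3cd511c8fe353d5405c7f3fdabcbb591bdb437": "loupi.exe (SHA256, behavioral2)",
}
# File names that were identical in both runs (the EXE names were not).
IOC_NAMES = {"_uinsey.bat", "golfinfo.ini"}


def file_digests(path):
    """MD5, SHA1, SHA256 and SHA512 of one file, computed in a single read."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root, hashes=IOC_HASHES, names=IOC_NAMES):
    """Walk `root`; return (path, [reasons]) for every file whose name or any
    digest matches an indicator. Unreadable files are skipped, not fatal."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in names:
            reasons.append(f"filename matches dropped file {path.name}")
        try:
            digests = file_digests(path)
        except OSError:
            continue
        for algo, digest in digests.items():
            if digest in hashes:
                reasons.append(f"{algo} matches {hashes[digest]}")
        if reasons:
            findings.append((str(path), reasons))
    return findings


def demo():
    """Build a constructed directory (a name hit, a hash hit, a clean file),
    sweep it, and return (basename, reasons) pairs."""
    root = tempfile.mkdtemp(prefix="urelas-sweep-")
    try:
        Path(root, "_uinsey.bat").write_bytes(b"constructed batch content")
        blob = b"constructed sample content"
        Path(root, "blob.bin").write_bytes(blob)
        Path(root, "clean.txt").write_bytes(b"nothing here")
        # Hash of the constructed blob stands in for a real dropped-file hash.
        test_hashes = {hashlib.sha256(blob).hexdigest(): "constructed test sample"}
        return [(os.path.basename(p), r) for p, r in sweep(root, hashes=test_hashes)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", "; ".join(reasons))
```

Point `sweep()` at every profile's AppData\Local\Temp rather than the whole volume: that is where both runs dropped their files, and it keeps the hashing cost proportional to the indicator.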