Analysis Overview
SHA256
3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3
Threat Level: Known bad
The file 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 18:36
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 18:36
Reported
2024-10-13 18:38
Platform
win7-20240903-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hudim.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iffop.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hudim.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hudim.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hudim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iffop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iffop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iffop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iffop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iffop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iffop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iffop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iffop.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe
"C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe"
C:\Users\Admin\AppData\Local\Temp\hudim.exe
"C:\Users\Admin\AppData\Local\Temp\hudim.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe
"C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe" OK
C:\Users\Admin\AppData\Local\Temp\iffop.exe
"C:\Users\Admin\AppData\Local\Temp\iffop.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2576-2-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/2576-20-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/1076-21-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8ec417611ffff405ad120efcc1bf7218 |
| SHA1 | 22ae0bc1858edde9793b1c73e585f5b1ec3bf2ed |
| SHA256 | 4fcb48e19e345e1e27f58607663e7e2783f8688689390f495d4866e300623b8c |
| SHA512 | 105b287ff8a259f25861d2e27ac98db9a554545207437323303c30debeea8aad8e1a40bfd91f8b77fbd476673d1a12416eb4137792393398a0b853f8ff2a5575 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 14a0f7101e3ae9c32c1a731b1ecf75a4 |
| SHA1 | e190c00057aa743d0ef848cee5f7a9884437b40b |
| SHA256 | 72b591dede10dc06d398145163bbb9a8fbe5cbe99e8e3e17b6c5cb02e4224c20 |
| SHA512 | f818dae6733c89359f38d8b8f843d3562534cfd604dd2a82ed29da178709fe1b707be418c4a74e29ef7c294030e0854d0e38fb901247d881481e3f0be936ed70 |
C:\Users\Admin\AppData\Local\Temp\hudim.exe
| MD5 | e769569db4dff88f1c83d85e57055677 |
| SHA1 | 4e91a23ffca7493e5f929510858f8e80cbf049d4 |
| SHA256 | 395efd4dffbd978dd28fa813b8f374eda1ff0b990750875ecc202844a70aa8be |
| SHA512 | 680c959aff8dc3ac16dc20a38d14a492b1ae4618c2c0979731b4e0f102621f9089fd30990b96a9a9f29111fd33fc3725a21e73f749f7512acddc6de7e0365740 |
memory/2832-33-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/1076-32-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/2576-35-0x00000000024E0000-0x00000000025AB000-memory.dmp
memory/2832-36-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 20cac879fc2de119a2729a9777e7aef9 |
| SHA1 | 617311ffe53164445b83fee5f2bdb3b7e58d84f0 |
| SHA256 | 4f68a103e6747c40119b8e1a9f775a5b4573da7b52a330c86054a829314540b2 |
| SHA512 | a82c7e655ac874d515f68b2bb03d6472dba5f589b894842e38ea33e8ceec4a4df912acf5c3aa342bb85f157709b755bcece4bee8c98def02813a4b30034cc29a |
C:\Users\Admin\AppData\Local\Temp\iffop.exe
| MD5 | 2c8e2a49ca0a8521549dddce944a4e52 |
| SHA1 | 9a20ccdfaa15afc406893401b76df72b44e1e27d |
| SHA256 | 617593f75157ca65aab5b704567fbc2527859c4964c0c7a2ccc1bad60f722682 |
| SHA512 | b85a2ca1582dc5c4cc20fecfe9f591f62a0f51247f22da402fa4949adac579b75c1c6213deb1fa0113193bb9a54cad395e895fce3c5530e8f53269b06a2b791e |
memory/2856-57-0x0000000000400000-0x0000000000622000-memory.dmp
memory/2832-55-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/2832-54-0x0000000003DF0000-0x0000000004012000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/2832-61-0x0000000003DF0000-0x0000000004012000-memory.dmp
memory/2856-62-0x0000000000400000-0x0000000000622000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 18:36
Reported
2024-10-13 18:38
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
96s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\doefi.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xixole.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\doefi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xixole.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\doefi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xixole.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybzob.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe
"C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe"
C:\Users\Admin\AppData\Local\Temp\doefi.exe
"C:\Users\Admin\AppData\Local\Temp\doefi.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\xixole.exe
"C:\Users\Admin\AppData\Local\Temp\xixole.exe" OK
C:\Users\Admin\AppData\Local\Temp\ybzob.exe
"C:\Users\Admin\AppData\Local\Temp\ybzob.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.210.23.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/3280-0-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\doefi.exe
| MD5 | ee2b9d98c25eaad7a432a09b8442b629 |
| SHA1 | ecb4b5153d91b98639ed970f5c2063fd8d7289c1 |
| SHA256 | 75e1b718f3a77bdd9fcafd689f8d6861de98f115519304838be8d23eae4c2ed5 |
| SHA512 | 27091bbaf636f95ff9b420ee7de74e38cd1ac9cfc5b8c88733656ed2e82b9200c89172986b61e1d6e3798d6886eb3c422134c7b9aee2f5d5bc8dbee221f1c832 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ee1a963c736c6de8bc622ff38e8a8476 |
| SHA1 | c590d9023b188881c438a91defea048472a0eb55 |
| SHA256 | 711b83af3ce57268eda9d12b361730306ee880855c881ee4d0b93f2046736ade |
| SHA512 | 867beb41a3746ab4c7e2eafd3f9cd198654dd9ed6c2a25a20ad98191d4726a1b8cd0ec182db4416cce991f821a33d2f41c14eb1515363fa367e55c0308baef5f |
memory/3280-14-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 14a0f7101e3ae9c32c1a731b1ecf75a4 |
| SHA1 | e190c00057aa743d0ef848cee5f7a9884437b40b |
| SHA256 | 72b591dede10dc06d398145163bbb9a8fbe5cbe99e8e3e17b6c5cb02e4224c20 |
| SHA512 | f818dae6733c89359f38d8b8f843d3562534cfd604dd2a82ed29da178709fe1b707be418c4a74e29ef7c294030e0854d0e38fb901247d881481e3f0be936ed70 |
memory/4640-23-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/1060-25-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ybzob.exe
| MD5 | c405e1b0ec8b6d9a99a992153fae45e7 |
| SHA1 | f6fb9e2b1605b95cdb97424337f4cd66d7b2ca8d |
| SHA256 | 5e6c2649024afaaf3bceaf1de7798a6b19d8ae7c41e1b957b71a4290d264e080 |
| SHA512 | 7f5c6fcfe24b6b4d81dc30d3b1512e612cb9c1781e80cf38ad631bc30f8dce7bd9ef23a6c644112447ddbd51ca9a83742e550397e3b3b8f99836f2e7f62c0d06 |
memory/2148-37-0x0000000000400000-0x0000000000622000-memory.dmp
memory/1060-39-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | b6d1c3fa47828a7fedf267f2febbb887 |
| SHA1 | 3a2f8e8afae9baee72e71efbb1bd45fdbd3f858d |
| SHA256 | 3466a0c189f515c14f0ede59be0c53dd23e7e37429dd99b4941f374e1a675589 |
| SHA512 | fd8bd8410b802849ec0fdd71150b0555f45e37c099cb5a2ddac340757fc722e8e3f761ff49042dd4cdf7cc7b3af4877aa69b8263256d046da3692367e0c91976 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/2148-42-0x0000000000400000-0x0000000000622000-memory.dmp