Malware Analysis Report

2024-11-16 13:25

Sample ID 241013-xmq5wsserg
Target 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1
SHA256 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1
Tags
urelas aspackv2 discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1

Threat Level: Known bad

The file 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1 was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 discovery trojan

Urelas

Urelas family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

ASPack v2.12-2.42

Deletes itself

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 18:58

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 18:58

Reported

2024-10-13 19:01

Platform

win7-20240903-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xigoe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lorua.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xigoe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lorua.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lorua.exe | N/A (62 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2280 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | C:\Users\Admin\AppData\Local\Temp\xigoe.exe (4 identical rows)
PID 2280 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2840 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\xigoe.exe | C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe (4 identical rows)
PID 2780 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe | C:\Users\Admin\AppData\Local\Temp\lorua.exe (4 identical rows)
PID 2780 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe | C:\Windows\SysWOW64\cmd.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe

"C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe"

C:\Users\Admin\AppData\Local\Temp\xigoe.exe

"C:\Users\Admin\AppData\Local\Temp\xigoe.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe

"C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe" OK

C:\Users\Admin\AppData\Local\Temp\lorua.exe

"C:\Users\Admin\AppData\Local\Temp\lorua.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11110 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.31.165:11110 | | tcp
JP | 133.242.129.155:11110 | | tcp

Files

memory/2280-2-0x0000000000400000-0x0000000000458000-memory.dmp

\Users\Admin\AppData\Local\Temp\xigoe.exe

MD5 486b148b753069d1894474f4f75e01c4
SHA1 0e19b78416184de4efe6644c014ba38fe8b25a03
SHA256 993bc8569b4821720a61e3a0cd96e02be3b1b6e9b46f37b4fc106eadfe1e1568
SHA512 b45dbacd60a11725bc94ad8fc489425d05479c3ed9adb4613f262864b5640be69c639b705916c6832fc56f253f5401384913d247c14d2c3a23f8c46c400e61f5

memory/2280-5-0x0000000002AB0000-0x0000000002B08000-memory.dmp

memory/2840-14-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 c6aab2b0ddc6c37775297be3b1e51c45
SHA1 0166a1d9aa16a11af6c8389064288686af62d843
SHA256 e0ba9a98144815c6969cb0c26b1bf089cda1b792adf217eab50b7e77bcc41fa6
SHA512 e3021a9722fae7cbdc9278e71e21d545dca5726b28e7255ffe5ba90169101bc2bcdd9df95caf4604af6d09b810eaa7949572483302720f9dddaddff9c5b1706a

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 770cdab69a28fa9a1cf16240d51f758a
SHA1 164154361f4ccaca43687c1a1f0d9999383ebe4a
SHA256 fbadee865fe00289a978424feccd4db1c1126fbee1b806cf1acfaa8fcb049310
SHA512 225a067a51a6ff2eb827c13c0a6195efd2ec9d76cbb931b2743bb7d3ce4813853c4fc5afb3423b8f28a41bb080fe901cf5d768010bad87254a44dad3166549a7

memory/2280-24-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2840-32-0x0000000002F30000-0x0000000002F88000-memory.dmp

memory/2840-35-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2840-33-0x0000000002F30000-0x0000000002F88000-memory.dmp

memory/2780-37-0x0000000000400000-0x0000000000458000-memory.dmp

\Users\Admin\AppData\Local\Temp\lorua.exe

MD5 1789b8fa0ee06dbc7da2fd7d292c0002
SHA1 5439be5ee772db7263093d39c8cea36836c2aee6
SHA256 5f4691a07dc51e0232ad55b59a225f502348c4df223180aba233518993833429
SHA512 5228f7a95adfb0252d2cc3118068dd1e504b8de78525c804af394a2b6e8e9aa1e841aec9a03c5084144f0f731f11d46afc19e080c9dc29d01aa496c170602f02

memory/2780-42-0x00000000039C0000-0x0000000003A4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 cfe886bc155270c247620b2da2b00020
SHA1 6dbee9bd94b8470fd19b1cce102597511b0256a0
SHA256 6d63c895ded6aa6939f4a9e1511c43c5117f7256ac12a61296a7be342101bcaf
SHA512 3f77ce65f4f582c9741b5f8292daf149615817fcaab6e61f5144dbcc33bd2de945f90114c80f8bc514acc278d7f30385a6a5540265cf8726820ef1a227a49db6

memory/2780-57-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1924-56-0x0000000000960000-0x00000000009EC000-memory.dmp

memory/1924-55-0x0000000000960000-0x00000000009EC000-memory.dmp

memory/1924-54-0x0000000000960000-0x00000000009EC000-memory.dmp

memory/1924-60-0x0000000000960000-0x00000000009EC000-memory.dmp

memory/1924-61-0x0000000000960000-0x00000000009EC000-memory.dmp

memory/1924-62-0x0000000000960000-0x00000000009EC000-memory.dmp

memory/1924-63-0x0000000000960000-0x00000000009EC000-memory.dmp

memory/1924-64-0x0000000000960000-0x00000000009EC000-memory.dmp

memory/1924-65-0x0000000000960000-0x00000000009EC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 18:58

Reported

2024-10-13 19:01

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bowuw.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\veovce.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bowuw.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\veovce.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qohuy.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\veovce.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qohuy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bowuw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qohuy.exe | N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2792 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | C:\Users\Admin\AppData\Local\Temp\bowuw.exe (3 identical rows)
PID 2792 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4572 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\bowuw.exe | C:\Users\Admin\AppData\Local\Temp\veovce.exe (3 identical rows)
PID 2872 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\veovce.exe | C:\Users\Admin\AppData\Local\Temp\qohuy.exe (3 identical rows)
PID 2872 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\veovce.exe | C:\Windows\SysWOW64\cmd.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe

"C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe"

C:\Users\Admin\AppData\Local\Temp\bowuw.exe

"C:\Users\Admin\AppData\Local\Temp\bowuw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\veovce.exe

"C:\Users\Admin\AppData\Local\Temp\veovce.exe" OK

C:\Users\Admin\AppData\Local\Temp\qohuy.exe

"C:\Users\Admin\AppData\Local\Temp\qohuy.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
KR | 218.54.31.226:11110 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
KR | 218.54.31.165:11110 | | tcp
US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp
JP | 133.242.129.155:11110 | | tcp
US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

memory/2792-0-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bowuw.exe

MD5 96f89f8e32e859d09815daf6994ec155
SHA1 42f51d1b677f2e17df7f6c2f7c123ba40d5355d8
SHA256 0f6c49502a84a75ad7885b0ed4bc776695905a2dab4e7d6e3cbc3cf76c9e0e48
SHA512 6cfdd9844ac5061aa10cf8b301a02ce8c1e2e38c4e83e3d013be848e23f414ba341444ac34c68adbf101349561788ac7fc2a14a1683784e25ce789c78456bd92

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 28f1b8a0befd4bfda4e57ea27f84272c
SHA1 d1fb9e812c4f9ddbe00433898d5cbb4a2b4e01e6
SHA256 8560b939c1f554f4c1e099143f1c7c4cdbac8a6cdbd714d743610ac2543da282
SHA512 3108f40caed36ecd1fb37fa8289856a50247ea9af4511ec109aefc7b28ef2f67d2971286c51b925ea6b18c6ad4b945e30f183d1541e32c8fdf614fad86690827

memory/2792-14-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 770cdab69a28fa9a1cf16240d51f758a
SHA1 164154361f4ccaca43687c1a1f0d9999383ebe4a
SHA256 fbadee865fe00289a978424feccd4db1c1126fbee1b806cf1acfaa8fcb049310
SHA512 225a067a51a6ff2eb827c13c0a6195efd2ec9d76cbb931b2743bb7d3ce4813853c4fc5afb3423b8f28a41bb080fe901cf5d768010bad87254a44dad3166549a7

memory/2872-25-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4572-24-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2872-26-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qohuy.exe

MD5 b0a8a1829adc67838d2524944c93f722
SHA1 c47d1212d9973a83d707dc43e96b96f65420dd02
SHA256 a84e17a1e7dd81f657581f6b844ed83162e828d39ca7a9e12702b1a35d7d76b6
SHA512 9743ba4e68940eac91e6b31a61c11f5b3f1cb96dc8aa63825d94a9e434ccad4e076d1c7c9115ffb76fc2769bb2f7e335aff8ae2588858d73f0a34553630c0627

memory/2524-38-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

memory/2524-39-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

memory/2872-43-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2524-41-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

memory/2524-40-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 57bbf78f17b41f19b8de2b566d15b842
SHA1 eba9fcae6d5ddd15d394a3eb9669569f7cd9fb89
SHA256 606faa26d741fb44c7bfecf733c3bd5eee9430cae2bb37cb223a32c3da1cb9f3
SHA512 0cd6e7c29acdd73afe4d3ba223f9d329d16a19d01774a5ebbf41ee38ec4f29c0a5314f04d1d7120ab0621a2d144292a108868e77b498c2ffcc026ae57b211c99

memory/2524-45-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

memory/2524-46-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

memory/2524-47-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

memory/2524-48-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

memory/2524-49-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

memory/2524-50-0x0000000000AC0000-0x0000000000B4C000-memory.dmp