Analysis Overview
SHA256
12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1
Threat Level: Known bad
The file 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1 was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
ASPack v2.12-2.42
Deletes itself
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 18:58
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 18:58
Reported
2024-10-13 19:01
Platform
win7-20240903-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xigoe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lorua.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xigoe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xigoe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xigoe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lorua.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
"C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe"
C:\Users\Admin\AppData\Local\Temp\xigoe.exe
"C:\Users\Admin\AppData\Local\Temp\xigoe.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe
"C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe" OK
C:\Users\Admin\AppData\Local\Temp\lorua.exe
"C:\Users\Admin\AppData\Local\Temp\lorua.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2280-2-0x0000000000400000-0x0000000000458000-memory.dmp
\Users\Admin\AppData\Local\Temp\xigoe.exe
| MD5 | 486b148b753069d1894474f4f75e01c4 |
| SHA1 | 0e19b78416184de4efe6644c014ba38fe8b25a03 |
| SHA256 | 993bc8569b4821720a61e3a0cd96e02be3b1b6e9b46f37b4fc106eadfe1e1568 |
| SHA512 | b45dbacd60a11725bc94ad8fc489425d05479c3ed9adb4613f262864b5640be69c639b705916c6832fc56f253f5401384913d247c14d2c3a23f8c46c400e61f5 |
memory/2280-5-0x0000000002AB0000-0x0000000002B08000-memory.dmp
memory/2840-14-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | c6aab2b0ddc6c37775297be3b1e51c45 |
| SHA1 | 0166a1d9aa16a11af6c8389064288686af62d843 |
| SHA256 | e0ba9a98144815c6969cb0c26b1bf089cda1b792adf217eab50b7e77bcc41fa6 |
| SHA512 | e3021a9722fae7cbdc9278e71e21d545dca5726b28e7255ffe5ba90169101bc2bcdd9df95caf4604af6d09b810eaa7949572483302720f9dddaddff9c5b1706a |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 770cdab69a28fa9a1cf16240d51f758a |
| SHA1 | 164154361f4ccaca43687c1a1f0d9999383ebe4a |
| SHA256 | fbadee865fe00289a978424feccd4db1c1126fbee1b806cf1acfaa8fcb049310 |
| SHA512 | 225a067a51a6ff2eb827c13c0a6195efd2ec9d76cbb931b2743bb7d3ce4813853c4fc5afb3423b8f28a41bb080fe901cf5d768010bad87254a44dad3166549a7 |
memory/2280-24-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2840-32-0x0000000002F30000-0x0000000002F88000-memory.dmp
memory/2840-35-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2840-33-0x0000000002F30000-0x0000000002F88000-memory.dmp
memory/2780-37-0x0000000000400000-0x0000000000458000-memory.dmp
\Users\Admin\AppData\Local\Temp\lorua.exe
| MD5 | 1789b8fa0ee06dbc7da2fd7d292c0002 |
| SHA1 | 5439be5ee772db7263093d39c8cea36836c2aee6 |
| SHA256 | 5f4691a07dc51e0232ad55b59a225f502348c4df223180aba233518993833429 |
| SHA512 | 5228f7a95adfb0252d2cc3118068dd1e504b8de78525c804af394a2b6e8e9aa1e841aec9a03c5084144f0f731f11d46afc19e080c9dc29d01aa496c170602f02 |
memory/2780-42-0x00000000039C0000-0x0000000003A4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | cfe886bc155270c247620b2da2b00020 |
| SHA1 | 6dbee9bd94b8470fd19b1cce102597511b0256a0 |
| SHA256 | 6d63c895ded6aa6939f4a9e1511c43c5117f7256ac12a61296a7be342101bcaf |
| SHA512 | 3f77ce65f4f582c9741b5f8292daf149615817fcaab6e61f5144dbcc33bd2de945f90114c80f8bc514acc278d7f30385a6a5540265cf8726820ef1a227a49db6 |
memory/2780-57-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1924-56-0x0000000000960000-0x00000000009EC000-memory.dmp
memory/1924-55-0x0000000000960000-0x00000000009EC000-memory.dmp
memory/1924-54-0x0000000000960000-0x00000000009EC000-memory.dmp
memory/1924-60-0x0000000000960000-0x00000000009EC000-memory.dmp
memory/1924-61-0x0000000000960000-0x00000000009EC000-memory.dmp
memory/1924-62-0x0000000000960000-0x00000000009EC000-memory.dmp
memory/1924-63-0x0000000000960000-0x00000000009EC000-memory.dmp
memory/1924-64-0x0000000000960000-0x00000000009EC000-memory.dmp
memory/1924-65-0x0000000000960000-0x00000000009EC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 18:58
Reported
2024-10-13 19:01
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bowuw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\veovce.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bowuw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\veovce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qohuy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\veovce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qohuy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bowuw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
"C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe"
C:\Users\Admin\AppData\Local\Temp\bowuw.exe
"C:\Users\Admin\AppData\Local\Temp\bowuw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\veovce.exe
"C:\Users\Admin\AppData\Local\Temp\veovce.exe" OK
C:\Users\Admin\AppData\Local\Temp\qohuy.exe
"C:\Users\Admin\AppData\Local\Temp\qohuy.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/2792-0-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bowuw.exe
| MD5 | 96f89f8e32e859d09815daf6994ec155 |
| SHA1 | 42f51d1b677f2e17df7f6c2f7c123ba40d5355d8 |
| SHA256 | 0f6c49502a84a75ad7885b0ed4bc776695905a2dab4e7d6e3cbc3cf76c9e0e48 |
| SHA512 | 6cfdd9844ac5061aa10cf8b301a02ce8c1e2e38c4e83e3d013be848e23f414ba341444ac34c68adbf101349561788ac7fc2a14a1683784e25ce789c78456bd92 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 28f1b8a0befd4bfda4e57ea27f84272c |
| SHA1 | d1fb9e812c4f9ddbe00433898d5cbb4a2b4e01e6 |
| SHA256 | 8560b939c1f554f4c1e099143f1c7c4cdbac8a6cdbd714d743610ac2543da282 |
| SHA512 | 3108f40caed36ecd1fb37fa8289856a50247ea9af4511ec109aefc7b28ef2f67d2971286c51b925ea6b18c6ad4b945e30f183d1541e32c8fdf614fad86690827 |
memory/2792-14-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 770cdab69a28fa9a1cf16240d51f758a |
| SHA1 | 164154361f4ccaca43687c1a1f0d9999383ebe4a |
| SHA256 | fbadee865fe00289a978424feccd4db1c1126fbee1b806cf1acfaa8fcb049310 |
| SHA512 | 225a067a51a6ff2eb827c13c0a6195efd2ec9d76cbb931b2743bb7d3ce4813853c4fc5afb3423b8f28a41bb080fe901cf5d768010bad87254a44dad3166549a7 |
memory/2872-25-0x0000000000400000-0x0000000000458000-memory.dmp
memory/4572-24-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2872-26-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qohuy.exe
| MD5 | b0a8a1829adc67838d2524944c93f722 |
| SHA1 | c47d1212d9973a83d707dc43e96b96f65420dd02 |
| SHA256 | a84e17a1e7dd81f657581f6b844ed83162e828d39ca7a9e12702b1a35d7d76b6 |
| SHA512 | 9743ba4e68940eac91e6b31a61c11f5b3f1cb96dc8aa63825d94a9e434ccad4e076d1c7c9115ffb76fc2769bb2f7e335aff8ae2588858d73f0a34553630c0627 |
memory/2524-38-0x0000000000AC0000-0x0000000000B4C000-memory.dmp
memory/2524-39-0x0000000000AC0000-0x0000000000B4C000-memory.dmp
memory/2872-43-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2524-41-0x0000000000AC0000-0x0000000000B4C000-memory.dmp
memory/2524-40-0x0000000000AC0000-0x0000000000B4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 57bbf78f17b41f19b8de2b566d15b842 |
| SHA1 | eba9fcae6d5ddd15d394a3eb9669569f7cd9fb89 |
| SHA256 | 606faa26d741fb44c7bfecf733c3bd5eee9430cae2bb37cb223a32c3da1cb9f3 |
| SHA512 | 0cd6e7c29acdd73afe4d3ba223f9d329d16a19d01774a5ebbf41ee38ec4f29c0a5314f04d1d7120ab0621a2d144292a108868e77b498c2ffcc026ae57b211c99 |
memory/2524-45-0x0000000000AC0000-0x0000000000B4C000-memory.dmp
memory/2524-46-0x0000000000AC0000-0x0000000000B4C000-memory.dmp
memory/2524-47-0x0000000000AC0000-0x0000000000B4C000-memory.dmp
memory/2524-48-0x0000000000AC0000-0x0000000000B4C000-memory.dmp
memory/2524-49-0x0000000000AC0000-0x0000000000B4C000-memory.dmp
memory/2524-50-0x0000000000AC0000-0x0000000000B4C000-memory.dmp