Analysis Overview
SHA256
42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49
Threat Level: Known bad
The file 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Checks computer location settings
Executes dropped EXE
Deletes itself
Loads dropped DLL
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 05:15
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 05:15
Reported
2024-10-14 05:17
Platform
win7-20240903-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toecc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poajt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toecc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\toecc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poajt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe
"C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe"
C:\Users\Admin\AppData\Local\Temp\toecc.exe
"C:\Users\Admin\AppData\Local\Temp\toecc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\poajt.exe
"C:\Users\Admin\AppData\Local\Temp\poajt.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1204-0-0x0000000000220000-0x00000000002A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\toecc.exe
| Hash | Value |
|---|---|
| MD5 | 0ea1b6d3c820a18e714c1e04ff5e3665 |
| SHA1 | 2a1a81a7f5f2c4565a401b1b7a7a19fc30f8176b |
| SHA256 | 21946eb3050e7557b6eff371759d1c8027e339ca1364a2b72d95f3945d03d1bb |
| SHA512 | 88f302348fa618ad49b33ea1922ec7fc9130957daf5de4853d47fd00b5d1f3e15f5d8e04f3224f68a062a9ef8904316d27f0be8ce0a0b5be7e028bde40106d9f |
memory/1204-17-0x0000000000220000-0x00000000002A1000-memory.dmp
memory/1204-15-0x0000000002450000-0x00000000024D1000-memory.dmp
memory/2704-18-0x0000000000B50000-0x0000000000BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Hash | Value |
|---|---|
| MD5 | 130d92eaa9d32bcef99a054df40b4433 |
| SHA1 | 4dafd76248f909e1529854f17d8949454502f2a7 |
| SHA256 | 37d3dd052dc0165b2bbf944179407d4288d6116990ed20201816ddabb7daa579 |
| SHA512 | 15fbf2cface17eaf09d2b7b35d9308bf974296bd761aa1008623174222e5caf2c86bae3495a9b968d26c6c9a364acb60b3df5153a46fd4ba648d3d7c4f06b9fa |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 635e7fbeffbda923036f5e3117f42dde |
| SHA1 | 82949ddad4a3e19141d6689c11307f3f9fca2c4e |
| SHA256 | b284e1c4a708d3fa26a2539fd9bdf407ef868d7dbc3391018b7d8fa75a25e3b7 |
| SHA512 | 4c33d21543ba792ec56b3010f4e492d53501df094e0987934f24b191ba6c00b620e42a2a633dfdc12c5fea6dfcdb3f3191354d1f3a095ad0b40f3c9d4bc54e60 |
memory/2704-21-0x0000000000B50000-0x0000000000BD1000-memory.dmp
\Users\Admin\AppData\Local\Temp\poajt.exe
| Hash | Value |
|---|---|
| MD5 | ce078a712d38c78b54e349c3261ced4b |
| SHA1 | 4d615a6dcc7025535d0e9f0720de9f993b644f39 |
| SHA256 | 0112d97a93db770f735e459e60e2d1f0a091a81adaec8c2d00098e1d72ee4b3f |
| SHA512 | 8ba8c01f4a4ba2af336f6c5b25619ca62b368d0d8421f49b08f908fb69f6fba3c0f4e6fbb32b58d93c0bd39f832c0428daa2e66ea3ad6399bfe7ad60bb49b8ed |
memory/2704-26-0x00000000036A0000-0x0000000003739000-memory.dmp
memory/764-31-0x0000000000020000-0x0000000000022000-memory.dmp
memory/2704-30-0x0000000000B50000-0x0000000000BD1000-memory.dmp
memory/764-29-0x0000000001250000-0x00000000012E9000-memory.dmp
memory/764-32-0x0000000001250000-0x00000000012E9000-memory.dmp
memory/764-37-0x0000000000020000-0x0000000000022000-memory.dmp
memory/764-36-0x0000000001250000-0x00000000012E9000-memory.dmp
memory/764-38-0x0000000001250000-0x00000000012E9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-14 05:15
Reported
2024-10-14 05:17
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sacya.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sacya.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sacya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe
"C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe"
C:\Users\Admin\AppData\Local\Temp\sacya.exe
"C:\Users\Admin\AppData\Local\Temp\sacya.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\tokur.exe
"C:\Users\Admin\AppData\Local\Temp\tokur.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/2800-0-0x00000000005F0000-0x0000000000671000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sacya.exe
| Hash | Value |
|---|---|
| MD5 | d17fe14b083357ca12e750f799e0b329 |
| SHA1 | f3de432d9ec2ef5043c3603d588c1e4f9f60d350 |
| SHA256 | 49b02d9946698c8dde1d17201227669e3af2adaee350f761e971922fc65c1449 |
| SHA512 | 348c4bc67f58afdaee0fba0d5a87b69855931082c0c015284dfae17b68fed5d840566da2f804ec2683ba24dbce55b9c753b7297cc0ece09ca73830fc6093c7c6 |
memory/4008-12-0x0000000000620000-0x00000000006A1000-memory.dmp
memory/2800-14-0x00000000005F0000-0x0000000000671000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Hash | Value |
|---|---|
| MD5 | 130d92eaa9d32bcef99a054df40b4433 |
| SHA1 | 4dafd76248f909e1529854f17d8949454502f2a7 |
| SHA256 | 37d3dd052dc0165b2bbf944179407d4288d6116990ed20201816ddabb7daa579 |
| SHA512 | 15fbf2cface17eaf09d2b7b35d9308bf974296bd761aa1008623174222e5caf2c86bae3495a9b968d26c6c9a364acb60b3df5153a46fd4ba648d3d7c4f06b9fa |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 25467732c72f33e143df206864ac2161 |
| SHA1 | a2464b36df9ba8f5ce3a7c8e9c7212a0d023267a |
| SHA256 | 666279b0bcdada79551effcbf5266a7bec4d7f674defcf24d68b10a250f320df |
| SHA512 | 4337d776138e05d35eac45b42e0e89f3afaf107a4ec554cdd0a2f8cc46c7747167e8d150c8a18a8ce368148816bdac21b3365e1184815033aa811ac30197e498 |
memory/4008-17-0x0000000000620000-0x00000000006A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tokur.exe
| Hash | Value |
|---|---|
| MD5 | 377d84de4be1f811d454271b6c81afb0 |
| SHA1 | 8f07a26c12d8fbc1714d119a3a8b647433b86d40 |
| SHA256 | 0e86b712170338e3fca626e186e3f78602ec38c2f0785cbe8a631ccc8fa6312f |
| SHA512 | 59e3f7b2badd4706424cfb8159b20bd2f82c73112894cbf562da6a9b9c92a2b08fe3503cb3f48dc07d5d86a8c48168faa9cec6377c3717fa01157be6e242ab88 |
memory/1040-27-0x0000000000170000-0x0000000000172000-memory.dmp
memory/1040-26-0x0000000000820000-0x00000000008B9000-memory.dmp
memory/1040-28-0x0000000000820000-0x00000000008B9000-memory.dmp
memory/4008-31-0x0000000000620000-0x00000000006A1000-memory.dmp
memory/1040-34-0x0000000000170000-0x0000000000172000-memory.dmp
memory/1040-33-0x0000000000820000-0x00000000008B9000-memory.dmp
memory/1040-35-0x0000000000820000-0x00000000008B9000-memory.dmp