Analysis Overview
SHA256
fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1cc
Threat Level: Known bad
The file fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 13:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 13:45
Reported
2024-10-14 13:47
Platform
win7-20240729-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dowaj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buavn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dowaj.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dowaj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\buavn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe
"C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe"
C:\Users\Admin\AppData\Local\Temp\dowaj.exe
"C:\Users\Admin\AppData\Local\Temp\dowaj.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\buavn.exe
"C:\Users\Admin\AppData\Local\Temp\buavn.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2532-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2532-0-0x0000000000100000-0x0000000000181000-memory.dmp
\Users\Admin\AppData\Local\Temp\dowaj.exe
| MD5 | 30bd55c13cb99c809549d8f348fcde10 |
| SHA1 | 8e6301976adc559c45b1a7d33b3dd794cfb8c120 |
| SHA256 | e5172814f8f5ee0477cf7637b929ba8285781c5cf0b7a7fb371ce8daa425c2f8 |
| SHA512 | f45ebd4b6f6dd94b1e39fd6aa3645617a60815dddee8c58e0f555a63afc6ab81c1a4e6a6bbb3fd82865cd2179f3b19119a4103ad121d7fdf28b9f7e6c30164aa |
memory/2532-9-0x0000000002530000-0x00000000025B1000-memory.dmp
memory/2944-18-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 46f754e37aed4155b704844ac14dde1b |
| SHA1 | 39ba3199c5734d7d2c9d9b7475526e8c06146ffe |
| SHA256 | e137a91ddc3844d3f273edf27fa13093274d6ea601263be48f42585844712a4c |
| SHA512 | bd5bbfacd8e5d254deff9f1735e652946ed1aba345ff4ec83ca0e1d5f25bafcf34a24d8eaf90b673ea43b4aa3872696afa93992517ea727d9652e716eb9d4e20 |
memory/2944-12-0x0000000000370000-0x00000000003F1000-memory.dmp
memory/2532-21-0x0000000000100000-0x0000000000181000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 16ab143ed7dd398a20dc775e3091f8e9 |
| SHA1 | 8ad1becf8c6221d2ca7ee7746afecc5f881ed852 |
| SHA256 | 6e0d46da33c958c91d4d381a04b29e89ec5b2a4353e774c3fbe5e03632b3e046 |
| SHA512 | affcaa5d3c4070ec9bce17daba3060ae8ab6d1da595cf9c650681274530d0135e8ff66283031f4b00d9e4e22b514b74dff1d180aa7aad11297aa23b8522169ee |
memory/2944-24-0x0000000000370000-0x00000000003F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\buavn.exe
| MD5 | 1203e18f7af9de1d2ebb7b09e32a36c5 |
| SHA1 | a7a94447bd0b9cc055b3406f94343ada2cd221da |
| SHA256 | 9b77026b87f1a10132df14cd55547a3546447d7640fcf88b486c0d0ed5d5c04f |
| SHA512 | 18c62a418a23641dc2db80dc5e848ce672a0de02202ede9799143ac3bf396064e79c5515b12097abdb37b220f13ef87e9be668052b811f1d22eda29b327d3034 |
memory/2944-38-0x0000000004230000-0x00000000042C9000-memory.dmp
memory/2944-42-0x0000000000370000-0x00000000003F1000-memory.dmp
memory/2876-40-0x0000000001380000-0x0000000001419000-memory.dmp
memory/2876-43-0x0000000001380000-0x0000000001419000-memory.dmp
memory/2876-47-0x0000000001380000-0x0000000001419000-memory.dmp
memory/2876-48-0x0000000001380000-0x0000000001419000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-14 13:45
Reported
2024-10-14 13:47
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
103s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gohuc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gohuc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sopok.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gohuc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sopok.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe
"C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe"
C:\Users\Admin\AppData\Local\Temp\gohuc.exe
"C:\Users\Admin\AppData\Local\Temp\gohuc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\sopok.exe
"C:\Users\Admin\AppData\Local\Temp\sopok.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
memory/4244-0-0x0000000000DE0000-0x0000000000E61000-memory.dmp
memory/4244-1-0x0000000000DC0000-0x0000000000DC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gohuc.exe
| MD5 | b3fe83129e5e09a5f64fa12afdaf8a41 |
| SHA1 | 35fb58cbc11838e1740e0ea0516c9d46cb0298e7 |
| SHA256 | 43d5750fe26407e0b622f5068f5caa4951dc96f2c4b116512247c296470be9e3 |
| SHA512 | cd1693d992c0401bdc76b04b319d1901da162884c2cfdfadd80861fb1094905d9d60c24ea13ab9f936c41a3a13c6ec062699e22f0f01e8f1b71a71e3943e7b05 |
memory/1832-11-0x0000000000260000-0x00000000002E1000-memory.dmp
memory/1832-14-0x0000000001310000-0x0000000001311000-memory.dmp
memory/4244-17-0x0000000000DE0000-0x0000000000E61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 46f754e37aed4155b704844ac14dde1b |
| SHA1 | 39ba3199c5734d7d2c9d9b7475526e8c06146ffe |
| SHA256 | e137a91ddc3844d3f273edf27fa13093274d6ea601263be48f42585844712a4c |
| SHA512 | bd5bbfacd8e5d254deff9f1735e652946ed1aba345ff4ec83ca0e1d5f25bafcf34a24d8eaf90b673ea43b4aa3872696afa93992517ea727d9652e716eb9d4e20 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 47269b675bccf3b135256f651d8841d9 |
| SHA1 | 99e6619106a13a811151c58ca69da78437cb9ffc |
| SHA256 | d5d47d78a44814bba4c9e8f34a5d001929c44bff2f6c0db60ffb9eccf0923e35 |
| SHA512 | 288b2743a02898fbfec1cfd6dd3c14b5b497681d5370f193f956a43a346643be37cf811fe67e670cc0fcaaf2271f6be3207c29ba6d7a3f584a53513f003b4ceb |
memory/1832-21-0x0000000001310000-0x0000000001311000-memory.dmp
memory/1832-20-0x0000000000260000-0x00000000002E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sopok.exe
| MD5 | 0b908004debbda24e0a6707b2f27844b |
| SHA1 | 8dd70fd7e665b75eeb223658cbfa16749037b370 |
| SHA256 | 84cdf43d3be720a60b1af2d52d4db76e36625cd661b98907f8fab3c979eb2e19 |
| SHA512 | 6594d49cb0b3dee7d4cb5c251651e1b9493fa70e2810ba5c3dfec4cbb2a5ab4416d933ef63b785e36605bb9d2612d42413ed398b8c5b12856f8f3ddb2d524c67 |
memory/2136-39-0x00000000009A0000-0x00000000009A2000-memory.dmp
memory/2136-38-0x0000000000D20000-0x0000000000DB9000-memory.dmp
memory/1832-41-0x0000000000260000-0x00000000002E1000-memory.dmp
memory/2136-42-0x0000000000D20000-0x0000000000DB9000-memory.dmp
memory/2136-46-0x00000000009A0000-0x00000000009A2000-memory.dmp
memory/2136-47-0x0000000000D20000-0x0000000000DB9000-memory.dmp
memory/2136-48-0x0000000000D20000-0x0000000000DB9000-memory.dmp