Analysis Overview
SHA256
890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633f
Threat Level: Known bad
The file 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 15:47
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 15:47
Reported
2024-10-14 15:49
Platform
win7-20240903-en
Max time kernel
119s
Max time network
89s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tacyp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sudok.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tacyp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sudok.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tacyp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
"C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe"
C:\Users\Admin\AppData\Local\Temp\tacyp.exe
"C:\Users\Admin\AppData\Local\Temp\tacyp.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\sudok.exe
"C:\Users\Admin\AppData\Local\Temp\sudok.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1812-0-0x0000000000DD0000-0x0000000000E51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | d940b8bc54d0ba3abac442d2f7d1fcdb |
| SHA1 | 47e0d5e4566da280d4b36363b8a4b51c0a8a83e4 |
| SHA256 | df9f78b31a8c9eef7ce3d9c65855649386885b783073431425b13b39f6f84555 |
| SHA512 | 4bc26b9765e24a16ae61d0cdfd4231c156202d40f8b774ab8d6aefd8e01136655e1c8547c3de082ec3f1457f0596ecca2aef9ef79fb097ad5c4b50cf1f946335 |
memory/1812-18-0x0000000000DD0000-0x0000000000E51000-memory.dmp
memory/1812-16-0x00000000004A0000-0x0000000000521000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tacyp.exe
| MD5 | c876a0975449818dad1032175469b796 |
| SHA1 | eba9fee9ec23e9b94ffb7d0581dd3f10288c287c |
| SHA256 | 32667c0a99729e9e41a2d623ddeac468da02c8b54db4d93d54bf2281ed06f62c |
| SHA512 | 538fefe93d6f0e4cb1f700a794de81a7fe8967c0db859ca0978d4b235d81e73f042749d96f769581ef094af9ebe013f107c22eef70173890574b06a789d616a5 |
memory/2660-17-0x00000000010D0000-0x0000000001151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 97620a2735046c3a905c7794fe6095c9 |
| SHA1 | 112def136c555906593a8a3aad81adb895a0000f |
| SHA256 | 042d2e630c029d4e1c940c1d7d7ec5355046cb214f8b57c44f0c9eb13e9d8f01 |
| SHA512 | 92a1c2efbdb9c63eec2ae618d23ae173d365e6a09fa8822c1c6f743689ad95c926af347c3ac95ed9e22abbe1dfb67f4678d3d0f40de91aa46c82d978f781b3b6 |
memory/2660-21-0x00000000010D0000-0x0000000001151000-memory.dmp
\Users\Admin\AppData\Local\Temp\sudok.exe
| MD5 | 3aa86058bb7a8c0f438c9a2788da41e8 |
| SHA1 | 18c86abc26e19bb54280a8e0ba6da05305297ecc |
| SHA256 | 8a185d883482c1b70638957f32024ce775141c2c826561a7a3fe6e5f511d1894 |
| SHA512 | 298ebf77d268ae521dd97eae6e4f56408103d20a2c6968fc094cbee7b142ca9daca20d433cdfff903da23c6d90ff127b89cb900c292120292f45557dba8b23f3 |
memory/2660-27-0x0000000000CD0000-0x0000000000D69000-memory.dmp
memory/2764-31-0x0000000000020000-0x0000000000022000-memory.dmp
memory/2764-30-0x0000000001100000-0x0000000001199000-memory.dmp
memory/2660-29-0x00000000010D0000-0x0000000001151000-memory.dmp
memory/2764-32-0x0000000001100000-0x0000000001199000-memory.dmp
memory/2764-37-0x0000000000020000-0x0000000000022000-memory.dmp
memory/2764-36-0x0000000001100000-0x0000000001199000-memory.dmp
memory/2764-38-0x0000000001100000-0x0000000001199000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-14 15:47
Reported
2024-10-14 15:49
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\konoc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\konoc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yzvog.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\konoc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yzvog.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
"C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe"
C:\Users\Admin\AppData\Local\Temp\konoc.exe
"C:\Users\Admin\AppData\Local\Temp\konoc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\yzvog.exe
"C:\Users\Admin\AppData\Local\Temp\yzvog.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 241.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4164-0-0x00000000006C0000-0x0000000000741000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\konoc.exe
| MD5 | 37c44701517a3b6d26b1ed1ead8b5b00 |
| SHA1 | ced7449308cffd2140676ccf80ea82dd772bb843 |
| SHA256 | b0752f6eb53164325a85d32374acaf4e946a83c6cd96ae5f90956e2fb9602ac7 |
| SHA512 | 35231c881f49fabc5d8f8470c0e01df71c56cc179c362c07c519b1e67347d746fa3672849a457441e0e0a3fa7d5159bb0bc47650ee85295f6afeacc4e632b0fe |
memory/4408-10-0x0000000000760000-0x00000000007E1000-memory.dmp
memory/4164-14-0x00000000006C0000-0x0000000000741000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | d940b8bc54d0ba3abac442d2f7d1fcdb |
| SHA1 | 47e0d5e4566da280d4b36363b8a4b51c0a8a83e4 |
| SHA256 | df9f78b31a8c9eef7ce3d9c65855649386885b783073431425b13b39f6f84555 |
| SHA512 | 4bc26b9765e24a16ae61d0cdfd4231c156202d40f8b774ab8d6aefd8e01136655e1c8547c3de082ec3f1457f0596ecca2aef9ef79fb097ad5c4b50cf1f946335 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 731f9ac9560aa1c8a847ac43ff9bb2b8 |
| SHA1 | 6acc745e22a1573668a18f5d580624a394c987af |
| SHA256 | 6760a141febb47fa49d216effff8f549c26334d126cda500200b4beec2bd695e |
| SHA512 | 95af312f698e0462a975f32d05c458644a9b7ab49ab79832fda36774815fcf5da41897ac5ee41c92e0baa534905132c098aee1cc0ce5b69821d42a38d96ed1c2 |
memory/4408-17-0x0000000000760000-0x00000000007E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yzvog.exe
| MD5 | c6cbe1c597da1c5def2e6738f8da608d |
| SHA1 | ad5198d65022ab08f0260c107c0696d8187c16a3 |
| SHA256 | b8b87c9e2d9321a98f830abf52a479528b8cd07c3139be7495b8f6ad3f399694 |
| SHA512 | 64e0e2fb1b26932bcd373f9e94b35f87a425b40f15541dab51e69bb04d19d391a4c239a4855b69ca73bb46bd82a402baeb4ba8f6daac72ea2d8b2941bfce85a2 |
memory/4408-27-0x0000000000760000-0x00000000007E1000-memory.dmp
memory/2248-28-0x00000000007D0000-0x00000000007D2000-memory.dmp
memory/2248-25-0x0000000000EC0000-0x0000000000F59000-memory.dmp
memory/2248-29-0x0000000000EC0000-0x0000000000F59000-memory.dmp
memory/2248-34-0x00000000007D0000-0x00000000007D2000-memory.dmp
memory/2248-33-0x0000000000EC0000-0x0000000000F59000-memory.dmp
memory/2248-35-0x0000000000EC0000-0x0000000000F59000-memory.dmp