Analysis Overview
SHA256
890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633f
Threat Level: Known bad
The file 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 15:52
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 15:52
Reported
2024-10-14 15:55
Platform
win7-20241010-en
Max time kernel
150s
Max time network
82s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tenon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kopuc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tenon.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tenon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kopuc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
"C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe"
C:\Users\Admin\AppData\Local\Temp\tenon.exe
"C:\Users\Admin\AppData\Local\Temp\tenon.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\kopuc.exe
"C:\Users\Admin\AppData\Local\Temp\kopuc.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2792-0-0x00000000002F0000-0x0000000000371000-memory.dmp
\Users\Admin\AppData\Local\Temp\tenon.exe
| MD5 | 92bdbe9fe5c9c357dcd3a27ad4d15c5b |
| SHA1 | 846c098065b2a9f8f5966d3e3a6b720e99c01a77 |
| SHA256 | 5311ccad453085276a05869bf1cf546e35235e9b3610230608d33539f380a471 |
| SHA512 | 753d6ded65c8986d713082462ffd308025dc5395d94f68e7b3ab5bde2231e9b041a4eb678961c11e0eff54d93db23134cc5bbfa5a426f9abe54ba89de45dba92 |
memory/2792-6-0x0000000001EC0000-0x0000000001F41000-memory.dmp
memory/2144-10-0x0000000000CD0000-0x0000000000D51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | d940b8bc54d0ba3abac442d2f7d1fcdb |
| SHA1 | 47e0d5e4566da280d4b36363b8a4b51c0a8a83e4 |
| SHA256 | df9f78b31a8c9eef7ce3d9c65855649386885b783073431425b13b39f6f84555 |
| SHA512 | 4bc26b9765e24a16ae61d0cdfd4231c156202d40f8b774ab8d6aefd8e01136655e1c8547c3de082ec3f1457f0596ecca2aef9ef79fb097ad5c4b50cf1f946335 |
memory/2792-18-0x00000000002F0000-0x0000000000371000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f5a2ae1158ba093458ab508a06a68f13 |
| SHA1 | 68f4f1e8f13d56a34553619dc12e346f4c9cb426 |
| SHA256 | 80e11d758a8ddb0975489b6b2a2146220226be13ca96fb432c607fc8f58b58cf |
| SHA512 | 22e08b9977334796bc3fc89285dfa5ef35d053944f153c5db06104ff095ce3650bc8c2cebf1400438fa116ce96070a96f8244951f6af335596eae4526bcee5ab |
memory/2144-21-0x0000000000CD0000-0x0000000000D51000-memory.dmp
\Users\Admin\AppData\Local\Temp\kopuc.exe
| MD5 | 48dcecc11cf8d90543c7cada995af499 |
| SHA1 | 4558227db1866a1257c6af19d69ed74c9bf6deec |
| SHA256 | 7aaf1e15f23fa21aa02d15f418608b62d7f652cb522bf2427928b07eb6787923 |
| SHA512 | 991c1a8add28bca4e993568140c013aa142e153e98998ea69dc0f5eb44539c9e08a33584a19c103c59e5e532c57a70f05f06980aa12da34445045d7f54dc32ec |
memory/2144-26-0x00000000036E0000-0x0000000003779000-memory.dmp
memory/2144-29-0x0000000000CD0000-0x0000000000D51000-memory.dmp
memory/1100-31-0x0000000001000000-0x0000000001099000-memory.dmp
memory/1100-30-0x0000000000020000-0x0000000000022000-memory.dmp
memory/1100-32-0x0000000001000000-0x0000000001099000-memory.dmp
memory/1100-36-0x0000000000020000-0x0000000000022000-memory.dmp
memory/1100-37-0x0000000001000000-0x0000000001099000-memory.dmp
memory/1100-38-0x0000000001000000-0x0000000001099000-memory.dmp
memory/1100-39-0x0000000001000000-0x0000000001099000-memory.dmp
memory/1100-40-0x0000000001000000-0x0000000001099000-memory.dmp
memory/1100-41-0x0000000001000000-0x0000000001099000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-14 15:52
Reported
2024-10-14 15:55
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ipjov.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ipjov.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ziuwh.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ipjov.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ziuwh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
"C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe"
C:\Users\Admin\AppData\Local\Temp\ipjov.exe
"C:\Users\Admin\AppData\Local\Temp\ipjov.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ziuwh.exe
"C:\Users\Admin\AppData\Local\Temp\ziuwh.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2412-0-0x0000000000ED0000-0x0000000000F51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ipjov.exe
| MD5 | aa995e5eefbbac4450133d14e9aa11fd |
| SHA1 | 62fe8d25a5e2c531480a1d7ff71fd63d26ea92a8 |
| SHA256 | 7db5e0a778644590ea4488cdd9f91651f131dd737622151d2b4eeb6380962d4d |
| SHA512 | a7a230b208731873cdfe8cd61707eafd5c24655963ee4fcce48cfb0899cf6b7a0d104d0fc26599b9aa23056278b26ca37eab6566c21e4fa1f9089c1f4215d8b8 |
memory/2412-14-0x0000000000ED0000-0x0000000000F51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | d940b8bc54d0ba3abac442d2f7d1fcdb |
| SHA1 | 47e0d5e4566da280d4b36363b8a4b51c0a8a83e4 |
| SHA256 | df9f78b31a8c9eef7ce3d9c65855649386885b783073431425b13b39f6f84555 |
| SHA512 | 4bc26b9765e24a16ae61d0cdfd4231c156202d40f8b774ab8d6aefd8e01136655e1c8547c3de082ec3f1457f0596ecca2aef9ef79fb097ad5c4b50cf1f946335 |
memory/2012-11-0x0000000000090000-0x0000000000111000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | fe7ce443befc2eaa86d618664da5253b |
| SHA1 | c6d82a8dff0f42b249ff48a63fe47d4b4fd8cd0b |
| SHA256 | f57ac5055a41ce6e13bd7acde8465447f66519d524b412105583348e82543a7e |
| SHA512 | 286bb206f8b6f60101d51ccbc79f0ccf2604ff0ae1f839fe11ac7a065919f72b3c1d8f884ba89fc34e66d951f98db0888dfdbc1d05f53c84ac32f0d9b73c0c2e |
memory/2012-17-0x0000000000090000-0x0000000000111000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ziuwh.exe
| MD5 | 06040250b0854d5050cb7c9e13a7d280 |
| SHA1 | ffbbc16fe5af41bb0258490f8d554dc12ad5d167 |
| SHA256 | 4fdc6b12411605d84b6a0cf55f6b8baca63bae6670b22db7d6b280418874e1fe |
| SHA512 | 20069e30ce95e5f76fec24042d4b497572be45549f365b2dc12f40866010ea911bf45b8bd73f5915c6e6db092234a60378c93ab1a9fa80b5288756f49e2d623a |
memory/2092-26-0x0000000000AC0000-0x0000000000B59000-memory.dmp
memory/2092-28-0x00000000007D0000-0x00000000007D2000-memory.dmp
memory/2012-27-0x0000000000090000-0x0000000000111000-memory.dmp
memory/2092-29-0x0000000000AC0000-0x0000000000B59000-memory.dmp
memory/2092-34-0x00000000007D0000-0x00000000007D2000-memory.dmp
memory/2092-33-0x0000000000AC0000-0x0000000000B59000-memory.dmp
memory/2092-35-0x0000000000AC0000-0x0000000000B59000-memory.dmp
memory/2092-36-0x0000000000AC0000-0x0000000000B59000-memory.dmp
memory/2092-37-0x0000000000AC0000-0x0000000000B59000-memory.dmp
memory/2092-38-0x0000000000AC0000-0x0000000000B59000-memory.dmp