Analysis Overview
SHA256
39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06
Threat Level: Known bad
The file 39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 16:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 16:19
Reported
2024-10-14 16:21
Platform
win7-20240903-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xevyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sogeo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xevyq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sogeo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xevyq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe
"C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe"
C:\Users\Admin\AppData\Local\Temp\xevyq.exe
"C:\Users\Admin\AppData\Local\Temp\xevyq.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\sogeo.exe
"C:\Users\Admin\AppData\Local\Temp\sogeo.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2696-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2696-0-0x00000000012C0000-0x0000000001341000-memory.dmp
\Users\Admin\AppData\Local\Temp\xevyq.exe
| MD5 | e761b50497ccd57444cc309efd34050b |
| SHA1 | 7e95f0cd9f4b8f6e143b967eda84b14a300ec8f0 |
| SHA256 | 842b7961eaa158a83c10f9d905d7aa56f76fa077cfd57a08f1dddfdaa00c7ef7 |
| SHA512 | 9a0361574178a534c38833d7736d03b839d0e40c47fac06883b882a74e900a37f3a49d4fdea7058c4440764a657c3f81a660301e161f220af9c485bb283d5473 |
memory/2696-19-0x00000000012C0000-0x0000000001341000-memory.dmp
memory/2696-16-0x0000000001180000-0x0000000001201000-memory.dmp
memory/2204-21-0x00000000002B0000-0x0000000000331000-memory.dmp
memory/2204-20-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 430e98dab996ed2cb464865e806b08a3 |
| SHA1 | e00ca96407b820ffd7c622ecd23ee9da27c20a4a |
| SHA256 | 2fe43b6833cdbee5978204411cb477658513bb1a7db9f043bb19d1e2036ebc40 |
| SHA512 | 537057245f4f43db2089a90bf63f4fd2e4ddf759c8efc6b6c942e55892dcde284904a39abfef55b2353cc22079f1d8791f305cf55a445d55f28e442b20fac5f3 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a32060dcb043346efad76720f5b4ea96 |
| SHA1 | e9eb83e4721b264800b0e3c63c3f56f9714a8dd4 |
| SHA256 | d3e9df22b8a23743c302c0f567a429286ae49a910c36dcdcc9ed079f68ec0e8d |
| SHA512 | 31bf44dc1dd0c460d1afa05a939335bd0b693bcc74e188690c1936cc2ee071153874e15545137f3266c31997e2b9f63de695bdf57e44700b4e6f48673a334b04 |
memory/2204-24-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2204-25-0x00000000002B0000-0x0000000000331000-memory.dmp
\Users\Admin\AppData\Local\Temp\sogeo.exe
| MD5 | dc83d80eb20d4f869d44a1c255b391be |
| SHA1 | f7655aa69b389e4020be71fc1dc8a0fa39f02686 |
| SHA256 | 2eb3d753eed71aada3dd412946e41f865b2097c51f80c00f27fb564bcdea561e |
| SHA512 | f305258e1ea2ae9a36de7f387a6e13fa9c5f6d5245e07b1da4aa4e76171a290f6450146c4a0a234d9da3b98935963370eb0cca617726d2113442f5eecaf158ef |
memory/2204-39-0x0000000003490000-0x0000000003529000-memory.dmp
memory/1220-43-0x0000000000880000-0x0000000000919000-memory.dmp
memory/2204-42-0x00000000002B0000-0x0000000000331000-memory.dmp
memory/1220-44-0x0000000000880000-0x0000000000919000-memory.dmp
memory/1220-48-0x0000000000880000-0x0000000000919000-memory.dmp
memory/1220-49-0x0000000000880000-0x0000000000919000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-14 16:19
Reported
2024-10-14 16:21
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rykyb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rykyb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wyfop.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rykyb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wyfop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe
"C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe"
C:\Users\Admin\AppData\Local\Temp\rykyb.exe
"C:\Users\Admin\AppData\Local\Temp\rykyb.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\wyfop.exe
"C:\Users\Admin\AppData\Local\Temp\wyfop.exe"
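The process lists of both detonations show the same chain: the sample runs from %TEMP%, starts a second five-letter-named executable from %TEMP%, and runs cmd.exe /c on a %TEMP% batch file (the run that reports "Deletes itself" attributes it to that cmd.exe). The following is an added example of detection logic over process-creation events, not code from the sandbox or from any detection product. The ProcEvent schema, the pids not present in the memory dump names, and the parent/child links are assumptions; the images and command lines are copied from the behavioral2 process list above.

```python
"""Added example: flag a %TEMP% executable that spawns another %TEMP%
executable, or that runs cmd.exe /c on a %TEMP% .bat file.
Schema, pids and parent links are assumed, not taken from the report."""
import re
from dataclasses import dataclass

TEMP_DIR = r"c:\users\admin\appdata\local\temp"
MAIN = r"C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe"
# cmd.exe /c "<script>.bat", tolerating the doubled-quote form cmd produces
BAT_RE = re.compile(r'/c\s+"*([^"]+\.bat)"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the behavioral2 process list. pids 3452/536/4784 match the
# memory dump names on the page; ppid 1000 for the sample and pid 1500 for
# cmd.exe are made up. Parent links are assumed: the sample starts rykyb.exe
# and the cmd.exe batch run, rykyb.exe starts wyfop.exe.
EVENTS = [
    ProcEvent(3452, 1000, MAIN, f'"{MAIN}"'),
    ProcEvent(536, 3452, r"C:\Users\Admin\AppData\Local\Temp\rykyb.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\rykyb.exe"'),
    ProcEvent(1500, 3452, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
    ProcEvent(4784, 536, r"C:\Users\Admin\AppData\Local\Temp\wyfop.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\wyfop.exe"'),
]


def in_temp(path: str) -> bool:
    """True when the path sits directly under the user's %TEMP% directory."""
    return path.lower().startswith(TEMP_DIR + "\\")


def find_temp_chains(events):
    """Return (rule, parent_image, child_or_script) for every hit."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not in_temp(parent.image):
            continue  # only children of a %TEMP% executable are of interest
        if in_temp(e.image) and e.image.lower().endswith(".exe"):
            hits.append(("temp_exe_spawns_temp_exe", parent.image, e.image))
        elif e.image.lower().endswith("\\cmd.exe"):
            m = BAT_RE.search(e.cmdline)
            if m and in_temp(m.group(1)):
                hits.append(("temp_exe_runs_temp_bat", parent.image, m.group(1)))
    return hits


if __name__ == "__main__":
    for rule, parent, child in find_temp_chains(EVENTS):
        print(f"{rule}: {parent} -> {child}")
```

On the constructed events this yields three hits: the sample starting rykyb.exe, the sample running _uinsey.bat through cmd.exe, and rykyb.exe starting wyfop.exe. Legitimate installers also execute from %TEMP%, so in production the second rule (a %TEMP% executable driving cmd.exe over a %TEMP% batch file) is the more specific of the two and the one to alert on first.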
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
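Both detonations reach the same four raw TCP endpoints on ports 11300 and 11170, while the Windows 10 run adds reverse DNS lookups through 8.8.8.8 and HTTPS to tse1.mm.bing.net. The following is an added example, not code from the sandbox, that separates that background traffic from the C2 candidates and emits Suricata rules for them. The rows are copied from the behavioral2 Network table above; treating the PTR lookups and the bing.net traffic as OS/sandbox background, and the local sid range, are assumptions.

```python
"""Added example: classify sandbox network rows and emit Suricata rules
for the raw-TCP, high-port destinations that have no DNS name.
The background heuristics and the sid range are assumptions."""

# (country, destination, domain, proto), copied from the behavioral2 table
ROWS = [
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("KR", "218.54.31.226:11300", "", "tcp"),
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("KR", "1.234.83.146:11170", "", "tcp"),
    ("US", "8.8.8.8:53", "56.163.245.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "75.117.19.2.in-addr.arpa", "udp"),
    ("KR", "218.54.31.166:11300", "", "tcp"),
    ("JP", "133.242.129.155:11300", "", "tcp"),
    ("US", "8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "8.8.8.8:53", "43.58.199.20.in-addr.arpa", "udp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "10.28.171.150.in-addr.arpa", "udp"),
]

BACKGROUND_DOMAINS = {"tse1.mm.bing.net"}  # assumed OS/sandbox background


def split_destination(dest):
    host, port = dest.rsplit(":", 1)
    return host, int(port)


def classify(row):
    """'background', 'c2_candidate' or 'review' for one table row."""
    country, dest, domain, proto = row
    host, port = split_destination(dest)
    if host == "8.8.8.8" and domain.endswith(".in-addr.arpa"):
        return "background"  # reverse lookups through Google DNS
    if domain in BACKGROUND_DOMAINS:
        return "background"
    if proto == "tcp" and not domain and port not in (80, 443):
        return "c2_candidate"  # raw TCP to a high port with no DNS name
    return "review"


def c2_candidates(rows):
    """Unique (host, port) C2 candidates in first-seen order."""
    seen, out = set(), []
    for row in rows:
        if classify(row) == "c2_candidate":
            endpoint = split_destination(row[1])
            if endpoint not in seen:
                seen.add(endpoint)
                out.append(endpoint)
    return out


def suricata_rules(rows, base_sid=9000001):
    """One alert rule per candidate; base_sid is an assumed local range."""
    rules = []
    for i, (host, port) in enumerate(c2_candidates(rows)):
        rules.append(
            f"alert tcp $HOME_NET any -> {host} {port} "
            f'(msg:"Urelas C2 candidate {host}:{port}"; flow:to_server; '
            f"sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(ROWS):
        print(rule)
```

Anything that lands in 'review' (a named destination on a non-web port, or web traffic to an unfamiliar host) is what an analyst should look at by hand; on this table there is none, and the four candidates are exactly the endpoints also seen in the Windows 7 run.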
Files
memory/3452-0-0x00000000008C0000-0x0000000000941000-memory.dmp
memory/3452-1-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rykyb.exe
| MD5 | d509bd65b98a43019139f2d2d2b7de3c |
| SHA1 | 8644b9208b1602bc5d59f4c90fe9fff436b0451f |
| SHA256 | 468a8282ec4d2bcf6ee2c8507a8eb5d99fad11211752faee9a07585f79572893 |
| SHA512 | 8f958d2bdb34b04fb05530de4743c12f7bb7e1e4c76bda9bff240c9b6bbca5fc8b6cc9956e65413f8c971d08c74955ffab1e6b6a70e22f990eb0859206c06ac6 |
memory/536-11-0x0000000000D80000-0x0000000000E01000-memory.dmp
memory/536-14-0x0000000000D80000-0x0000000000E01000-memory.dmp
memory/3452-17-0x00000000008C0000-0x0000000000941000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 430e98dab996ed2cb464865e806b08a3 |
| SHA1 | e00ca96407b820ffd7c622ecd23ee9da27c20a4a |
| SHA256 | 2fe43b6833cdbee5978204411cb477658513bb1a7db9f043bb19d1e2036ebc40 |
| SHA512 | 537057245f4f43db2089a90bf63f4fd2e4ddf759c8efc6b6c942e55892dcde284904a39abfef55b2353cc22079f1d8791f305cf55a445d55f28e442b20fac5f3 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e989d87a66ef2a69056d1c9a32df0040 |
| SHA1 | cfb965201c6847f87c63805f0c6f4e9a5d025985 |
| SHA256 | f88fe34c6a7036fe244d8e0650f7c2e6c8791586a305fb61982dbbe8c575e66c |
| SHA512 | 7394b6b1c4ab496c79be754bd018f31ca9baf233d87ac0cdfee1e5d650732ea0a902290bf30ffb5228f1ce7187dcbaee2e46511d03edd6da33270df34c5e6dda |
memory/536-20-0x0000000000D80000-0x0000000000E01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wyfop.exe
| MD5 | d69ab04fa2d8f73775c360ac3fb70848 |
| SHA1 | 15a5850ff9b9b75f7f13c3a5ba0142aeb36bee7b |
| SHA256 | da35bc28f55dda903ed40260006a0781ff078e00e638cdb2ba0d256ecb8dfe35 |
| SHA512 | 8dfb2838e0cdba6ec3497c415885d144ec61f035f400cd8e14e44be3bc143eb48c1aa17d3a3e96fb10e7522d48350f9e61053d214eb8fe57ec248b081f5f7742 |
memory/4784-37-0x0000000000F30000-0x0000000000FC9000-memory.dmp
memory/4784-40-0x0000000000F30000-0x0000000000FC9000-memory.dmp
memory/536-39-0x0000000000D80000-0x0000000000E01000-memory.dmp
memory/4784-38-0x0000000000BF0000-0x0000000000BF2000-memory.dmp
memory/4784-45-0x0000000000BF0000-0x0000000000BF2000-memory.dmp
memory/4784-44-0x0000000000F30000-0x0000000000FC9000-memory.dmp
memory/4784-46-0x0000000000F30000-0x0000000000FC9000-memory.dmp
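Comparing the Files sections of the two detonations shows which dropped artifacts are worth hashing: _uinsey.bat has the same hashes in both runs, golfinfo.ini differs between runs, and the two dropped executables carry a different five-letter name and a different hash each time. The following is an added example, not code from the sandbox, that performs that comparison. The paths and SHA256 values are copied from the Files sections above; the run labels are the report's.

```python
"""Added example: compare dropped-file hashes across two sandbox runs to
separate stable artifacts (hash them) from per-run ones (match on name
pattern and location instead). Data copied from the report's Files sections."""
import re

RUNS = {
    "behavioral1": {
        r"\Users\Admin\AppData\Local\Temp\xevyq.exe": "842b7961eaa158a83c10f9d905d7aa56f76fa077cfd57a08f1dddfdaa00c7ef7",
        r"C:\Users\Admin\AppData\Local\Temp\_uinsey.bat": "2fe43b6833cdbee5978204411cb477658513bb1a7db9f043bb19d1e2036ebc40",
        r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini": "d3e9df22b8a23743c302c0f567a429286ae49a910c36dcdcc9ed079f68ec0e8d",
        r"\Users\Admin\AppData\Local\Temp\sogeo.exe": "2eb3d753eed71aada3dd412946e41f865b2097c51f80c00f27fb564bcdea561e",
    },
    "behavioral2": {
        r"C:\Users\Admin\AppData\Local\Temp\rykyb.exe": "468a8282ec4d2bcf6ee2c8507a8eb5d99fad11211752faee9a07585f79572893",
        r"C:\Users\Admin\AppData\Local\Temp\_uinsey.bat": "2fe43b6833cdbee5978204411cb477658513bb1a7db9f043bb19d1e2036ebc40",
        r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini": "f88fe34c6a7036fe244d8e0650f7c2e6c8791586a305fb61982dbbe8c575e66c",
        r"C:\Users\Admin\AppData\Local\Temp\wyfop.exe": "da35bc28f55dda903ed40260006a0781ff078e00e638cdb2ba0d256ecb8dfe35",
    },
}

# five lowercase letters plus .exe, the naming seen for every dropped EXE here
RANDOM_NAME = re.compile(r"^[a-z]{5}\.exe$")


def normalize(path):
    """Lower-case and drop the drive letter: the report lists the dropped
    EXEs without 'C:' but the other files with it."""
    p = path.lower()
    return p[2:] if p.startswith("c:") else p


def compare_runs(runs):
    """Bucket every path into stable / changed / run_specific."""
    norm = {run: {normalize(p): h for p, h in files.items()} for run, files in runs.items()}
    all_paths = sorted(set().union(*norm.values()))
    result = {"stable": [], "changed": [], "run_specific": {r: [] for r in runs}}
    for path in all_paths:
        hashes = {run: files[path] for run, files in norm.items() if path in files}
        if len(hashes) < len(runs):
            for run in hashes:
                result["run_specific"][run].append(path)
        elif len(set(hashes.values())) == 1:
            result["stable"].append(path)
        else:
            result["changed"].append(path)
    return result


def random_named_drops(runs):
    """File names across all runs that fit the five-letter .exe pattern."""
    names = set()
    for files in runs.values():
        for path in files:
            name = normalize(path).rsplit("\\", 1)[-1]
            if RANDOM_NAME.match(name):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    for bucket, paths in compare_runs(RUNS).items():
        print(bucket, paths)
    print("random-named drops:", random_named_drops(RUNS))
```

The practical reading: the batch file is the only artifact whose hash survives across runs, so it is the one hash-based indicator worth distributing; for the executables, a %TEMP% path plus the five-lowercase-letter name, combined with the process chain, is the more durable pivot, and golfinfo.ini is better matched on its fixed name than on its content.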