Analysis Overview
SHA256
f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7d
Threat Level: Known bad
The file f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Deletes itself
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-15 01:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 01:53
Reported
2024-10-15 01:55
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\guliz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzbar.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\guliz.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\guliz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uzbar.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe
"C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe"
C:\Users\Admin\AppData\Local\Temp\guliz.exe
"C:\Users\Admin\AppData\Local\Temp\guliz.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\uzbar.exe
"C:\Users\Admin\AppData\Local\Temp\uzbar.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/2528-0-0x0000000001000000-0x0000000001081000-memory.dmp
memory/2528-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\guliz.exe
| MD5 | be687615ed51c250dd4e4228a6ac7bd4 |
| SHA1 | 00e955fb2454d26e1115f3eb4c1fddd8e8a31aed |
| SHA256 | 0996a11dda52c7be96d1575339ed3612adb5d3279638bd278c2fe231e21c8141 |
| SHA512 | 1c9eaca13e139f7b486f20cbee66d9368a54308360b931dceb04cb034f781272c16b85b977bf69b00f00ac53b136b09f7c6160989469f30b8d24803cb6480488 |
memory/2340-18-0x0000000000F20000-0x0000000000FA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9aa697a51fdea1d66b8c6ae525f43c07 |
| SHA1 | 28b8563321bae665b0b7cc1b67bb64a2f00949ad |
| SHA256 | 8c1227dd84ae0ba73ba27efe08233beb3617c909e014ef6a08e0180664bb3247 |
| SHA512 | fd3e84e4bd4ca2e5e5c5a47034f96c4ebe0e10e0f1e6ac1e2f2551e3d6e6e47f491e8b6f4728ec48cd468c41fa64b89ab33890c22a9f2ab401437ca0ff4c135c |
memory/2340-19-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2528-9-0x0000000000AB0000-0x0000000000B31000-memory.dmp
memory/2528-21-0x0000000001000000-0x0000000001081000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 37f1696fd13182061762d9a8f348dbab |
| SHA1 | 85605938db8267c976df45ad56a40a294579a899 |
| SHA256 | d9287ac9ea7a2e08cec3aa01f0a38db863fa0f5a47c5e1a4b521e899f5f5ea3a |
| SHA512 | ecd96245d941b9ec74acc10ad394be9105bbedceebc16b0ed36c627f1babf32c4023fa4cb0b5e120225e944805062236a98d7d7665b781efc1de388353a2c3b1 |
memory/2340-24-0x0000000000F20000-0x0000000000FA1000-memory.dmp
memory/1800-44-0x0000000001320000-0x00000000013B9000-memory.dmp
memory/1800-41-0x0000000001320000-0x00000000013B9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uzbar.exe
| MD5 | 824c4a9d2a75e00b0fe5c61dea47ba0e |
| SHA1 | f7d164c60dd9b8b4ee9b321a719d668cec24fedf |
| SHA256 | eaea9f65a8050edbb975688fc6df16d9bd8b30cff181146b5c656a6bb855df22 |
| SHA512 | 9e740b480dfd3626b6c9b618e3a3d9042eb8e69482f185ac6601eb253dcfb8a915e21c5d1bf94a70187f6790192129d036ece4920dcf8c311fbbd0ee0d3ce5ea |
memory/2340-39-0x0000000000F20000-0x0000000000FA1000-memory.dmp
memory/1800-46-0x0000000001320000-0x00000000013B9000-memory.dmp
memory/1800-47-0x0000000001320000-0x00000000013B9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 01:53
Reported
2024-10-15 01:55
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
101s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sigui.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sigui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sigui.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xerer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe | N/A |
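The registry rows above are noisier than they look: the report attributes reads of HKLM\...\NLS\Language to C:\Windows\SysWOW64\cmd.exe as well as to the dropped executables, so the key alone does not separate the sample from system binaries. The filter below is an added example (not part of the sandbox report or its own detection logic): it keeps only reads of the two locale keys seen here (NLS\Language and Control Panel\International\Geo\Nation) by processes living in the sandbox user's %TEMP%. The event records are constructed from the rows in both detonations; the field names and the "op" values are assumptions, not a real sensor schema.

```python
"""Locale-probe triage over the registry rows in the signature tables.

Added example, not part of the sandbox report. Keeps reads of the two locale
keys only when the reading process lives in %TEMP%, since cmd.exe and other
system binaries read NLS\\Language as a matter of course.
"""
import ntpath
from typing import Dict, List, Optional, Tuple

# Sandbox user's temp directory as seen in the report (compared case-insensitively).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
TEMP_DIR = TEMP.lower()
SAMPLE = ntpath.join(
    TEMP, "f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe")

# Key suffixes (lowercase) and what a read of each is taken to mean.
LOCALE_KEYS = {
    r"\control\nls\language": "system language discovery (ATT&CK T1614.001)",
    r"\control panel\international\geo\nation": "computer location settings",
}

# Full key paths as they appear in the report rows.
SID = "S-1-5-21-3442511616-637977696-3186306149-1000"
NLS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
GEO = "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation"


def locale_probe(key: str) -> Optional[str]:
    """Label for a locale key read, or None if the key is not one we care about."""
    k = key.lower()
    for suffix, label in LOCALE_KEYS.items():
        if k.endswith(suffix):
            return label
    return None


def flag_locale_probes(events: List[Dict]) -> List[Tuple[str, str]]:
    """(process basename, label) for locale-key reads by executables in %TEMP%."""
    hits = []
    for e in events:
        label = locale_probe(e["key"])
        if label is None:
            continue
        # The process path is the discriminator: drop system binaries outside %TEMP%.
        if ntpath.dirname(e["process"]).lower() != TEMP_DIR:
            continue
        hits.append((ntpath.basename(e["process"]), label))
    return hits


# Constructed from the behavioral2 rows (field names assumed, not a sensor schema).
EVENTS = [
    {"op": "Key value queried", "key": GEO, "process": SAMPLE},
    {"op": "Key value queried", "key": GEO, "process": ntpath.join(TEMP, "sigui.exe")},
    {"op": "Key opened", "key": NLS, "process": ntpath.join(TEMP, "sigui.exe")},
    {"op": "Key opened", "key": NLS, "process": r"C:\Windows\SysWOW64\cmd.exe"},
    {"op": "Key opened", "key": NLS, "process": ntpath.join(TEMP, "xerer.exe")},
    {"op": "Key opened", "key": NLS, "process": SAMPLE},
]

if __name__ == "__main__":
    for name, label in flag_locale_probes(EVENTS):
        print(f"{name}: {label}")
```

Run as-is it reports five reads (both Geo\Nation queries and the three NLS\Language opens by the dropped or original executables) and drops the cmd.exe read. The suffix match on the Geo\Nation key is deliberate: the row carries the user's SID under \REGISTRY\USER, which differs per machine.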
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe
"C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe"
C:\Users\Admin\AppData\Local\Temp\sigui.exe
"C:\Users\Admin\AppData\Local\Temp\sigui.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\xerer.exe
"C:\Users\Admin\AppData\Local\Temp\xerer.exe"
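Both detonations show the same process shape: the original executable in %TEMP% drops a second executable there, and cmd.exe is launched with /c on a .bat in the same directory (the report attributes the "Deletes itself" signature to cmd.exe). The check below is an added example, not part of the sandbox report, that flags exactly that chain: cmd.exe /c on a %TEMP% .bat whose parent process is itself an executable in %TEMP%. Event records are constructed from the command lines listed in the two Processes sections; the pids, ppids and parent links are assumptions (the report lists the processes flat), as are the field names.

```python
"""Process-chain check for the drop-and-self-delete pattern in the Processes sections.

Added example, not part of the sandbox report. Flags cmd.exe /c on a .bat in
%TEMP% when the launching process is itself an executable in %TEMP%.
"""
import ntpath
import re
from typing import Dict, List, Optional

TEMP_DIR = r"c:\users\admin\appdata\local\temp"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe")

# Pulls the .bat path out of either form seen in the report:
#   cmd /c ""C:\...\_uinsey.bat" "
#   C:\Windows\system32\cmd.exe /c ""C:\...\_uinsey.bat" "
_BAT_RE = re.compile(r'/c\s+"*([a-z]:\\[^"]+?\.bat)"', re.IGNORECASE)


def batch_target(cmdline: str) -> Optional[str]:
    """Return the .bat path handed to cmd.exe /c, or None if there is none."""
    m = _BAT_RE.search(cmdline)
    return m.group(1) if m else None


def under_temp(path: str) -> bool:
    """True when the file sits directly in the sandbox user's %TEMP%."""
    return ntpath.dirname(path).lower() == TEMP_DIR


def find_self_delete_chains(events: List[Dict]) -> List[Dict]:
    """cmd.exe /c on a %TEMP% .bat whose parent is an executable in %TEMP%."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        bat = batch_target(e["cmdline"])
        if bat is None or not under_temp(bat):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not under_temp(parent["image"]):
            continue
        hits.append({"parent": parent["image"], "cmd_pid": e["pid"], "bat": bat})
    return hits


def _ev(pid: int, ppid: int, image: str, cmdline: str) -> Dict:
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed from the Processes sections; pids, ppids and parent links are assumed.
EVENTS = [
    # behavioral1 (win7-20240903-en)
    _ev(2528, 1000, SAMPLE, f'"{SAMPLE}"'),
    _ev(2340, 2528, r"C:\Users\Admin\AppData\Local\Temp\guliz.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\guliz.exe"'),
    _ev(2600, 2528, r"C:\Windows\SysWOW64\cmd.exe",
        r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
    _ev(1800, 2340, r"C:\Users\Admin\AppData\Local\Temp\uzbar.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\uzbar.exe"'),
    # behavioral2 (win10v2004-20241007-en)
    _ev(2368, 1000, SAMPLE, f'"{SAMPLE}"'),
    _ev(4544, 2368, r"C:\Users\Admin\AppData\Local\Temp\sigui.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\sigui.exe"'),
    _ev(4600, 2368, r"C:\Windows\SysWOW64\cmd.exe",
        r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
    _ev(3388, 4544, r"C:\Users\Admin\AppData\Local\Temp\xerer.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\xerer.exe"'),
    # Constructed control: a .bat run from outside %TEMP% by a non-%TEMP% parent must not fire.
    _ev(9001, 1000, r"C:\Program Files\Example\setup.exe",
        r'"C:\Program Files\Example\setup.exe"'),
    _ev(9002, 9001, r"C:\Windows\System32\cmd.exe",
        r'C:\Windows\System32\cmd.exe /c "C:\Program Files\Example\post.bat"'),
]

if __name__ == "__main__":
    for hit in find_self_delete_chains(EVENTS):
        print(hit)
```

Both runs produce one hit each (the same _uinsey.bat, launched from the original executable); the control pair does not. The regex tolerates the doubled quotes cmd.exe receives when the caller wraps an already-quoted path, which is how both command lines in the report look.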
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
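The Windows 10 run adds reverse-DNS lookups through 8.8.8.8 and tse1.mm.bing.net traffic that the Windows 7 run does not show, while the four direct TCP connections to Korean and Japanese addresses on ports 11300 and 11170 appear in both. The script below is an added example, not part of the sandbox report or its own logic, that does that triage: it classifies each row, keeps only direct TCP connections to public addresses on unusual ports as C2 candidates, and intersects the two detonations so the endpoints seen in both come out first. Rows are constructed from the two Network tables (columns normalised to country, destination, domain, proto); treating the in-addr.arpa lookups and the bing.net traffic as background noise is this example's assumption.

```python
"""Triage of the two Network tables.

Added example, not part of the sandbox report. Separates sandbox/OS background
traffic from connections the sample makes and intersects both detonations.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Set, Tuple

Row = Tuple[str, str, str, str]  # (country, destination, domain, proto)

# Constructed from the Network tables above; empty domain means a direct IP connection.
BEHAVIORAL1: List[Row] = [
    ("KR", "218.54.31.226:11300", "", "tcp"),
    ("KR", "1.234.83.146:11170", "", "tcp"),
    ("KR", "218.54.31.166:11300", "", "tcp"),
    ("JP", "133.242.129.155:11300", "", "tcp"),
]
BEHAVIORAL2: List[Row] = [
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "2.159.190.20.in-addr.arpa", "udp"),
    ("KR", "218.54.31.226:11300", "", "tcp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("KR", "1.234.83.146:11170", "", "tcp"),
    ("US", "8.8.8.8:53", "212.20.149.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.42.69.40.in-addr.arpa", "udp"),
    ("KR", "218.54.31.166:11300", "", "tcp"),
    ("JP", "133.242.129.155:11300", "", "tcp"),
    ("US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
] + [("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp")] * 5 + [  # five identical rows
    ("US", "8.8.8.8:53", "205.47.74.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "10.28.171.150.in-addr.arpa", "udp"),
]

# Ports on which a direct TCP connection could plausibly be ordinary web traffic.
COMMON_PORTS = {80, 443}


def classify(row: Row) -> str:
    """Bucket one table row: background noise, C2 candidate, or needs a look."""
    _country, dest, domain, proto = row
    host, port = dest.rsplit(":", 1)
    if domain.endswith(".in-addr.arpa"):
        return "noise:ptr-lookup"      # reverse lookups; present only in the win10 run
    if domain.endswith("bing.net"):
        return "noise:os-background"   # assumption: Windows 10 background traffic, absent on win7
    addr = ipaddress.ip_address(host)
    if proto == "tcp" and not domain and addr.is_global and int(port) not in COMMON_PORTS:
        return "candidate:c2"          # direct connection to a public host on an unusual port
    return "review"


def summarize(rows: List[Row]) -> Dict[str, int]:
    """Row count per bucket."""
    return dict(Counter(classify(r) for r in rows))


def candidate_c2(rows: List[Row]) -> Set[str]:
    """Distinct ip:port endpoints bucketed as C2 candidates."""
    return {r[1] for r in rows if classify(r) == "candidate:c2"}


def confirmed_iocs(*runs: List[Row]) -> Set[str]:
    """Endpoints contacted in every detonation: the ones to block first."""
    sets = [candidate_c2(r) for r in runs]
    return set.intersection(*sets) if sets else set()


def port_histogram(endpoints: Set[str]) -> Dict[int, int]:
    """How many distinct endpoints use each port."""
    return dict(Counter(int(e.rsplit(":", 1)[1]) for e in endpoints))


if __name__ == "__main__":
    print("behavioral2 buckets:", summarize(BEHAVIORAL2))
    iocs = confirmed_iocs(BEHAVIORAL1, BEHAVIORAL2)
    print("endpoints seen in both runs:", sorted(iocs))
    print("ports:", port_histogram(iocs))
```

The intersection is the useful output here: the same four endpoints survive both runs, three on 11300 and one on 11170, and nothing from the Windows 10 noise does. The is_global check is there so a sample that only talks to sandbox-local or private addresses does not produce false IOCs.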
Files
memory/2368-0-0x0000000000440000-0x00000000004C1000-memory.dmp
memory/2368-1-0x0000000001030000-0x0000000001031000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sigui.exe
| MD5 | 1dbd323238d3fb7df27e9d08a2664668 |
| SHA1 | a0b89a3e74ed254a4d8c2bc1dce3c7b29a583045 |
| SHA256 | 082a993ec593c2f8e78f3af3261b3f0d4d2b38fc318d7a781f9477f3295056a4 |
| SHA512 | a46aba88e662f20d9ef1171b665535ea9b2e9370a1b8521ab1e087495ef1a82f00a587de731cfed9f22ee1ecfa832d350fa1b2a5778b0786fcb7bd057869e2f4 |
memory/4544-14-0x0000000000E60000-0x0000000000E61000-memory.dmp
memory/4544-13-0x0000000000500000-0x0000000000581000-memory.dmp
memory/2368-16-0x0000000000440000-0x00000000004C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 9aa697a51fdea1d66b8c6ae525f43c07 |
| SHA1 | 28b8563321bae665b0b7cc1b67bb64a2f00949ad |
| SHA256 | 8c1227dd84ae0ba73ba27efe08233beb3617c909e014ef6a08e0180664bb3247 |
| SHA512 | fd3e84e4bd4ca2e5e5c5a47034f96c4ebe0e10e0f1e6ac1e2f2551e3d6e6e47f491e8b6f4728ec48cd468c41fa64b89ab33890c22a9f2ab401437ca0ff4c135c |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | d5bdb0d99a15f96e8b89de97fd952cf3 |
| SHA1 | 5f7b78bd1d8cbf9b190584dcfd49b887fd2ee672 |
| SHA256 | 0b5bbf40e1c6ccfc12aead3baa7c2438acb7127a12998733015cb5436840864d |
| SHA512 | b3b8293589de85aac0dfe27646f6b450031425a354c8ec3b6af6760e37add1328545703e031d7736a5cb5c9453b616833864059685939e5148f8e4442aedca9c |
memory/4544-19-0x0000000000500000-0x0000000000581000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xerer.exe
| MD5 | b4eedfa3baa4680c157eaa7999eda368 |
| SHA1 | 74e7df654780045144055c1ae3bae192edc06f8a |
| SHA256 | 71547e24af536c5729f8e2a5fad184b870608a89a2f4dc48393230b6439ef66c |
| SHA512 | 045a06088cc283dd0f63705b44202d92643b97d19195b08531bdb2a642f2db2afd0e12dcdf3c156fe4378f2f01379ec221172236b72e9cf665091b51c9cabedc |
memory/3388-36-0x00000000002E0000-0x0000000000379000-memory.dmp
memory/4544-38-0x0000000000500000-0x0000000000581000-memory.dmp
memory/3388-42-0x0000000000260000-0x0000000000262000-memory.dmp
memory/3388-39-0x00000000002E0000-0x0000000000379000-memory.dmp
memory/3388-44-0x00000000002E0000-0x0000000000379000-memory.dmp
memory/3388-45-0x00000000002E0000-0x0000000000379000-memory.dmp