Analysis Overview
SHA256
d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeeba
Threat Level: Known bad
The file d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-15 04:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 04:34
Reported
2024-10-15 04:36
Platform
win7-20240903-en
Max time kernel
119s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuwon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zygaz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuwon.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zuwon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zygaz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
"C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe"
C:\Users\Admin\AppData\Local\Temp\zuwon.exe
"C:\Users\Admin\AppData\Local\Temp\zuwon.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\zygaz.exe
"C:\Users\Admin\AppData\Local\Temp\zygaz.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11300 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.166:11300 | | tcp |
| JP | 133.242.129.155:11300 | | tcp |
Files
memory/1964-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1964-0-0x00000000001C0000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\zuwon.exe
| Algorithm | Digest |
|---|---|
| MD5 | 10b434fb7baa1cf69519cec71c26e910 |
| SHA1 | 00ffd9a8554d227e1d4fab7901b59f8a1171faaa |
| SHA256 | c03c6446e65436ff1f9e51defd35ebbbf9374016a1366b0c85b63e00c8a73ffb |
| SHA512 | e95b8d9fd93151afcba927e227a0e41186f70c6be0acdbd2f97ec8fea95f08df5927a9426affbc25e0db15a9c221d1a6e9fc36ce8b41046853385d9a6b57b0c6 |
memory/1964-9-0x0000000002540000-0x00000000025C1000-memory.dmp
memory/2736-11-0x0000000000990000-0x0000000000A11000-memory.dmp
memory/2736-12-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Algorithm | Digest |
|---|---|
| MD5 | da67e38d5dde136007137b726aea20fb |
| SHA1 | d4df79c1e92552e1fb2244efd1acba9731b402eb |
| SHA256 | 5ce46a0acdf39622c6c874b2580ccdf85aed56aa5498ec2dba7238f015be6a17 |
| SHA512 | 618703f129df422bdce0a30089884973ffbff5d192dca50e476629b4749feb50e8e843b9a4a3b2219a6c53d8d29fcfa2ff78be8ede1194544a9fe1b690d7c036 |
memory/1964-21-0x00000000001C0000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Algorithm | Digest |
|---|---|
| MD5 | 81a181f86df76b2707c359ff0dc28df4 |
| SHA1 | 3385c0dd7b8d429a8b5530c354c91fcb01a290a1 |
| SHA256 | 4bab111ecac852b15f7ffc0349b158347265a47b611ffad464c30d43e965b8b4 |
| SHA512 | b17c43170f12f9437dbf5a43d5cabb3ef6e141a3b141c3930b5390e984e00ecdab43b530cd705ab306ddc2bca84b7393874ab72bd6241f9197ed5f9801f58b89 |
memory/2736-24-0x0000000000990000-0x0000000000A11000-memory.dmp
memory/2736-25-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\zygaz.exe
| Algorithm | Digest |
|---|---|
| MD5 | 5c77cb8b05a5444b2757c5a190a9fb4a |
| SHA1 | 3b3ad302a55aa74c69b08846a367aa51f63c5ccc |
| SHA256 | 962e90cb9fa730bd4d9d615ef4cd8e6e91b85bd89e5fe348c333183b2aeeccb4 |
| SHA512 | d2acc2a958661c70695919fb9e7ce230a0e82c8fe12d16e98ca4161cc13dedf92ad880af1360d2b356b8a1822aca50a75395a518e4a29f4fca0f062daa44153f |
memory/2708-42-0x0000000000350000-0x00000000003E9000-memory.dmp
memory/2708-45-0x0000000000350000-0x00000000003E9000-memory.dmp
memory/2736-40-0x0000000000990000-0x0000000000A11000-memory.dmp
memory/2708-47-0x0000000000350000-0x00000000003E9000-memory.dmp
memory/2708-48-0x0000000000350000-0x00000000003E9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 04:34
Reported
2024-10-15 04:36
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
101s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xavyp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xavyp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mupyj.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xavyp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mupyj.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
"C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe"
C:\Users\Admin\AppData\Local\Temp\xavyp.exe
"C:\Users\Admin\AppData\Local\Temp\xavyp.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\mupyj.exe
"C:\Users\Admin\AppData\Local\Temp\mupyj.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11300 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| KR | 218.54.31.166:11300 | | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11300 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/1284-0-0x00000000007D0000-0x0000000000851000-memory.dmp
memory/1284-1-0x0000000001350000-0x0000000001351000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xavyp.exe
| Algorithm | Digest |
|---|---|
| MD5 | 9f570a371a01cf5ade01a5318db2f11c |
| SHA1 | 1aa15d4809fa44fb80f3fb6d3a1d770cc1759b48 |
| SHA256 | c43a06ab673be40b5825733ffc3528566a29dee4cc0ba4015fced2720e72d269 |
| SHA512 | 00737eb0eafe66ca355cb27df6a16fc82a023e9d1c75a70d22b18a448e38d21139deceaece3dab2c4af48e21aa1055d3b40c34bddf6fabeb420a0bd56cc3ec46 |
memory/3052-14-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
memory/3052-11-0x00000000006C0000-0x0000000000741000-memory.dmp
memory/1284-17-0x00000000007D0000-0x0000000000851000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| Algorithm | Digest |
|---|---|
| MD5 | da67e38d5dde136007137b726aea20fb |
| SHA1 | d4df79c1e92552e1fb2244efd1acba9731b402eb |
| SHA256 | 5ce46a0acdf39622c6c874b2580ccdf85aed56aa5498ec2dba7238f015be6a17 |
| SHA512 | 618703f129df422bdce0a30089884973ffbff5d192dca50e476629b4749feb50e8e843b9a4a3b2219a6c53d8d29fcfa2ff78be8ede1194544a9fe1b690d7c036 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Algorithm | Digest |
|---|---|
| MD5 | c72d799b536feb60481c828c776285e8 |
| SHA1 | e22ab4ef3a83548d7fca6231a0eb1c35276afb15 |
| SHA256 | 09216808139e926a13ca7736fcf38660be341b874e7813983c8e6ef4065e6d49 |
| SHA512 | 8ca393ae45eb4775bc7c09ebe53f2f1b174e3ed36b29893693e9e2b1267c8cfd9bb7d2f6ee419f7cfafb319f44599384d2d7da711dd45455c51983157b0786c5 |
memory/3052-20-0x00000000006C0000-0x0000000000741000-memory.dmp
memory/3052-21-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mupyj.exe
| Algorithm | Digest |
|---|---|
| MD5 | bb294fb1dc008f41c789e020928efcfc |
| SHA1 | b940bdb6a9fff67f1ac31ad712a53378e3bf79dc |
| SHA256 | bcc60988b1533a885dcf9c54d14bc39b5b9ec1edc0b721149fd30ad733ec9498 |
| SHA512 | 41ef6586f3c5cf535cb1ed00546138b3c4d8892313ef4a7f6ef11855c5590df66a1c3957f1c8dc65d101cbb499ae8d8f3e35a2a35f6d0ee7b1b948423b4c36a6 |
memory/5008-38-0x0000000000A80000-0x0000000000B19000-memory.dmp
memory/5008-39-0x00000000004D0000-0x00000000004D2000-memory.dmp
memory/5008-40-0x0000000000A80000-0x0000000000B19000-memory.dmp
memory/3052-44-0x00000000006C0000-0x0000000000741000-memory.dmp
memory/5008-47-0x00000000004D0000-0x00000000004D2000-memory.dmp
memory/5008-46-0x0000000000A80000-0x0000000000B19000-memory.dmp
memory/5008-48-0x0000000000A80000-0x0000000000B19000-memory.dmp