Analysis Overview
SHA256
1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fb
Threat Level: Known bad
The file 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Loads dropped DLL
Deletes itself
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-15 05:35
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 05:35
Reported
2024-10-15 05:37
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulivd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ejybsy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xibyn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulivd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ejybsy.exe | N/A |

Each of the three processes is listed twice in the original report.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ulivd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ejybsy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xibyn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xibyn.exe | N/A |

The original report lists seven identical rows for xibyn.exe.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe
"C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe"
C:\Users\Admin\AppData\Local\Temp\ulivd.exe
"C:\Users\Admin\AppData\Local\Temp\ulivd.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ejybsy.exe
"C:\Users\Admin\AppData\Local\Temp\ejybsy.exe" OK
C:\Users\Admin\AppData\Local\Temp\xibyn.exe
"C:\Users\Admin\AppData\Local\Temp\xibyn.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2424-2-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ulivd.exe
| Hash | Value |
|---|---|
| MD5 | 0e5ebdecce3fcf71c5e2b661e1840d5f |
| SHA1 | ba08fb754255461d7be72633df4b6d5e9d3baf11 |
| SHA256 | 2e6e18618b09643ba4e55c40d64787075191c4414a0c25eae9418e13f8f1d7af |
| SHA512 | 31b37f4eac98fb8c3134ddb9adff2219e8476035b8be53a3ee90a75886b481be6cbb56b93c5f510b70b58f73e64e25a01d7dfdd1a4dd2e152c0b7c33a7c814a8 |
memory/2704-23-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 4f7e485eb3a526a5fc929dc4c2daba40 |
| SHA1 | 3389a96f9cdabf278502d868460db9c98a465612 |
| SHA256 | 12a59fc22caec1578f2d07e64f5bb70e66a37b86bab832c44ffa90058bf5ae65 |
| SHA512 | 557a0fed9a86ba2f8f0706da0bc839dafa1f7a59a2ed6a653dcd434fc9c76f0a1287802365172758125c22962cc866ebfbeca4c05b527c38cbdae2cb07b4da39 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | ddb2edd44c8d44abfb991002fe5ac5fe |
| SHA1 | fbc860bbc9bdddbef3f61a01640fbaa092cf270d |
| SHA256 | 25c5bc5b3294ba67c4c27ba2d441644703e67263f0f9227e91cefd24e4ed42e0 |
| SHA512 | b28e88ec6dbdf7a7133f5f80db3ab25df0588e006a91c0794ffa36db32138be667a6e4e7c1274b3f987e1f0c4a13d371877b9c5bfc5ea284b74c8d8d0e3a5151 |
memory/2588-34-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/2704-33-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/2704-32-0x0000000003070000-0x000000000313B000-memory.dmp
memory/2424-20-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/2588-36-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xibyn.exe
| Hash | Value |
|---|---|
| MD5 | 7b5fb7bf7f4432bda4ac14bcfa589154 |
| SHA1 | 640523aeaff36b9181301193524e5dc3815d74a9 |
| SHA256 | a3513722861ef2a811cb22b78e4122331011765ba76862b56511b0d673b6b41d |
| SHA512 | d695ab1f4832542a1b3ba7ed66044fd75b3fa0c8f66463750ff3da925a01f36f656052cf7e9218699e8643fe3255ef21891764b6b4664b9e9198db585b7c2d25 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | acf4781aea83478d31fadedae742c8a5 |
| SHA1 | aafb140829c092829e21dae165b1938f0cae6929 |
| SHA256 | 55321fbe33216c1687ae756983afbdae782d01109ab2a2c553ea52adb544dea2 |
| SHA512 | 6ec2920ae45deb28d9f5ae2fd70d1b3f0088f3398302e441df2e2ef2fd9889eba79617e627548ccc45080728ecb4385d1fc40c18d16eb9a88050e2ca5936e937 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| Hash | Value |
|---|---|
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/2868-58-0x0000000000400000-0x0000000000622000-memory.dmp
memory/2588-57-0x0000000003D40000-0x0000000003F62000-memory.dmp
memory/2588-56-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/2868-61-0x0000000000400000-0x0000000000622000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 05:35
Reported
2024-10-15 05:37
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
107s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zewup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ovqegu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zewup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ovqegu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vexoe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vexoe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zewup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ovqegu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vexoe.exe | N/A |

The original report lists fourteen identical rows for vexoe.exe.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe
"C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe"
C:\Users\Admin\AppData\Local\Temp\zewup.exe
"C:\Users\Admin\AppData\Local\Temp\zewup.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ovqegu.exe
"C:\Users\Admin\AppData\Local\Temp\ovqegu.exe" OK
C:\Users\Admin\AppData\Local\Temp\vexoe.exe
"C:\Users\Admin\AppData\Local\Temp\vexoe.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |

The original report lists the tcp connection to 150.171.28.10:443 (tse1.mm.bing.net) five times.
Files
memory/5080-0-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zewup.exe
| Hash | Value |
|---|---|
| MD5 | d59b6f8b64079407e87c7ed868e1c8b4 |
| SHA1 | b648bcca9aab2cf0662af9c37a8f0f0b0ba471c6 |
| SHA256 | 93b7c231264a83113db87753f444822e5fdfff4de39eab959ad54c9d6414a9a2 |
| SHA512 | edc161c2aaf947ac62c97b63b37daded1a930d6f9631dbfc762d7402c8f244f5b0af744217428e54065e34571610af5fdb8c61b1cd9d8176e247520f58a40ec7 |
memory/5080-15-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/700-14-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | dd05ca74f2a91a37ab5333be43307556 |
| SHA1 | 86cbb23ff4e13050eb640c1d5c83f344c1c04a93 |
| SHA256 | bd9c529232f392fdbbfa328b732c473e1d27456299d55c1d08ccae5971556629 |
| SHA512 | b37ee8343791145b3c3e3160fda26fba5e35c67454fa3cd92a059e15c2321303adab94b9ec7453921b67552a985754532507d4d1dadcc6e9a0691d1fde2a4ec1 |
memory/3232-24-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | ddb2edd44c8d44abfb991002fe5ac5fe |
| SHA1 | fbc860bbc9bdddbef3f61a01640fbaa092cf270d |
| SHA256 | 25c5bc5b3294ba67c4c27ba2d441644703e67263f0f9227e91cefd24e4ed42e0 |
| SHA512 | b28e88ec6dbdf7a7133f5f80db3ab25df0588e006a91c0794ffa36db32138be667a6e4e7c1274b3f987e1f0c4a13d371877b9c5bfc5ea284b74c8d8d0e3a5151 |
memory/700-26-0x0000000000400000-0x00000000004CB000-memory.dmp
memory/3232-27-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vexoe.exe
| Hash | Value |
|---|---|
| MD5 | e40791d8a688b84d0d4fcaee0526cebf |
| SHA1 | 69348622eda724acd94f1bc07eb8a854adbc4a87 |
| SHA256 | 31dd9a78b360275e435acd53b73d6c8595187e52e595b97f19d0bf6af1be417e |
| SHA512 | a7b6d75b008511fefbfbc2fa942daca0e64db51cb4c144131e8dd2c0042671b5874bc5423ff94337295ddc5bb96bd0d3ce435b4b8acd7387052a0f63a0ac3b50 |
memory/4800-39-0x0000000000400000-0x0000000000622000-memory.dmp
memory/3232-41-0x0000000000400000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | e9c5a40e11bf1236a6ea4f5039bfe690 |
| SHA1 | c3a96906562922c0915f27d0f7e0e169c4f53485 |
| SHA256 | 68cc0fbf95f86b7dd07827f3cad030fd76732b3ec68d14ae832c041238852d4d |
| SHA512 | c8c2f2b9ac8c9e9efbd73809f56a6f5c12f8aab13e50ef9784220616623df6b48767704af304fb6a56e0de9b8c880f5eca5beec3ab0dc4da28606996e4ad9185 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| Hash | Value |
|---|---|
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/4800-44-0x0000000000400000-0x0000000000622000-memory.dmp