File name:

308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe

Full analysis: https://app.any.run/tasks/e65a2597-0151-4c3a-8304-a46dc5879833
Verdict: Malicious activity
Analysis date: January 11, 2025, 00:25:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
bootkor
rootkit
urelas
bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

2F203267891BB1EB54D07D8B0D1DD6B8

SHA1:

ED10D57465BF14277F8FC63E776D91B6AB250735

SHA256:

308802FD522ADA1C0DF18ACE01E919A2EC314594AA6CC94C61FE2C944EA59462

SSDEEP:

6144:qMx8BbAT/ZJ0ahCKcCoB2LuR5IeH2fSWQNwwIjxvwYe2DUdkVgs+Y+Fi:r8WjxCZGL0IeHxNf8YYe2DUaVgBdA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • URELAS has been detected

      • 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe (PID: 5536)
      • nogoj.exe (PID: 2324)
      • qitisy.exe (PID: 3092)

    • URELAS mutex has been found

      • qitisy.exe (PID: 3092)

    • URELAS has been detected (YARA)

      • qitisy.exe (PID: 3092)

    • BOOTKOR has been detected (SURICATA)

      • qitisy.exe (PID: 3092)

    • Connects to the CnC server

      • qitisy.exe (PID: 3092)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe (PID: 5536)
      • nogoj.exe (PID: 2324)

    • Executable content was dropped or overwritten

      • 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe (PID: 5536)
      • nogoj.exe (PID: 2324)

    • Starts itself from another location

      • 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe (PID: 5536)
      • nogoj.exe (PID: 2324)

    • Executing commands from a ".bat" file

      • 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe (PID: 5536)

    • Starts CMD.EXE for commands execution

      • 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe (PID: 5536)

    • Connects to unusual port

      • qitisy.exe (PID: 3092)

    • Contacting a server suspected of hosting an CnC

      • qitisy.exe (PID: 3092)

  • INFO

    • The process uses the downloaded file

      • nogoj.exe (PID: 2324)
      • 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe (PID: 5536)

    • Process checks computer location settings

      • nogoj.exe (PID: 2324)
      • 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe (PID: 5536)

    • Checks supported languages

      • 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe (PID: 5536)
      • nogoj.exe (PID: 2324)
      • qitisy.exe (PID: 3092)

    • Reads the computer name

      • 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe (PID: 5536)
      • nogoj.exe (PID: 2324)
      • qitisy.exe (PID: 3092)

    • Create files in a temporary directory

      • nogoj.exe (PID: 2324)
      • 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe (PID: 5536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:07:31 13:17:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 110592
InitializedDataSize: 176128
UninitializedDataSize: -
EntryPoint: 0xca59
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #URELAS 308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe #URELAS nogoj.exe cmd.exe no specs conhost.exe no specs #BOOTKOR qitisy.exe

Process information

PID
CMD
Path
Indicators
Parent process
5536"C:\Users\admin\Desktop\308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe" C:\Users\admin\Desktop\308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2324"C:\Users\admin\AppData\Local\Temp\nogoj.exe" C:\Users\admin\AppData\Local\Temp\nogoj.exe
308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nogoj.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4932C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_vslite.bat" "C:\Windows\SysWOW64\cmd.exe308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2424\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3092"C:\Users\admin\AppData\Local\Temp\qitisy.exe" OKC:\Users\admin\AppData\Local\Temp\qitisy.exe
nogoj.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\qitisy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
875
Read events
875
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
5536308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exeC:\Users\admin\AppData\Local\Temp\_vslite.battext
MD5:65C3A55E7D951AB22846541B9AFE0D5D
SHA256:FD19DD74C6D29A735A4FE56D2EE34589A7C692F92FDA1975CFA38EE1DDA09F62
2324nogoj.exeC:\Users\admin\AppData\Local\Temp\qitisy.exeexecutable
MD5:74AD4742115CFAFE99BB1A1B7C0AE960
SHA256:BC02B3F2DFEB87211E422F2835BF004FC87401A5CDE3AFB7E2F1705B99DB8EB4
5536308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exeC:\Users\admin\AppData\Local\Temp\golfinfo.initext
MD5:51D1D4E9C0C032C32FDE4ADAA3C3EFBD
SHA256:36A2605D0DB1DC0E5BA6BEC874DB7FEC9DC331AF83510E800F0B83F0FA766209
5536308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exeC:\Users\admin\AppData\Local\Temp\nogoj.exeexecutable
MD5:74AD4742115CFAFE99BB1A1B7C0AE960
SHA256:BC02B3F2DFEB87211E422F2835BF004FC87401A5CDE3AFB7E2F1705B99DB8EB4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
21
DNS requests
7
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1488
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1488
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1488
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3092
qitisy.exe
218.54.31.226:11110
SK Broadband Co Ltd
KR
malicious
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 104.208.16.95
whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
308802fd522ada1c0df18ace01e919a2ec314594aa6cc94c61fe2c944ea59462.exe