Analysis Overview
SHA256
ac08ece39621233dc5293169ab545261c29b1039e4571f4c4d828628068797d2
Threat Level: Known bad
The file bf94e9ea9e34e9e1d313b0b2ca4a5efa was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Deletes itself
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-11 02:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 02:17
Reported
2024-03-11 02:20
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 2104 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe
"C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3852 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8
Network
Files
memory/2104-0-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 89b09ed901ca8069e336823839364e5b |
| SHA1 | d193d341cab80a7c912c40d8b22507e504b9417c |
| SHA256 | ff88c8292d1bf90ca4dd94a4439a0922c18e5c1924ad5059248bc8122e4d6daa |
| SHA512 | 91bed91116727e666600cb31558f0742be2b575759932d1b566340176b5c66019ee4b8e6a8b7a1a0968491ef6f7c981f1f4c56f34c64ed6724f59506650aa316 |
memory/2104-16-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 7a4af96776b496c36957275df6376e0b |
| SHA1 | 84650387d66aefa18e3cba6197f74ffd70843b55 |
| SHA256 | 89ace4585665c644dba1d8f2d5c8154553446eebb3e51ce2aa472b6e66e59cce |
| SHA512 | 1103bbb151a725cdb1616c4756391ba34af23a855cceb222dc14fd80b293a9f334971a9db22f75ec92adb9355c91ccc73709537f78cc500ac62d91d7f1a6864f |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 02167b944a214fee3d34f9a7e356dc6a |
| SHA1 | ca5b3f38a7151268726401593eb35f9b67bdde97 |
| SHA256 | 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d |
| SHA512 | c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817 |
memory/3196-19-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3196-21-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3196-27-0x0000000000400000-0x0000000000436000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 02:17
Reported
2024-03-11 02:20
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe
"C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
Files
memory/2976-0-0x0000000000400000-0x0000000000436000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 32b2f5dca650a5e555785c84a087f5ea |
| SHA1 | c5a07f2c78295ce30321c1deeaf4dc0a95f7e8e7 |
| SHA256 | 85d1b629c97ca44f467e537d1d06fc85f8916a7a45748683674d9fa76ab14777 |
| SHA512 | aa2c4fb9d557abbf4cd16ee7a6f303e7ecd67d9f8909e81a23f1e8fa2d68e1ad127419cc2ee7dda283a1a97f7b217a293d7b99eba2221db369eba9fbb455feaa |
memory/2976-8-0x00000000027C0000-0x00000000027F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 7a4af96776b496c36957275df6376e0b |
| SHA1 | 84650387d66aefa18e3cba6197f74ffd70843b55 |
| SHA256 | 89ace4585665c644dba1d8f2d5c8154553446eebb3e51ce2aa472b6e66e59cce |
| SHA512 | 1103bbb151a725cdb1616c4756391ba34af23a855cceb222dc14fd80b293a9f334971a9db22f75ec92adb9355c91ccc73709537f78cc500ac62d91d7f1a6864f |
memory/2544-17-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2976-18-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 02167b944a214fee3d34f9a7e356dc6a |
| SHA1 | ca5b3f38a7151268726401593eb35f9b67bdde97 |
| SHA256 | 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d |
| SHA512 | c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817 |
memory/2544-21-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2544-23-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2544-29-0x0000000000400000-0x0000000000436000-memory.dmp