Analysis Overview
SHA256
f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0
Threat Level: Known bad
The file f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0 was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-17 01:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-17 01:58
Reported
2024-03-17 02:01
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe
"C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | tcp | |
| KR | 112.175.88.208:11150 | tcp | |
| KR | 112.175.88.209:11170 | tcp | |
| KR | 112.175.88.207:11150 | tcp |
Files
memory/1964-0-0x0000000000990000-0x00000000009C0000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | cfe18579a47456ecea45bdf185f79fa1 |
| SHA1 | 9bb2fe282c0f61f15b2dd180ba82e544780e689b |
| SHA256 | 574d65b8af3759b29c233e7823707829f359f617a03e546f7710684533c09233 |
| SHA512 | 0b12961dd911194dbd0c36b72f0905390c1eff25702060a88501c184c5fc7f73f64ee84d71e41626f47513e75b0a8327c774b59b8de7537fd8d9153a2130f2ae |
memory/1964-6-0x0000000000670000-0x00000000006A0000-memory.dmp
memory/2972-16-0x00000000012A0000-0x00000000012D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | b3262c8533a67d54004ef6e527d9bb24 |
| SHA1 | 45b6b9786078b1a8d283f9cadfebd3167180b66d |
| SHA256 | 6a6f9142af4836797f9217a61eb81d67c461f87a404ef8e3be6bcc5913023b38 |
| SHA512 | cdb44109ce3a23121c05d14369c9a856f3e52ac3a932b59689d361f0974348ac3388b03cc5f4008a6950d090ef8e1f90658e29486f101f39a4c0a5fa07116a30 |
memory/1964-18-0x0000000000990000-0x00000000009C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ad66dcc3e4d62e8844a34f8e570fc21d |
| SHA1 | 5ae300786796af39a81a5f96daddbb5fd6d7ad0a |
| SHA256 | b7b165b08c5e5fff025ada3ba0b814d0e1323567a23ecd89d7b6f264e48c74b1 |
| SHA512 | 24ed5e4361ac13ae419cfcabed2650eb07e646f61b3d9e4d6c67d3a3ca31d7a504c015dde6e9b859d20edf03e90698fa879c4fe1c62b26238736cd8dcf390105 |
memory/2972-21-0x00000000012A0000-0x00000000012D0000-memory.dmp
memory/2972-23-0x00000000012A0000-0x00000000012D0000-memory.dmp
memory/2972-29-0x00000000012A0000-0x00000000012D0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-17 01:58
Reported
2024-03-17 02:01
Platform
win10v2004-20240226-en
Max time kernel
163s
Max time network
176s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe
"C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| KR | 112.175.88.209:11120 | tcp | |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| KR | 112.175.88.208:11150 | tcp | |
| KR | 112.175.88.209:11170 | tcp | |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.213.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.213.58.216.in-addr.arpa | udp |
| KR | 112.175.88.207:11150 | tcp | |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2052-0-0x0000000000C60000-0x0000000000C90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | f1bb7b7298b5e9ab07837d5d42ebd3a1 |
| SHA1 | 4dcb0f694132ba983e4180b7691e3f5ed76add4a |
| SHA256 | bb234f548d5328e219355ea9533e93526932c71a7eff2f59145db77914b323b6 |
| SHA512 | 2af1da38ebd9bea09c22aa7966bdc3530126caa0e4b838f52894c32d5a7d591f8b331e8f9ac5d377eeb5b6d6a121eb5a4420fc75ab26e297e9e5e78861f9cf5b |
memory/2052-10-0x0000000000C60000-0x0000000000C90000-memory.dmp
memory/4396-12-0x00000000002F0000-0x0000000000320000-memory.dmp
memory/2052-15-0x0000000000C60000-0x0000000000C90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | b3262c8533a67d54004ef6e527d9bb24 |
| SHA1 | 45b6b9786078b1a8d283f9cadfebd3167180b66d |
| SHA256 | 6a6f9142af4836797f9217a61eb81d67c461f87a404ef8e3be6bcc5913023b38 |
| SHA512 | cdb44109ce3a23121c05d14369c9a856f3e52ac3a932b59689d361f0974348ac3388b03cc5f4008a6950d090ef8e1f90658e29486f101f39a4c0a5fa07116a30 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ad66dcc3e4d62e8844a34f8e570fc21d |
| SHA1 | 5ae300786796af39a81a5f96daddbb5fd6d7ad0a |
| SHA256 | b7b165b08c5e5fff025ada3ba0b814d0e1323567a23ecd89d7b6f264e48c74b1 |
| SHA512 | 24ed5e4361ac13ae419cfcabed2650eb07e646f61b3d9e4d6c67d3a3ca31d7a504c015dde6e9b859d20edf03e90698fa879c4fe1c62b26238736cd8dcf390105 |
memory/4396-18-0x00000000002F0000-0x0000000000320000-memory.dmp
memory/4396-20-0x00000000002F0000-0x0000000000320000-memory.dmp
memory/4396-26-0x00000000002F0000-0x0000000000320000-memory.dmp