Analysis Overview
SHA256
84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b
Threat Level: Known bad
The file 84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Deletes itself
Loads dropped DLL
UPX packed file
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-31 01:14
Signatures
Urelas family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-31 01:14
Reported
2024-07-31 01:16
Platform
win7-20240705-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe
"C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | tcp | |
| KR | 112.175.88.208:11150 | tcp | |
| KR | 112.175.88.209:11170 | tcp | |
| KR | 112.175.88.207:11150 | tcp |
Files
memory/2860-0-0x0000000000400000-0x0000000000431000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | f9458c431ad6b2b318fe5e9ce2392f42 |
| SHA1 | a01fc1b8defed0dbb091fe846f7c4cd1f00e5bd3 |
| SHA256 | 7a5db11581422b4b57007dbc31c55f1f0f5b75bcbcc3cff22c0fce70aafefba8 |
| SHA512 | a0510be609e8ab9df627a6427b7e05892c0bbd5b9fc8f22b9e347e25e8cc2a5a2a07bf700b93261dfc4126f392fe4c60228d5de892b7aa4414340e096f04bf74 |
memory/2860-6-0x0000000002BE0000-0x0000000002C11000-memory.dmp
memory/1640-10-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 609ce0e460850082c0ebaa19e82c2597 |
| SHA1 | b6b475a8ff74cd1ac908cb70450f7bd52dbaa8ce |
| SHA256 | b91838d7f251698e27bd43b0d199a998d2ca2f286befc70b50e23a0d8fee8e80 |
| SHA512 | d416bdb10800e56f971381fa843da964abfd0697dea7ec9801ad9b9e2bd9af4e6ad9e2ec6abae66174f142e606b791172b4d38379eec7c2d119052daaa6f8e12 |
memory/2860-19-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a01dba4c45102fc15292fd5591166536 |
| SHA1 | d96191c30e0f09439d8547f4ededbf6726ccd54b |
| SHA256 | cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904 |
| SHA512 | 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32 |
memory/1640-22-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1640-24-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1640-31-0x0000000000400000-0x0000000000431000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-31 01:14
Reported
2024-07-31 01:16
Platform
win10v2004-20240730-en
Max time kernel
94s
Max time network
122s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe
"C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | tcp | |
| KR | 112.175.88.208:11150 | tcp | |
| KR | 112.175.88.209:11170 | tcp | |
| KR | 112.175.88.207:11150 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/2308-0-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 094b187ffce5850aedbecb686332ae58 |
| SHA1 | 71447c905dd8f6d33c95fc0b02feacf2f27bc974 |
| SHA256 | 85b23209cc3a7883fe30ebf4b896c5bf0915e46d917597a7b721f891648cbd8c |
| SHA512 | 532e3a8d47046e749abf9bea5f9f71ea9c6786ff82497d5afbf34303ec7adbcf4839650425803442d727407f0ff1fd62b088e6619df3c43ea79ac172ef5d6733 |
memory/640-15-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2308-18-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 609ce0e460850082c0ebaa19e82c2597 |
| SHA1 | b6b475a8ff74cd1ac908cb70450f7bd52dbaa8ce |
| SHA256 | b91838d7f251698e27bd43b0d199a998d2ca2f286befc70b50e23a0d8fee8e80 |
| SHA512 | d416bdb10800e56f971381fa843da964abfd0697dea7ec9801ad9b9e2bd9af4e6ad9e2ec6abae66174f142e606b791172b4d38379eec7c2d119052daaa6f8e12 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a01dba4c45102fc15292fd5591166536 |
| SHA1 | d96191c30e0f09439d8547f4ededbf6726ccd54b |
| SHA256 | cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904 |
| SHA512 | 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32 |
memory/640-21-0x0000000000400000-0x0000000000431000-memory.dmp
memory/640-23-0x0000000000400000-0x0000000000431000-memory.dmp
memory/640-29-0x0000000000400000-0x0000000000431000-memory.dmp