Analysis Overview
SHA256
5e5c02c531739d8ba66ce5aa431e4443c2d5178a87ad6d957a566b418c445913
Threat Level: Known bad
The file 712e479001a3b483063b6a4d4b5964d0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
UPX packed file
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-01 11:35
Signatures
Urelas family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 11:35
Reported
2024-08-01 11:37
Platform
win7-20240708-en
Max time kernel
91s
Max time network
92s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe
"C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | N/A | tcp |
| KR | 112.175.88.208:11150 | N/A | tcp |
| KR | 112.175.88.209:11170 | N/A | tcp |
| KR | 112.175.88.207:11150 | N/A | tcp |
Files
memory/2992-0-0x0000000000400000-0x0000000000431000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 5b7c1ae80db04788ea629c036d2d10f1 |
| SHA1 | eff59c2afa0a1b6db5c87b630be29de760302f59 |
| SHA256 | 720afa038c2685de8071cf78f498c7fe536bf59fac3bfed9cce4d7d738b65de7 |
| SHA512 | 24a0c2a0b4b4be8ed450996ab29968ab3ec2f5da064d8b41a49b2004beea400c2490dc598a31c351c18fe595ddbb943a5b3ada285d6b2821cb7e5e4ee6f5be19 |
memory/544-16-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2992-15-0x0000000001E80000-0x0000000001EB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | f938d0796f9bc8a9a5d2d746e9b1b373 |
| SHA1 | bb37010a8cb00fdc6709dba3cb29f16b2b86a2c5 |
| SHA256 | 5f666132f16a5fa4b91310258545cb0446b16ac65130dfa10547ce3329e0c3a4 |
| SHA512 | de56e12498f652170ae03dc49ef04f185ff50f5cce30ed1fee4cc4af4c5a76f6b6667ab1cde19886034395f040362cda6b730ded8e12f95127e9b50059222a2c |
memory/2992-18-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a01dba4c45102fc15292fd5591166536 |
| SHA1 | d96191c30e0f09439d8547f4ededbf6726ccd54b |
| SHA256 | cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904 |
| SHA512 | 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32 |
memory/544-21-0x0000000000400000-0x0000000000431000-memory.dmp
memory/544-23-0x0000000000400000-0x0000000000431000-memory.dmp
memory/544-30-0x0000000000400000-0x0000000000431000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 11:35
Reported
2024-08-01 11:37
Platform
win10v2004-20240730-en
Max time kernel
98s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4628 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 4628 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 4628 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 4628 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4628 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4628 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe
"C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | N/A | tcp |
| KR | 112.175.88.208:11150 | N/A | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | N/A | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| KR | 112.175.88.207:11150 | N/A | tcp |
Files
memory/4628-0-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 891d6f54ce84db2ace947024f1b24938 |
| SHA1 | 5e19efacb5dcad893f3b78b135febaac38709594 |
| SHA256 | 47c0dbfcc8b84272f0e258261a90242aeeeeecb015f6379add048dba9f85eaa5 |
| SHA512 | 4bbc08c3ba38db99a000b0cf90fcd134edf757d4ab26c6d5e86d85846923943bc8463561da8d6d23c45416b0d6ad10f134baebcc9de0e61b5b5ac59b85312e01 |
memory/3864-15-0x0000000000400000-0x0000000000431000-memory.dmp
memory/4628-18-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | f938d0796f9bc8a9a5d2d746e9b1b373 |
| SHA1 | bb37010a8cb00fdc6709dba3cb29f16b2b86a2c5 |
| SHA256 | 5f666132f16a5fa4b91310258545cb0446b16ac65130dfa10547ce3329e0c3a4 |
| SHA512 | de56e12498f652170ae03dc49ef04f185ff50f5cce30ed1fee4cc4af4c5a76f6b6667ab1cde19886034395f040362cda6b730ded8e12f95127e9b50059222a2c |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a01dba4c45102fc15292fd5591166536 |
| SHA1 | d96191c30e0f09439d8547f4ededbf6726ccd54b |
| SHA256 | cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904 |
| SHA512 | 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32 |
memory/3864-21-0x0000000000400000-0x0000000000431000-memory.dmp
memory/3864-23-0x0000000000400000-0x0000000000431000-memory.dmp
memory/3864-29-0x0000000000400000-0x0000000000431000-memory.dmp