Analysis Overview
SHA256
4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e
Threat Level: Known bad
The file 4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Deletes itself
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-03 21:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-03 21:37
Reported
2024-08-03 21:39
Platform
win7-20240729-en
Max time kernel
89s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe
"C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
Files
memory/1892-0-0x0000000000870000-0x00000000008A7000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | dce9c098415f46966f424a97c3994ec2 |
| SHA1 | 5064c4b4d56471ac7f1f5a63639df9333198ecb0 |
| SHA256 | b28b3c27f05d93bcf57027331ea8290d8af56f71fa68049dae57cb6de931039c |
| SHA512 | 4c75fac6ce13cf145aea03c479197e42c265bfe7f9d59f61d03dceada48bf5d11fe68d8d5cabaa5687e1bf25cde709cc4967c5708170544202ed3666ccd648b6 |
memory/2272-19-0x0000000000370000-0x00000000003A7000-memory.dmp
memory/1892-16-0x0000000000560000-0x0000000000597000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 7a6fd9fb6b34738327b46d09a88b5d53 |
| SHA1 | d7e7a2176972a928b204bec3cec2cb41aadf32f1 |
| SHA256 | ab5d84e01c2827f3bd79f53174f603d4502ae30fadbd64366069cc9864a3f06f |
| SHA512 | 0ed4ce04c7928b6f33eeee4d884f99ee6d2d7a717742a24ba4276d62959be7296ce98cdca79cac36479f150a424c367c6ddb077178a65205b32760dee5c49b65 |
memory/1892-18-0x0000000000870000-0x00000000008A7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a39f3ff1599241818ef65c0fd09039ed |
| SHA1 | 8d40b394a337a9da3330603fcd523842bccdf504 |
| SHA256 | 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc |
| SHA512 | 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e |
memory/2272-22-0x0000000000370000-0x00000000003A7000-memory.dmp
memory/2272-24-0x0000000000370000-0x00000000003A7000-memory.dmp
memory/2272-31-0x0000000000370000-0x00000000003A7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-03 21:37
Reported
2024-08-03 21:39
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe
"C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4124,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| KR | 112.175.88.207:11150 | | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/816-0-0x0000000000110000-0x0000000000147000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | d06d9f80f98b8510a65aaeebbe96d8db |
| SHA1 | 2651d799280130e12be732151f54207710cbdec9 |
| SHA256 | bfb8bb6efccb6d40519a277b7dad8a7d8ca3ba10e8d8c67687d48f98b944ff69 |
| SHA512 | 7f63163b9205f74ca337672c42761f5fe4358e4b62056b0168ccaeb0d233b9590138511bd37b67b21ef5163334ece6eb3522575cdaa0c46033b645569ea9f5b9 |
memory/3300-11-0x0000000000790000-0x00000000007C7000-memory.dmp
memory/816-15-0x0000000000110000-0x0000000000147000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 7a6fd9fb6b34738327b46d09a88b5d53 |
| SHA1 | d7e7a2176972a928b204bec3cec2cb41aadf32f1 |
| SHA256 | ab5d84e01c2827f3bd79f53174f603d4502ae30fadbd64366069cc9864a3f06f |
| SHA512 | 0ed4ce04c7928b6f33eeee4d884f99ee6d2d7a717742a24ba4276d62959be7296ce98cdca79cac36479f150a424c367c6ddb077178a65205b32760dee5c49b65 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a39f3ff1599241818ef65c0fd09039ed |
| SHA1 | 8d40b394a337a9da3330603fcd523842bccdf504 |
| SHA256 | 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc |
| SHA512 | 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e |
memory/3300-18-0x0000000000790000-0x00000000007C7000-memory.dmp
memory/3300-20-0x0000000000790000-0x00000000007C7000-memory.dmp
memory/3300-26-0x0000000000790000-0x00000000007C7000-memory.dmp
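Turning the behavioral1 and behavioral2 observations above into something that can be run over endpoint and network telemetry, as an added example that is not part of the sandbox output: the SHA256 values and the four KR TCP endpoints are copied from the report; the process chain check encodes the pattern the report tags "Deletes itself" (a dropper running from the user's Temp directory launching cmd.exe on a .bat from the same directory, both command-line forms seen in the two runs). The event record fields (pid, ppid, image, cmdline, sha256, dst_ip, dst_port, proto), the parent/child links and the cmd.exe pid in the constructed sample are assumptions, since the report gives the process tree and memory-dump pids but not parent pids. The 8.8.8.8 DNS and g.bing.com rows from behavioral2 are treated here as Windows 10 background traffic (they are absent from the Windows 7 run) and are included in the sample only to show that they are not matched.

```python
"""Detection checks built from this report's indicators (added example, not
part of the sandbox output).  Event field names and the parent/child links in
the constructed sample are assumptions: the report lists the process tree and
memory-dump pids, not parent pids."""
import re
from dataclasses import dataclass

# SHA256 values copied from the Files sections above.
KNOWN_BAD_SHA256 = {
    "4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e": "sample",
    "b28b3c27f05d93bcf57027331ea8290d8af56f71fa68049dae57cb6de931039c": "huter.exe (behavioral1)",
    "bfb8bb6efccb6d40519a277b7dad8a7d8ca3ba10e8d8c67687d48f98b944ff69": "huter.exe (behavioral2)",
    "ab5d84e01c2827f3bd79f53174f603d4502ae30fadbd64366069cc9864a3f06f": "sanfdr.bat",
    "1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc": "golfinfo.ini",
}
# TCP destinations common to both detonations (KR, no domain resolved).
C2_ENDPOINTS = {("112.175.88.207", 11150), ("112.175.88.208", 11150),
                ("112.175.88.209", 11120), ("112.175.88.209", 11170)}

TEMP_IMAGE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Matches both command lines in the report:
#   cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
#   C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
CMD_BAT_FROM_TEMP = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"*([a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^"]+\.bat)"', re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""


@dataclass
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int
    proto: str


def hash_hits(procs):
    """Executed images whose hash is one of the report's artifacts."""
    return [(p.image, KNOWN_BAD_SHA256[p.sha256.lower()])
            for p in procs if p.sha256.lower() in KNOWN_BAD_SHA256]


def temp_bat_chains(procs):
    """Process running from the user's Temp dir that spawns cmd.exe to run a
    .bat from the same Temp dir: the chain the report tags 'Deletes itself'."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = CMD_BAT_FROM_TEMP.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and TEMP_IMAGE.match(parent.image):
            hits.append((parent.image, m.group(1)))
    return hits


def c2_hits(nets):
    """TCP flows to one of the report's C2 endpoints (DNS/PTR noise ignored)."""
    return sorted({(n.dst_ip, n.dst_port) for n in nets
                   if n.proto.lower() == "tcp" and (n.dst_ip, n.dst_port) in C2_ENDPOINTS})


def triage(procs, nets):
    return {"hash_hits": hash_hits(procs),
            "temp_bat_chains": temp_bat_chains(procs),
            "c2_hits": c2_hits(nets)}


# Constructed sample mirroring behavioral1: pids 1892/2272 come from the memory
# dump names; the cmd.exe pid, every ppid and the notepad row are made up.
T = r"C:\Users\Admin\AppData\Local\Temp"
S = "4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e"
SAMPLE_PROCS = [
    ProcEvent(1892, 1000, T + "\\" + S + ".exe", '"' + T + "\\" + S + '.exe"', S),
    ProcEvent(2272, 1892, T + r"\huter.exe", '"' + T + r'\huter.exe"',
              "b28b3c27f05d93bcf57027331ea8290d8af56f71fa68049dae57cb6de931039c"),
    ProcEvent(2400, 1892, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + T + r'\sanfdr.bat" "'),
    ProcEvent(2500, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
SAMPLE_NETS = [NetEvent(2272, ip, port, "tcp") for ip, port in sorted(C2_ENDPOINTS)] + [
    NetEvent(4000, "8.8.8.8", 53, "udp"),           # background DNS seen in behavioral2
    NetEvent(4000, "204.79.197.237", 443, "tcp"),   # g.bing.com, also background
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCS, SAMPLE_NETS).items():
        print(key, value)
```

The hash check is exact-match only, so it covers the two huter.exe variants observed here and nothing else; the process-chain check is what survives a rebuild of the dropper, and the C2 check should be widened to whatever the analyst's own traffic shows once more samples of the same family have been detonated.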