Analysis Overview
SHA256
828a04a211899614965b995e7a077a6a382d5599bfd86993ffab5d75d0692a4a
Threat Level: Known bad
The file de2368758da69e422fa38e9ef3c76770N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Checks computer location settings
UPX packed file
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 01:59
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 01:59
Reported
2024-08-04 02:01
Platform
win7-20240704-en
Max time kernel
67s
Max time network
56s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe
"C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe"
C:\Users\Admin\AppData\Local\Temp\opert.exe
"C:\Users\Admin\AppData\Local\Temp\opert.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 218.54.28.139:11120 | | tcp |
Files
memory/1792-0-0x0000000000840000-0x0000000000879000-memory.dmp
\Users\Admin\AppData\Local\Temp\opert.exe
| MD5 | 2de2da70e584c5f21514c3473faffed0 |
| SHA1 | 378cb43f427c037a63a2db35c4a5fe018c7a285e |
| SHA256 | 127d9e553732be686e227db5cad2f4830a2d78da6de16f252dea000ba1fa0c3d |
| SHA512 | 6955df508955dc2ede02883e3229fe0d61641d9888a686997c27c0ccff795b5484fcb260003694c86c1c10dccf6fd475ee85dd856d3c8be9a4c1f402cd8945fe |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 8ebb5e515e68471584943228bde27301 |
| SHA1 | b81eb6c83e61919310d19b02e0636fd0b24cbf9b |
| SHA256 | 08bee23234ef7f8f8e2c3d984c776535ff96ece058c1d71ce73c2258468cfd30 |
| SHA512 | bedf2bfb052c322df7adf8e2f336a255f4bf34261801113c110c0ea64ca5d3423696f0e51a458938debf07ec598d85b333939502499d4356c339fb38e99a0333 |
memory/2540-17-0x0000000000250000-0x0000000000289000-memory.dmp
memory/1792-16-0x0000000002210000-0x0000000002249000-memory.dmp
memory/1792-19-0x0000000000840000-0x0000000000879000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 6735bbe93159782090eb9c49dde676c6 |
| SHA1 | 6edec7009f27d90d36081a9d4a05fc6e6bde28e2 |
| SHA256 | f8925f72b19e3a2e14ebfda83d63a10e4a6f218d84cc30fb738caa9a575e1217 |
| SHA512 | 8c85cef74bcd042b528424c1b99149bf5374c428f61a5f3c99e4f42460453b7a36cd0edbf8f76a042432800ee93916a7650b55e41d06f51566ad2cf3d69be696 |
memory/2540-22-0x0000000000250000-0x0000000000289000-memory.dmp
memory/2540-28-0x0000000000250000-0x0000000000289000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 01:59
Reported
2024-08-04 02:01
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3556 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | C:\Users\Admin\AppData\Local\Temp\opert.exe |
| PID 3556 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | C:\Users\Admin\AppData\Local\Temp\opert.exe |
| PID 3556 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | C:\Users\Admin\AppData\Local\Temp\opert.exe |
| PID 3556 wrote to memory of 264 | N/A | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3556 wrote to memory of 264 | N/A | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3556 wrote to memory of 264 | N/A | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe
"C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe"
C:\Users\Admin\AppData\Local\Temp\opert.exe
"C:\Users\Admin\AppData\Local\Temp\opert.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| KR | 218.54.28.139:11120 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/3556-0-0x0000000000FB0000-0x0000000000FE9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\opert.exe
| MD5 | bfd67028f4a96897e6f9ab84e5f7df9d |
| SHA1 | 664fea05eda12772fab5b93418b06919345ce15d |
| SHA256 | 246ca3912d0cec7aa1c8f5de1f61638c3506f55ee3ed6d51aad16b9404cbfe99 |
| SHA512 | cd50aca410168da090e1caa3cd4453dd887748b55d7170d493be979b63023f87427aa079f8085033f8e99fff57515529208bbd253e788bbb4a9daf999189e17b |
memory/320-12-0x0000000000AA0000-0x0000000000AD9000-memory.dmp
memory/3556-15-0x0000000000FB0000-0x0000000000FE9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 8ebb5e515e68471584943228bde27301 |
| SHA1 | b81eb6c83e61919310d19b02e0636fd0b24cbf9b |
| SHA256 | 08bee23234ef7f8f8e2c3d984c776535ff96ece058c1d71ce73c2258468cfd30 |
| SHA512 | bedf2bfb052c322df7adf8e2f336a255f4bf34261801113c110c0ea64ca5d3423696f0e51a458938debf07ec598d85b333939502499d4356c339fb38e99a0333 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 6735bbe93159782090eb9c49dde676c6 |
| SHA1 | 6edec7009f27d90d36081a9d4a05fc6e6bde28e2 |
| SHA256 | f8925f72b19e3a2e14ebfda83d63a10e4a6f218d84cc30fb738caa9a575e1217 |
| SHA512 | 8c85cef74bcd042b528424c1b99149bf5374c428f61a5f3c99e4f42460453b7a36cd0edbf8f76a042432800ee93916a7650b55e41d06f51566ad2cf3d69be696 |
memory/320-18-0x0000000000AA0000-0x0000000000AD9000-memory.dmp
memory/320-24-0x0000000000AA0000-0x0000000000AD9000-memory.dmp