Analysis Overview
SHA256
c1a10d79b96a9be050614303a00d5769f53389d9ce07c980eb3b0b9b2ea70b6f
Threat Level: Known bad
The file c1a10d79b96a9be050614303a00d5769f53389d9ce07c980eb3b0b9b2ea70b6f was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
UPX packed file
Deletes itself
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 02:49
Signatures
Urelas family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 02:49
Reported
2024-08-04 02:52
Platform
win7-20240729-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1a10d79b96a9be050614303a00d5769f53389d9ce07c980eb3b0b9b2ea70b6f.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c1a10d79b96a9be050614303a00d5769f53389d9ce07c980eb3b0b9b2ea70b6f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c1a10d79b96a9be050614303a00d5769f53389d9ce07c980eb3b0b9b2ea70b6f.exe
"C:\Users\Admin\AppData\Local\Temp\c1a10d79b96a9be050614303a00d5769f53389d9ce07c980eb3b0b9b2ea70b6f.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
Files
memory/2660-0-0x0000000000400000-0x0000000000431000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | f2cf602041ce080f8d03c2fb06c8164a |
| SHA1 | d15addb5a2e17b8cd9df11dd501936fc3fc5594a |
| SHA256 | 3ff948a3989f25a3524f55442ad1e440675b1d327895c04ab755d54dae9978c5 |
| SHA512 | e0756bbdffdc9bbbc4b10c4f3d3780eacd6f784840e870e529a32a184f299a5db1c9597fa267bb69d7acd6aa6f0e753ed71c36fb24ed314dfe594cfa5d31fb9d |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 6637b170389d4585d411c8a04b522289 |
| SHA1 | 7c464218af2563a530b0ec1f5c78ff00eed6e844 |
| SHA256 | e08eb5f2b6776b3d95a78f38afde4daa747b30885f47dda2356499202b8958e4 |
| SHA512 | 47eb19e74e566e6fa7e783780207b2fde080963729e61fda4912860592c34a0f3182b364510f3f83b9493e2d3fbab6352da3251378b03486cd62392a37fcbca3 |
memory/2660-8-0x0000000001D30000-0x0000000001D61000-memory.dmp
memory/2804-17-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2660-19-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a01dba4c45102fc15292fd5591166536 |
| SHA1 | d96191c30e0f09439d8547f4ededbf6726ccd54b |
| SHA256 | cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904 |
| SHA512 | 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32 |
memory/2804-22-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2804-24-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2804-31-0x0000000000400000-0x0000000000431000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 02:49
Reported
2024-08-04 02:52
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c1a10d79b96a9be050614303a00d5769f53389d9ce07c980eb3b0b9b2ea70b6f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c1a10d79b96a9be050614303a00d5769f53389d9ce07c980eb3b0b9b2ea70b6f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c1a10d79b96a9be050614303a00d5769f53389d9ce07c980eb3b0b9b2ea70b6f.exe
"C:\Users\Admin\AppData\Local\Temp\c1a10d79b96a9be050614303a00d5769f53389d9ce07c980eb3b0b9b2ea70b6f.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/3976-0-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | d977bef362b0d377dc59edc28e78280b |
| SHA1 | b42fb786e60528cddd198a2a9f3a1f62cb38d92d |
| SHA256 | 3d5bb8069bc5f87037cc009c409ae9e206302ab9b9a54f8826a3b03637c18776 |
| SHA512 | 97fa2dd2968dfc366c320c09aac5285cade4bde62e6ec49461b35c4e4f29322681653c8ec393f488b309d42c1fc5b65a6b30ce5d7e02aa72cedf2e4a8e1e60ba |
memory/1588-15-0x0000000000400000-0x0000000000431000-memory.dmp
memory/3976-17-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 6637b170389d4585d411c8a04b522289 |
| SHA1 | 7c464218af2563a530b0ec1f5c78ff00eed6e844 |
| SHA256 | e08eb5f2b6776b3d95a78f38afde4daa747b30885f47dda2356499202b8958e4 |
| SHA512 | 47eb19e74e566e6fa7e783780207b2fde080963729e61fda4912860592c34a0f3182b364510f3f83b9493e2d3fbab6352da3251378b03486cd62392a37fcbca3 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a01dba4c45102fc15292fd5591166536 |
| SHA1 | d96191c30e0f09439d8547f4ededbf6726ccd54b |
| SHA256 | cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904 |
| SHA512 | 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32 |
memory/1588-20-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1588-22-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1588-29-0x0000000000400000-0x0000000000431000-memory.dmp