Analysis Overview
SHA256
9b9fcae8338d9b592efd5542a5f2f94035efc4607e1a862e31950d12acb062f4
Threat Level: Known bad
The file ac59e3715f8dae42406952e8ec759320N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-05 16:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 16:05
Reported
2024-08-05 16:08
Platform
win7-20240708-en
Max time kernel
89s
Max time network
89s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe
"C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | N/A | tcp |
| KR | 112.175.88.208:11150 | N/A | tcp |
| KR | 112.175.88.209:11170 | N/A | tcp |
| KR | 112.175.88.207:11150 | N/A | tcp |
Files
memory/2416-0-0x0000000000E80000-0x0000000000EB7000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 843af422c855a493e775c10e7ffab33d |
| SHA1 | 37c587744c83d926a629b6c6dac2083fd4306014 |
| SHA256 | 9d749de75c28d3629c7e8e73415bb31d5fbff6f7105c6b8941f8e5a45a87b833 |
| SHA512 | bb6e6ae77ee381c0c9669ff93a85859c5f71a274cbb2febcafb87ac698769c3d9a98634ff98d9da718c23e1c8f3dde58a4da66ea605fd6001074a681f7f9545b |
memory/2840-10-0x0000000000020000-0x0000000000057000-memory.dmp
memory/2416-9-0x0000000000990000-0x00000000009C7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 3419bd20baf35d56aa81eee396613864 |
| SHA1 | 09f84ec125b495804b571ce4a7cc9e3c4f3dbc87 |
| SHA256 | 6e01d85a5f7fce2f926d34f81bbeceb551a37e85426a1c1631e0e93b3d50848c |
| SHA512 | 9766e337e84ded3bf205f7479b05b7c5aa6a76b758adadac1961bc8910b29795214bef9f18930a4737a8538057cff5c294288adc8a47f90260dd2288f44fee6c |
memory/2416-19-0x0000000000E80000-0x0000000000EB7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a39f3ff1599241818ef65c0fd09039ed |
| SHA1 | 8d40b394a337a9da3330603fcd523842bccdf504 |
| SHA256 | 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc |
| SHA512 | 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e |
memory/2840-22-0x0000000000020000-0x0000000000057000-memory.dmp
memory/2840-24-0x0000000000020000-0x0000000000057000-memory.dmp
memory/2840-31-0x0000000000020000-0x0000000000057000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 16:05
Reported
2024-08-05 16:08
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2452 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 2452 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 2452 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 2452 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2452 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2452 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe
"C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | N/A | tcp |
| KR | 112.175.88.208:11150 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | N/A | tcp |
| US | 8.8.8.8:53 | 20.58.20.217.in-addr.arpa | udp |
| KR | 112.175.88.207:11150 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/2452-0-0x0000000000250000-0x0000000000287000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 07fe947e10aac7c6e26e0578c938845e |
| SHA1 | 1e8ac3e0da548bb75664287c08651cdeb708540b |
| SHA256 | b0ee06b910ce3f09045b4f15ff0a24a4047b0d36fddef4b1808a3395a6fb2bdb |
| SHA512 | f65cc54fd5cbdc9ff49a17263b42e240ca0b44cf482108fecba85b7d616d65c24718b168d1a4d7a068fff415c5ddbfeceaeaf4e0bb587d578740d28df75b2a12 |
memory/1792-13-0x0000000000F10000-0x0000000000F47000-memory.dmp
memory/2452-15-0x0000000000250000-0x0000000000287000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 3419bd20baf35d56aa81eee396613864 |
| SHA1 | 09f84ec125b495804b571ce4a7cc9e3c4f3dbc87 |
| SHA256 | 6e01d85a5f7fce2f926d34f81bbeceb551a37e85426a1c1631e0e93b3d50848c |
| SHA512 | 9766e337e84ded3bf205f7479b05b7c5aa6a76b758adadac1961bc8910b29795214bef9f18930a4737a8538057cff5c294288adc8a47f90260dd2288f44fee6c |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a39f3ff1599241818ef65c0fd09039ed |
| SHA1 | 8d40b394a337a9da3330603fcd523842bccdf504 |
| SHA256 | 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc |
| SHA512 | 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e |
memory/1792-18-0x0000000000F10000-0x0000000000F47000-memory.dmp
memory/1792-20-0x0000000000F10000-0x0000000000F47000-memory.dmp
memory/1792-26-0x0000000000F10000-0x0000000000F47000-memory.dmp