Analysis Overview
SHA256
cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb
Threat Level: Known bad
The file cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-07 03:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 03:02
Reported
2024-08-07 03:04
Platform
win7-20240704-en
Max time kernel
90s
Max time network
83s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe
"C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
Files
memory/2172-0-0x0000000000C50000-0x0000000000C87000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | b42db576208121735b9203953edebd34 |
| SHA1 | 28a4a2fa39910e2ad53b3daf0c56d500251df6c7 |
| SHA256 | 5746c14ffb65a69526aef3e74eb395fcb5793bc62d7d159f84a1026b017b47b2 |
| SHA512 | adffbe719b4dbcfb7e36e6642e96271c0db324391a0ebc0319e5dd6e055a022474e6148b1db336b6ef40469be9bc9baf7244ee1d317e047f008c4441ee6fc0a5 |
memory/2172-6-0x0000000000B00000-0x0000000000B37000-memory.dmp
memory/968-10-0x0000000000FE0000-0x0000000001017000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 060a220c7dd7c939af5b9104732001bd |
| SHA1 | 67dc7728f78072c8f754b710ce2e1b1c8bc1e19f |
| SHA256 | df86da355a64ba5107a90fafa4c7437ddf6a9ae0d83ffe0a739ee703d784e998 |
| SHA512 | 6757edfd77352432701c5150415e380add0d511e033645d34da3dcd4aa8bd9dd844364ce02a5bc82ce0258aae1cbb8009cc167f040f7e058540caa23bab3ba33 |
memory/2172-19-0x0000000000C50000-0x0000000000C87000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a39f3ff1599241818ef65c0fd09039ed |
| SHA1 | 8d40b394a337a9da3330603fcd523842bccdf504 |
| SHA256 | 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc |
| SHA512 | 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e |
memory/968-22-0x0000000000FE0000-0x0000000001017000-memory.dmp
memory/968-24-0x0000000000FE0000-0x0000000001017000-memory.dmp
memory/968-30-0x0000000000FE0000-0x0000000001017000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 03:02
Reported
2024-08-07 03:04
Platform
win10v2004-20240802-en
Max time kernel
100s
Max time network
109s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe
"C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3940-0-0x0000000000170000-0x00000000001A7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 25c1fbc8956f68917485c169e390cd85 |
| SHA1 | a99ea4d8c25c735436ae9cb49cc0cc9668692116 |
| SHA256 | 180d12e845508261f7d3577c10bff8097d88673c133d4c7c8b2ada8cb1ec64fd |
| SHA512 | 1f43c67ee37bba139f3bf16f24802888028de141485516c43cab5f39fe4e73dc6b7d1c18c5954a4cf75d1158c4f67ae15b167e99e7c1fb9b556f4e62a3a2bd6b |
memory/2636-10-0x00000000001A0000-0x00000000001D7000-memory.dmp
memory/3940-15-0x0000000000170000-0x00000000001A7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 060a220c7dd7c939af5b9104732001bd |
| SHA1 | 67dc7728f78072c8f754b710ce2e1b1c8bc1e19f |
| SHA256 | df86da355a64ba5107a90fafa4c7437ddf6a9ae0d83ffe0a739ee703d784e998 |
| SHA512 | 6757edfd77352432701c5150415e380add0d511e033645d34da3dcd4aa8bd9dd844364ce02a5bc82ce0258aae1cbb8009cc167f040f7e058540caa23bab3ba33 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a39f3ff1599241818ef65c0fd09039ed |
| SHA1 | 8d40b394a337a9da3330603fcd523842bccdf504 |
| SHA256 | 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc |
| SHA512 | 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e |
memory/2636-18-0x00000000001A0000-0x00000000001D7000-memory.dmp
memory/2636-20-0x00000000001A0000-0x00000000001D7000-memory.dmp
memory/2636-27-0x00000000001A0000-0x00000000001D7000-memory.dmp