Analysis Overview
SHA256
76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b
Threat Level: Known bad
The file 76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Executes dropped EXE
Deletes itself
Loads dropped DLL
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 22:43
Signatures
Urelas family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 22:43
Reported
2024-08-11 22:46
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
134s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe
"C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe"
C:\Users\Admin\AppData\Local\Temp\opert.exe
"C:\Users\Admin\AppData\Local\Temp\opert.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4376,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | tcp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| KR | 121.88.5.184:11170 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.28.139:11120 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3660-0-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\opert.exe
| MD5 | 63ef760053b8a7b73fcd10e8aea8e70a |
| SHA1 | 14cc1a09fd0b145f41231ed98b6d78be8baaa459 |
| SHA256 | d6a23f30dcad9cb1b900c86c6dda625da55ebda4437d56ff61b12949914200d0 |
| SHA512 | a0236b4d92ba7108303a1ea26749285a5149111b4cc495d3d6da2d47daf60873c827298363985338571588bf86fd0c98ed08765121f5f0f550a0758e73717fc0 |
memory/2660-13-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3660-14-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 35b91ecf81f9aa60b3db2f9237bb43ad |
| SHA1 | 1937e052e7d04b17ea5453508cf373c130e3f9c1 |
| SHA256 | 13a510a383b77b35d9cc35133137f7fc322ecbaf7e76f1f706b8378a950ca770 |
| SHA512 | 15561e562cf3e2553390c7b933b08caeedbca8df70e15cccd5b0b39dade76f338c1ac97e8e220b444049d7304689ef07cd43cb274ed47d4a10af3570de631c79 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 711e26fa1024e8da58addb2cc5cb0480 |
| SHA1 | d74e9904ded2879fc72a86888fc6b2a565dd1c6d |
| SHA256 | 6de0fa8644d6bd089519e966f32acc2d0ab83dfc425ac40d7d5114ad83657616 |
| SHA512 | 2df203e52c624dfe744df23e128d3495cf9a0bbcd5186b554724cc89a316322f5dd2e5e73a6dfec5790ad2f857be220e502024caf5b9c4500194f59e07a2bec4 |
memory/2660-17-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2660-18-0x0000000000400000-0x000000000045A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 22:43
Reported
2024-08-11 22:46
Platform
win7-20240705-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe
"C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe"
C:\Users\Admin\AppData\Local\Temp\opert.exe
"C:\Users\Admin\AppData\Local\Temp\opert.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11120 | tcp | |
| KR | 121.88.5.184:11170 | tcp | |
| KR | 218.54.28.139:11120 | tcp |
Files
memory/3016-0-0x0000000000400000-0x000000000045A000-memory.dmp
\Users\Admin\AppData\Local\Temp\opert.exe
| MD5 | 716f1355553f47bb8730743e50e2510e |
| SHA1 | 55ebf6dc178fa1204d9c0c8b401713457792b53b |
| SHA256 | 5b4438908c2fe7168531afaeeb288b210842c00f62464a04ca1794abe139868d |
| SHA512 | 25acde5aceb31292aeb50ce29c31246549c9761891732f82f09b9ca1cc01ce2e2ad7ade50ff80cba5833d2e6095c2ccba6e6fafec99c80618d530650000e8ec6 |
memory/3016-10-0x0000000002630000-0x000000000268A000-memory.dmp
memory/2408-16-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 35b91ecf81f9aa60b3db2f9237bb43ad |
| SHA1 | 1937e052e7d04b17ea5453508cf373c130e3f9c1 |
| SHA256 | 13a510a383b77b35d9cc35133137f7fc322ecbaf7e76f1f706b8378a950ca770 |
| SHA512 | 15561e562cf3e2553390c7b933b08caeedbca8df70e15cccd5b0b39dade76f338c1ac97e8e220b444049d7304689ef07cd43cb274ed47d4a10af3570de631c79 |
memory/3016-18-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 711e26fa1024e8da58addb2cc5cb0480 |
| SHA1 | d74e9904ded2879fc72a86888fc6b2a565dd1c6d |
| SHA256 | 6de0fa8644d6bd089519e966f32acc2d0ab83dfc425ac40d7d5114ad83657616 |
| SHA512 | 2df203e52c624dfe744df23e128d3495cf9a0bbcd5186b554724cc89a316322f5dd2e5e73a6dfec5790ad2f857be220e502024caf5b9c4500194f59e07a2bec4 |
memory/2408-21-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2408-22-0x0000000000400000-0x000000000045A000-memory.dmp