Analysis Overview
SHA256
27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1
Threat Level: Known bad
The file 27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Loads dropped DLL
Deletes itself
Checks computer location settings
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 19:39
Signatures
Urelas family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 19:39
Reported
2024-10-07 19:43
Platform
win7-20240903-en
Max time kernel
91s
Max time network
95s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe
"C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
Files
memory/2876-0-0x0000000000400000-0x0000000000431000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 836db3035505dd5214fe48ccd600c503 |
| SHA1 | 3fc5ad46378ea143e0fa0ecf61b8116e70452791 |
| SHA256 | 76b3b383d6a10aebda4d955c3d024d4d42a87296bcca26abeaf46c4b98311177 |
| SHA512 | d51fef73c08195f9df11c099e4b92400ce5b9b4b33437766cd41740f89c67a528328f29fe7516ec43ebd0df5910e9d200e2e9d818b102bc5ee5df9162f18f42c |
memory/1864-9-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 839fcd8ad55c2036ccbc1a03c7dcd838 |
| SHA1 | 542fa9ba2f7b049ac94617d49aeb0bb97ed01052 |
| SHA256 | 8219e7029137248d238defe857458d4ac53194f9f3aa733e6e88654aa66a29ca |
| SHA512 | b89b84296e8b40226b3622a670108689f69f4ecbba9dbe736558f06817f1c44615fe44d043e6a09ecb63bb7fc45cc2e687c27f6193959be84a09203252bac676 |
memory/2876-17-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a01dba4c45102fc15292fd5591166536 |
| SHA1 | d96191c30e0f09439d8547f4ededbf6726ccd54b |
| SHA256 | cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904 |
| SHA512 | 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32 |
memory/1864-20-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1864-22-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1864-28-0x0000000000400000-0x0000000000431000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 19:39
Reported
2024-10-08 11:00
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
149s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe
"C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| KR | 112.175.88.207:11150 | | tcp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3620-0-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 294a9136a801b41b258feb29c08f7be9 |
| SHA1 | e9784752a7efdf457a7b2b2f8437adeb11c38d37 |
| SHA256 | 0c6c782e73064aeac8001cd75998541b94fc2ec406cbddddd10a23f24da7627d |
| SHA512 | df206361736fe0443f1b4400151159cd2a41c3fbe6189db61cc198ffa8a359bd31c2b24b3924b288c290f2a9b9e3144d46ba5e61658de1787ca2d7633583a4fd |
memory/3620-17-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 839fcd8ad55c2036ccbc1a03c7dcd838 |
| SHA1 | 542fa9ba2f7b049ac94617d49aeb0bb97ed01052 |
| SHA256 | 8219e7029137248d238defe857458d4ac53194f9f3aa733e6e88654aa66a29ca |
| SHA512 | b89b84296e8b40226b3622a670108689f69f4ecbba9dbe736558f06817f1c44615fe44d043e6a09ecb63bb7fc45cc2e687c27f6193959be84a09203252bac676 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a01dba4c45102fc15292fd5591166536 |
| SHA1 | d96191c30e0f09439d8547f4ededbf6726ccd54b |
| SHA256 | cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904 |
| SHA512 | 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32 |
memory/4128-20-0x0000000000400000-0x0000000000431000-memory.dmp
memory/4128-22-0x0000000000400000-0x0000000000431000-memory.dmp
memory/4128-28-0x0000000000400000-0x0000000000431000-memory.dmp