Analysis Overview
SHA256
fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6
Threat Level: Known bad
The file fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 05:06
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 05:06
Reported
2024-10-08 10:44
Platform
win7-20240903-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe
"C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
Files
memory/2288-0-0x0000000000360000-0x0000000000391000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | b8e234dfbdbd6300ac4ad07ff295ce1f |
| SHA1 | e148bf4aacd7125cd8cc20b0ed0c31096efab277 |
| SHA256 | 6c3903f67ec3e9514e6490171a6a41e3b839469f45e56881514aee66303abaab |
| SHA512 | b2d99d62853b2d34f4f81f11cb38b8417fb4ff4f4a77a0bd485497b9cf416b59e116e2f4fcfaf7e3337e594312d71dd81e3005de3ce4025c76389a00f8783f85 |
memory/2108-10-0x0000000000C30000-0x0000000000C61000-memory.dmp
memory/2288-9-0x0000000000570000-0x00000000005A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 540a9ac78448a14043de54466947c995 |
| SHA1 | b1fac401682e5ebc32169f549111554cf8a8b7ca |
| SHA256 | 6d2c7ce0566cc4da3a8152380e04db7242b75328b12c3f4f8c675b9fa72b963b |
| SHA512 | ea3c011243b6173bf6243057072b0e152335ecc79a97d7086db84e857e111bae3969c23e63c55cadbe66fd987254b44b90e4b2358404718563ead73ab8346723 |
memory/2288-18-0x0000000000360000-0x0000000000391000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ede6388dfbb03ff576508b085d03e793 |
| SHA1 | 71d2e779ac6ed074b5698651a8c7fa3b047ccb50 |
| SHA256 | 779c0d78580692dadb2978ddfcd44d68f8282bb3453c638c9a4c2feecc1b96f8 |
| SHA512 | 097e3b9b2ad80944e542785db3a9062ecb2c657192d96659dcc5267f362b186c91722f2bc103f19ef895e6d9821cf33d262569fae23605888d75f38d2e30093b |
memory/2108-21-0x0000000000C30000-0x0000000000C61000-memory.dmp
memory/2108-22-0x0000000000C30000-0x0000000000C61000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 05:06
Reported
2024-10-08 10:44
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe
"C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.201.50.20.in-addr.arpa | udp |
Files
memory/1388-0-0x0000000000060000-0x0000000000091000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 7bc24c9d58f61739a16c3621da0544b8 |
| SHA1 | 2bcb07d63cc412037fe43f7f086b0db3bd91b3be |
| SHA256 | 3eb4b2a55ee8250a9c0323c7cc1412c5c4e5ba70de1bb7a646b86daf76a869d8 |
| SHA512 | 0c0348520015c4c25c9b4c547cfae4c119342526337bca8ace3629ab4cb65c4d017194966de3bf8bc024f8010b2048c0261b0f8d1c91f0c683f2f171461fe310 |
memory/2612-15-0x00000000005B0000-0x00000000005E1000-memory.dmp
memory/1388-17-0x0000000000060000-0x0000000000091000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 540a9ac78448a14043de54466947c995 |
| SHA1 | b1fac401682e5ebc32169f549111554cf8a8b7ca |
| SHA256 | 6d2c7ce0566cc4da3a8152380e04db7242b75328b12c3f4f8c675b9fa72b963b |
| SHA512 | ea3c011243b6173bf6243057072b0e152335ecc79a97d7086db84e857e111bae3969c23e63c55cadbe66fd987254b44b90e4b2358404718563ead73ab8346723 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ede6388dfbb03ff576508b085d03e793 |
| SHA1 | 71d2e779ac6ed074b5698651a8c7fa3b047ccb50 |
| SHA256 | 779c0d78580692dadb2978ddfcd44d68f8282bb3453c638c9a4c2feecc1b96f8 |
| SHA512 | 097e3b9b2ad80944e542785db3a9062ecb2c657192d96659dcc5267f362b186c91722f2bc103f19ef895e6d9821cf33d262569fae23605888d75f38d2e30093b |
memory/2612-20-0x00000000005B0000-0x00000000005E1000-memory.dmp
memory/2612-21-0x00000000005B0000-0x00000000005E1000-memory.dmp