Analysis Overview
SHA256
0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e
Threat Level: Known bad
The file 0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 18:32
Signatures
Urelas family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 18:32
Reported
2024-10-08 18:35
Platform
win7-20240708-en
Max time kernel
47s
Max time network
35s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe
"C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 211.57.201.131:11120 | | tcp |
| KR | 211.57.201.131:11170 | | tcp |
Files
memory/964-0-0x00000000013A0000-0x00000000013D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 919cededa276942794bf519a732f70b1 |
| SHA1 | 20d67dff907230bd4a1a6c1f358e94f2e87bf59f |
| SHA256 | 4c20439e4f7c5c5a455e13af89a767fc10a4101937d12e781a04cfae0fc26379 |
| SHA512 | 9d7ca9bbc2a72f32eeff943fae5ac88d2d8c12f5ead85734c9245f4c1632eb9403e33836d4ad2a6aa2fc2397c696f771910eb0b2b35eda738c7aa2d553289fa4 |
memory/964-6-0x0000000000DB0000-0x0000000000DE1000-memory.dmp
memory/2860-10-0x0000000000CF0000-0x0000000000D21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 790d13839f31c639cd8de46da32d5651 |
| SHA1 | 5ea6127c75929b7f00a5a8d3b51167ad50d2f47e |
| SHA256 | 799234648766c4aa0ab5da3f93544ac41639b22674d312140cd48a3b12c759f1 |
| SHA512 | f246635909a7ba6ce7b9b945d293e73c72344458422303f5a6bb99630d63d35d349520d316d23e118badb937da9066f5a7c6112d9787cf54ba2322bb776477d8 |
memory/964-19-0x00000000013A0000-0x00000000013D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 55d2fdd1432483e3ba86ebeccfe130b6 |
| SHA1 | 7280b14d708800fd15303b2caa8628a0fbd7aa08 |
| SHA256 | 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb |
| SHA512 | 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3 |
memory/2860-22-0x0000000000CF0000-0x0000000000D21000-memory.dmp
memory/2860-24-0x0000000000CF0000-0x0000000000D21000-memory.dmp
memory/2860-26-0x0000000000CF0000-0x0000000000D21000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 18:32
Reported
2024-10-08 18:35
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe
"C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 211.57.201.131:11120 | | tcp |
| KR | 211.57.201.131:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/2120-0-0x0000000000080000-0x00000000000B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 98e9ee0241b55e781baf7231ceb8afe3 |
| SHA1 | 3cdd772b72af7f5305534c54a0828e33d7387eab |
| SHA256 | b12524d56424556078b53e018b93c01851d776b0b6a416aa4542cdae5b6fa9cb |
| SHA512 | dd2253acb59c6fd50f513e02fc45a4c0483b15b0ae3aeebbaa81e50194d5d063fad1b425b042e5dfd5278804bc32117c4b5409c5b9af8e952c3d96068bed2ab4 |
memory/4928-13-0x0000000000FA0000-0x0000000000FD1000-memory.dmp
memory/2120-18-0x0000000000080000-0x00000000000B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 790d13839f31c639cd8de46da32d5651 |
| SHA1 | 5ea6127c75929b7f00a5a8d3b51167ad50d2f47e |
| SHA256 | 799234648766c4aa0ab5da3f93544ac41639b22674d312140cd48a3b12c759f1 |
| SHA512 | f246635909a7ba6ce7b9b945d293e73c72344458422303f5a6bb99630d63d35d349520d316d23e118badb937da9066f5a7c6112d9787cf54ba2322bb776477d8 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 55d2fdd1432483e3ba86ebeccfe130b6 |
| SHA1 | 7280b14d708800fd15303b2caa8628a0fbd7aa08 |
| SHA256 | 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb |
| SHA512 | 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3 |
memory/4928-21-0x0000000000FA0000-0x0000000000FD1000-memory.dmp
memory/4928-23-0x0000000000FA0000-0x0000000000FD1000-memory.dmp
memory/4928-25-0x0000000000FA0000-0x0000000000FD1000-memory.dmp