Analysis Overview
SHA256
0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e
Threat Level: Known bad
The file 0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 18:35
Signatures
Urelas family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 18:35
Reported
2024-10-08 18:38
Platform
win7-20240903-en
Max time kernel
48s
Max time network
43s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe
"C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 211.57.201.131:11120 | | tcp |
| KR | 211.57.201.131:11170 | | tcp |
Files
memory/2368-0-0x0000000000260000-0x0000000000291000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 33f98a341fab62c52f6545fb137b927e |
| SHA1 | b35e5678167b74fba44f9a963affb051cb471463 |
| SHA256 | f9332e6a43f6d02297cd910cefcd583e0fcf885cf4da7886a1bd124f41bbdadb |
| SHA512 | 4cd103d4e9db65aa6d75511f7d66e4f87bf33823b7df7f5194e3df6b70e7a6699ca8f291f07fc52d9cb0df608d2d1e23ec3f6426f07bf3b0a1f4ea018c1afae2 |
memory/2368-6-0x00000000004F0000-0x0000000000521000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 790d13839f31c639cd8de46da32d5651 |
| SHA1 | 5ea6127c75929b7f00a5a8d3b51167ad50d2f47e |
| SHA256 | 799234648766c4aa0ab5da3f93544ac41639b22674d312140cd48a3b12c759f1 |
| SHA512 | f246635909a7ba6ce7b9b945d293e73c72344458422303f5a6bb99630d63d35d349520d316d23e118badb937da9066f5a7c6112d9787cf54ba2322bb776477d8 |
memory/2368-18-0x0000000000260000-0x0000000000291000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 55d2fdd1432483e3ba86ebeccfe130b6 |
| SHA1 | 7280b14d708800fd15303b2caa8628a0fbd7aa08 |
| SHA256 | 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb |
| SHA512 | 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3 |
memory/2704-21-0x0000000000380000-0x00000000003B1000-memory.dmp
memory/2704-23-0x0000000000380000-0x00000000003B1000-memory.dmp
memory/2704-26-0x0000000000380000-0x00000000003B1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 18:35
Reported
2024-10-08 18:38
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe
"C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 211.57.201.131:11120 | | tcp |
| KR | 211.57.201.131:11170 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/4460-0-0x00000000000C0000-0x00000000000F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 6d688df215d02c3c2f01c34035e3c926 |
| SHA1 | cfbd94f67ae8143a99986b3954ac80e98313f5b4 |
| SHA256 | db9e65b73a48f8e779eb8868cb866e699f41f3ce1d6c0872d24b98560ab05dc9 |
| SHA512 | 34ebaf969d3ae6df540f6a354fe85825f4a5ac8627e43b04a120916c28230033d631088f347f329d4b824eb820e91308ba0327a2b4a0aca6837f14779cfd677d |
memory/3708-15-0x0000000000B00000-0x0000000000B31000-memory.dmp
memory/4460-18-0x00000000000C0000-0x00000000000F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 790d13839f31c639cd8de46da32d5651 |
| SHA1 | 5ea6127c75929b7f00a5a8d3b51167ad50d2f47e |
| SHA256 | 799234648766c4aa0ab5da3f93544ac41639b22674d312140cd48a3b12c759f1 |
| SHA512 | f246635909a7ba6ce7b9b945d293e73c72344458422303f5a6bb99630d63d35d349520d316d23e118badb937da9066f5a7c6112d9787cf54ba2322bb776477d8 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 55d2fdd1432483e3ba86ebeccfe130b6 |
| SHA1 | 7280b14d708800fd15303b2caa8628a0fbd7aa08 |
| SHA256 | 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb |
| SHA512 | 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3 |
memory/3708-21-0x0000000000B00000-0x0000000000B31000-memory.dmp
memory/3708-23-0x0000000000B00000-0x0000000000B31000-memory.dmp
memory/3708-25-0x0000000000B00000-0x0000000000B31000-memory.dmp