Analysis Overview
SHA256
836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf
Threat Level: Known bad
The file 836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-09 22:48
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-09 22:48
Reported: 2024-10-09 22:51
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe
"C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
Files
memory/2292-1-0x0000000000E00000-0x0000000000E82000-memory.dmp
memory/2292-0-0x0000000000E00000-0x0000000000E82000-memory.dmp
\Users\Admin\AppData\Local\Temp\sander.exe
| Hash | Value |
|---|---|
| MD5 | 7eafee011423bbc7a03f9d6902ea11ea |
| SHA1 | 75e149f555d2df758f98750ad38d2ee0f3e0ea2b |
| SHA256 | d35724ff1cd3fa0dd84bc148ad7f163662956e9e2ac5b8abe9ed42ef9fec195a |
| SHA512 | f4ba2a1b0475d5205493d516d77e24ef41570023b8ed5939dfcf80d1fde1a3959d7bbfd2c8f771a67d977bd492d0f0bd7d51038c5e0b78387375c52a95880154 |
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| Hash | Value |
|---|---|
| MD5 | fbf013e1f3dc8909c5806662e13ec8c0 |
| SHA1 | 4a7a31de3408c23e1de4243ef8c113126cfde7fc |
| SHA256 | 81fb42d98f502a99ceb69fb0df9c67cb27c8856d77766b13b7a7a6e1eab28a13 |
| SHA512 | 9192c250ae4dc3197f913f8dc8455ed15489b0d5100f3e6d39781783acd78b52db43f40b9599ad4ee879806ed066ea593c582f06eeb98461d6817962220668ab |
memory/2292-19-0x0000000000D60000-0x0000000000DE2000-memory.dmp
memory/2292-18-0x0000000000E00000-0x0000000000E82000-memory.dmp
memory/2320-20-0x0000000001280000-0x0000000001302000-memory.dmp
memory/2320-16-0x0000000001280000-0x0000000001302000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 145cec05d8d704ff7aa3d812b1aff628 |
| SHA1 | 097ae09965ed3804359803708b8af87b5b90fcbb |
| SHA256 | 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea |
| SHA512 | 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d |
memory/2320-23-0x0000000001280000-0x0000000001302000-memory.dmp
memory/2320-24-0x0000000001280000-0x0000000001302000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-09 22:48
Reported: 2024-10-09 22:51
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe
"C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| KR | 218.54.30.235:11120 | | tcp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4728-0-0x0000000000860000-0x00000000008E2000-memory.dmp
memory/4728-1-0x0000000000860000-0x00000000008E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sander.exe
| Hash | Value |
|---|---|
| MD5 | 781b61f74dbe208d4339190bbfd5a660 |
| SHA1 | c2a878a4f714b01c2bb13dc3851567f469ea1cc7 |
| SHA256 | 95d7498efd61a681ef31dbd852c728082a50e4f4dea06e4b99d9002c6ea98e01 |
| SHA512 | da69a492691b7ceb01e90c8ed6c82730de408471e95330963e0c419170df6dfadb6cf4ad9836d2ecc6d5cd31657893424c17d8c94e45c46ed89d2a2d8b182539 |
memory/2996-14-0x0000000000920000-0x00000000009A2000-memory.dmp
memory/4728-16-0x0000000000860000-0x00000000008E2000-memory.dmp
memory/2996-11-0x0000000000920000-0x00000000009A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| Hash | Value |
|---|---|
| MD5 | fbf013e1f3dc8909c5806662e13ec8c0 |
| SHA1 | 4a7a31de3408c23e1de4243ef8c113126cfde7fc |
| SHA256 | 81fb42d98f502a99ceb69fb0df9c67cb27c8856d77766b13b7a7a6e1eab28a13 |
| SHA512 | 9192c250ae4dc3197f913f8dc8455ed15489b0d5100f3e6d39781783acd78b52db43f40b9599ad4ee879806ed066ea593c582f06eeb98461d6817962220668ab |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 145cec05d8d704ff7aa3d812b1aff628 |
| SHA1 | 097ae09965ed3804359803708b8af87b5b90fcbb |
| SHA256 | 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea |
| SHA512 | 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d |
memory/2996-19-0x0000000000920000-0x00000000009A2000-memory.dmp
memory/2996-20-0x0000000000920000-0x00000000009A2000-memory.dmp