Analysis Overview
SHA256
dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb
Threat Level: Known bad
The file dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 04:07
Signatures
Urelas family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 04:07
Reported
2024-10-13 04:09
Platform
win7-20240708-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe
"C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 211.57.201.131:11120 | | tcp |
| KR | 211.57.201.131:11170 | | tcp |
Files
memory/2292-0-0x00000000000B0000-0x00000000000E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 55d8917181c503e477e70b39dc94348c |
| SHA1 | 4919c8d3202ef28db3830008f90d096745f3d13c |
| SHA256 | 0431e03b60210ae7bb8ee9214bc97b3992c5de4a685ae3e725c947f470890293 |
| SHA512 | 74ccebdb3f33252e2c573f3698a360dbe2c019e0452460f7cb01d0a3a67297a26d8457e10dbf5f79f0867d62efe70355735ab7905b3f53c07c4262ff9f7fc13a |
memory/2292-6-0x00000000004A0000-0x00000000004D1000-memory.dmp
memory/336-10-0x0000000000C80000-0x0000000000CB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | d9c0ee26da8874510070fc31216de2a2 |
| SHA1 | 277e534411b942e513a8490cafb5c60f00fa39b5 |
| SHA256 | 79f20d1ace4736925edbd44055fea1d449e475e252e66231edbb5e83cfc7036e |
| SHA512 | 38f23d9230f4324c4ac40a879abb3571677583bf1ef872d05a388fe34e8fbbaaa3f14c99c206df46d02a91cdbdbe2f94f8d8ff91e350624d6049e7e881ce7807 |
memory/2292-19-0x00000000000B0000-0x00000000000E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 55d2fdd1432483e3ba86ebeccfe130b6 |
| SHA1 | 7280b14d708800fd15303b2caa8628a0fbd7aa08 |
| SHA256 | 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb |
| SHA512 | 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3 |
memory/336-22-0x0000000000C80000-0x0000000000CB1000-memory.dmp
memory/336-24-0x0000000000C80000-0x0000000000CB1000-memory.dmp
memory/336-27-0x0000000000C80000-0x0000000000CB1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 04:07
Reported
2024-10-13 04:09
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe
"C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 211.57.201.131:11120 | | tcp |
| KR | 211.57.201.131:11170 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2792-0-0x0000000000AB0000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | 0ea4c40ec0e7cb1bd27da9a194f22764 |
| SHA1 | 4d539544d286e975e3104eddd8602d3505486290 |
| SHA256 | fdc425e13022c6dfc5b83a491bf21e7603c669a317e24a26bd7eedb655235a0a |
| SHA512 | 5f2984f32f8793ee5427a3b20e18bd22107d09830abf202c1a10be0996dac60fe0028d700df92887cd4d26fdf5c9ab8216a6c98b84f31d58592ac482d659cfa1 |
memory/4288-12-0x0000000000930000-0x0000000000961000-memory.dmp
memory/2792-17-0x0000000000AB0000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | d9c0ee26da8874510070fc31216de2a2 |
| SHA1 | 277e534411b942e513a8490cafb5c60f00fa39b5 |
| SHA256 | 79f20d1ace4736925edbd44055fea1d449e475e252e66231edbb5e83cfc7036e |
| SHA512 | 38f23d9230f4324c4ac40a879abb3571677583bf1ef872d05a388fe34e8fbbaaa3f14c99c206df46d02a91cdbdbe2f94f8d8ff91e350624d6049e7e881ce7807 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 55d2fdd1432483e3ba86ebeccfe130b6 |
| SHA1 | 7280b14d708800fd15303b2caa8628a0fbd7aa08 |
| SHA256 | 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb |
| SHA512 | 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3 |
memory/4288-20-0x0000000000930000-0x0000000000961000-memory.dmp
memory/4288-22-0x0000000000930000-0x0000000000961000-memory.dmp
memory/4288-24-0x0000000000930000-0x0000000000961000-memory.dmp