Analysis Overview
SHA256
dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb
Threat Level: Known bad
The file dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 04:10
Signatures
Urelas family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 04:10
Reported
2024-10-13 04:13
Platform
win7-20240708-en
Max time kernel
47s
Max time network
35s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe
"C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 211.57.201.131:11120 | | tcp |
| KR | 211.57.201.131:11170 | | tcp |
Files
memory/2320-0-0x00000000001A0000-0x00000000001D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| Hash | Value |
| MD5 | 3f66c6488339da24a021ee8176f4e93c |
| SHA1 | f2f2259096ece9a1fe98236de0adaf860b4a05b2 |
| SHA256 | 68def003fd053249172741cd89442918742fca942413cd2e3c44244e27c4eb58 |
| SHA512 | b55f9b074d5c3e21842fe042d0c0a094397e3069f0e8857a5ad88744497777762525191c1bd9d67764391d08eb61e8ccbe1136d165f7e1a4ae2fea67adf5b929 |
memory/1252-10-0x0000000000C70000-0x0000000000CA1000-memory.dmp
memory/2320-8-0x0000000000330000-0x0000000000361000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
| MD5 | d9c0ee26da8874510070fc31216de2a2 |
| SHA1 | 277e534411b942e513a8490cafb5c60f00fa39b5 |
| SHA256 | 79f20d1ace4736925edbd44055fea1d449e475e252e66231edbb5e83cfc7036e |
| SHA512 | 38f23d9230f4324c4ac40a879abb3571677583bf1ef872d05a388fe34e8fbbaaa3f14c99c206df46d02a91cdbdbe2f94f8d8ff91e350624d6049e7e881ce7807 |
memory/2320-19-0x00000000001A0000-0x00000000001D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| MD5 | 55d2fdd1432483e3ba86ebeccfe130b6 |
| SHA1 | 7280b14d708800fd15303b2caa8628a0fbd7aa08 |
| SHA256 | 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb |
| SHA512 | 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3 |
memory/1252-22-0x0000000000C70000-0x0000000000CA1000-memory.dmp
memory/1252-24-0x0000000000C70000-0x0000000000CA1000-memory.dmp
memory/1252-27-0x0000000000C70000-0x0000000000CA1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 04:10
Reported
2024-10-13 04:13
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe
"C:\Users\Admin\AppData\Local\Temp\dd971f966366e6185b67eaebeecedca3dc45c2e617db13ac934f7e91b6af00eb.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| KR | 211.57.201.131:11120 | | tcp |
| KR | 211.57.201.131:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/3356-0-0x0000000000EA0000-0x0000000000ED1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| Hash | Value |
| MD5 | 8ebd5f4b7a527597e23dc642d7e67c5a |
| SHA1 | 973cba0eea8c1f927774ed3561af13a66cb00fa9 |
| SHA256 | 805ed92fba70811b0aa8ee9d78cb05a36147e66e4f4e46d6de8b7906fb7cd3ac |
| SHA512 | aabd532bd9ab1f2d3cc7fd820733b7e6f2dcf30c8dfb4d04e8e1c71d4c076c60cc0517eba37c82d6db173971bcb4ade662452264b025d6bcd8312743631a60fe |
memory/4612-13-0x0000000000C60000-0x0000000000C91000-memory.dmp
memory/3356-18-0x0000000000EA0000-0x0000000000ED1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
| MD5 | d9c0ee26da8874510070fc31216de2a2 |
| SHA1 | 277e534411b942e513a8490cafb5c60f00fa39b5 |
| SHA256 | 79f20d1ace4736925edbd44055fea1d449e475e252e66231edbb5e83cfc7036e |
| SHA512 | 38f23d9230f4324c4ac40a879abb3571677583bf1ef872d05a388fe34e8fbbaaa3f14c99c206df46d02a91cdbdbe2f94f8d8ff91e350624d6049e7e881ce7807 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| MD5 | 55d2fdd1432483e3ba86ebeccfe130b6 |
| SHA1 | 7280b14d708800fd15303b2caa8628a0fbd7aa08 |
| SHA256 | 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb |
| SHA512 | 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3 |
memory/4612-21-0x0000000000C60000-0x0000000000C91000-memory.dmp
memory/4612-23-0x0000000000C60000-0x0000000000C91000-memory.dmp
memory/4612-25-0x0000000000C60000-0x0000000000C91000-memory.dmp