Analysis Overview
SHA256
01f890783b8750e10b5c62cc087e5fbeb7b924bca6ecb2e522351831a919bcc1
Threat Level: Known bad
The file 68d69faf6220c50a95de6b54815474f0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 07:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 07:07
Reported
2024-07-28 07:10
Platform
win7-20240704-en
Max time kernel
69s
Max time network
74s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe
"C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe"
C:\Users\Admin\AppData\Local\Temp\poldge.exe
"C:\Users\Admin\AppData\Local\Temp\poldge.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 121.88.5.183:11150 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 218.54.28.240:11150 | | tcp |
Files
memory/1624-0-0x0000000000400000-0x000000000043B000-memory.dmp
\Users\Admin\AppData\Local\Temp\poldge.exe
| MD5 | 3083e7bd8495296f665b4764a22f4df6 |
| SHA1 | 3c3d49e1090e3cf53c5cd4c181c318a08092c139 |
| SHA256 | 09eced2ce52e1af674c0a8637a5f9924050fc22e77da83b229bae5df9bbdb715 |
| SHA512 | 3fc96c81d4d5f9b2182f72ecd5b244e3268fbdb4ec9076c7ddaf2c04abf3587e3ac6ec57eb75a359b10698cb19ed2cc31353ab276d102b04a86abb0f626741a2 |
memory/2440-9-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | dff8e39ed48c596107b0527450202ab2 |
| SHA1 | f5442f78bf9926ecfa56152e4ebbc1e1af041f8e |
| SHA256 | 174bac57d3f72e76634e3babdc911b9742e05fb62810425075aef9e0944d1768 |
| SHA512 | dd9d73e9a020dbd3b081a6665078a1e68e68e5d1041c52a51ce1f326f0b9e0694a488d11c91554cad4861e008c16d9a8a6ad6f961af5788729572f0078f05b09 |
memory/1624-18-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 3f372385bf24b44385f4b1251d3aca4d |
| SHA1 | 83546de6ba8f20bd08a15896d34f6242ed64352f |
| SHA256 | b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27 |
| SHA512 | d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7 |
memory/2440-21-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2440-27-0x0000000000400000-0x000000000043B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-28 07:07
Reported
2024-07-28 07:09
Platform
win10v2004-20240709-en
Max time kernel
103s
Max time network
108s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1224 wrote to memory of 828 | N/A | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | C:\Users\Admin\AppData\Local\Temp\poldge.exe |
| PID 1224 wrote to memory of 828 | N/A | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | C:\Users\Admin\AppData\Local\Temp\poldge.exe |
| PID 1224 wrote to memory of 828 | N/A | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | C:\Users\Admin\AppData\Local\Temp\poldge.exe |
| PID 1224 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1224 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1224 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe
"C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe"
C:\Users\Admin\AppData\Local\Temp\poldge.exe
"C:\Users\Admin\AppData\Local\Temp\poldge.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| KR | 121.88.5.183:11150 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| KR | 218.54.28.240:11150 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
memory/1224-0-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\poldge.exe
| MD5 | 4bdde19067b5e16fa93dca96bdb7b84e |
| SHA1 | f3d9aaa8246a6d3347b5b53d7ef1c48be136540c |
| SHA256 | 8c5bb96551cd756a6e8fbcd0d1f46ac1816b6d571f8dc73472063f686f95be7a |
| SHA512 | c3f009d3f5d1bdf42e3be580ee6e23a6d9fcc1f0722df17814a58e4e4f4e7714f3ceca9fa196eeb656434dbe4fcca89dd6f05de29e86a766e7b573acb5a205a2 |
memory/828-11-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1224-14-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | dff8e39ed48c596107b0527450202ab2 |
| SHA1 | f5442f78bf9926ecfa56152e4ebbc1e1af041f8e |
| SHA256 | 174bac57d3f72e76634e3babdc911b9742e05fb62810425075aef9e0944d1768 |
| SHA512 | dd9d73e9a020dbd3b081a6665078a1e68e68e5d1041c52a51ce1f326f0b9e0694a488d11c91554cad4861e008c16d9a8a6ad6f961af5788729572f0078f05b09 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 3f372385bf24b44385f4b1251d3aca4d |
| SHA1 | 83546de6ba8f20bd08a15896d34f6242ed64352f |
| SHA256 | b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27 |
| SHA512 | d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7 |
memory/828-17-0x0000000000400000-0x000000000043B000-memory.dmp
memory/828-23-0x0000000000400000-0x000000000043B000-memory.dmp