Analysis Overview
SHA256
16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8
Threat Level: Known bad
The file 16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8 was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-08 18:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-08 18:54
Reported
2024-08-08 18:57
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Urelas
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe
"C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe"
C:\Users\Admin\AppData\Local\Temp\poldge.exe
"C:\Users\Admin\AppData\Local\Temp\poldge.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 121.88.5.183:11150 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 218.54.28.240:11150 | | tcp |
Files
memory/2332-0-0x0000000000400000-0x000000000043B000-memory.dmp
\Users\Admin\AppData\Local\Temp\poldge.exe
| Hash | Value |
|---|---|
| MD5 | b4814c520cfe09595459d2699e7715b1 |
| SHA1 | 4064d399a08b85d9f1ba15126e2784f820c70f44 |
| SHA256 | af228849c82312dc85bcbf904856bec02612fa001a702ecacd7e222df15e2a06 |
| SHA512 | 36a9a6879472b197e3e287315f760a82b3235254aa37c397373a7b831290042ad199d58a8830f32373f9d8d764e77f430490dd9b09b402c8f8ef04ecf2372dc0 |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
|---|---|
| MD5 | e0349b3455e3920f262d18fe0449e543 |
| SHA1 | 28389c9f4493413b0e1457e3735abe5aef8b6352 |
| SHA256 | 0cbed31d62e6982021e58433f3dc8b50851d141dc4c513a7ede40d7b3d5b8df8 |
| SHA512 | 49d00244155764f7c645fabf40f471afe24d77c4f26bf88e9b92863f7715f5ee9b7271b2940d87f1e07246d9186cc0f279f1704ef9f0abd88ca23147a8f43b70 |
memory/1928-17-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2332-16-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 3f372385bf24b44385f4b1251d3aca4d |
| SHA1 | 83546de6ba8f20bd08a15896d34f6242ed64352f |
| SHA256 | b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27 |
| SHA512 | d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7 |
memory/1928-20-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1928-26-0x0000000000400000-0x000000000043B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-08 18:54
Reported
2024-08-08 18:57
Platform
win10v2004-20240802-en
Max time kernel
131s
Max time network
133s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe
"C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe"
C:\Users\Admin\AppData\Local\Temp\poldge.exe
"C:\Users\Admin\AppData\Local\Temp\poldge.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 121.88.5.183:11150 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| KR | 218.54.28.240:11150 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/3448-0-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\poldge.exe
| Hash | Value |
|---|---|
| MD5 | ba7c3a46bf011cb1b0f5417961ac5cde |
| SHA1 | 73687acfdd009833470111a49bbf22bdc5c4bcce |
| SHA256 | 7986d37e5126d94b0e84529c528a7418a04dee1c42ab20023f7a1883bf5a68bb |
| SHA512 | 6464b67ef66ea0f4bb871ddec1ff1d25cdcf6a1de42622b8c6e72cd2cd3bf0f6ac4eb434346adb0f2a48c03606edb34253c682006a4f844b03c02d52d690fb65 |
memory/5072-12-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3448-15-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
|---|---|
| MD5 | e0349b3455e3920f262d18fe0449e543 |
| SHA1 | 28389c9f4493413b0e1457e3735abe5aef8b6352 |
| SHA256 | 0cbed31d62e6982021e58433f3dc8b50851d141dc4c513a7ede40d7b3d5b8df8 |
| SHA512 | 49d00244155764f7c645fabf40f471afe24d77c4f26bf88e9b92863f7715f5ee9b7271b2940d87f1e07246d9186cc0f279f1704ef9f0abd88ca23147a8f43b70 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 3f372385bf24b44385f4b1251d3aca4d |
| SHA1 | 83546de6ba8f20bd08a15896d34f6242ed64352f |
| SHA256 | b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27 |
| SHA512 | d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7 |
memory/5072-18-0x0000000000400000-0x000000000043B000-memory.dmp
memory/5072-24-0x0000000000400000-0x000000000043B000-memory.dmp