Analysis Overview
SHA256
7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1
Threat Level: Known bad
The file 7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 14:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 14:47
Reported
2024-10-09 14:49
Platform
win7-20240729-en
Max time kernel
92s
Max time network
70s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe
"C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe"
C:\Users\Admin\AppData\Local\Temp\shoste.exe
"C:\Users\Admin\AppData\Local\Temp\shoste.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 218.54.28.139:11120 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 1e0fda6d58274dbbd94c1ad912d3d7bb |
| SHA1 | ca4ad6544c472c7af4974575d9932f3fe2dca9cb |
| SHA256 | 3d6c75cc51dc2a973048a92de79c3f1fc67932e35bd851d7388e3c41e73fed3f |
| SHA512 | c6c2802e3fe336f73ec0467954274c3a2a2d821cdb88cede22a00551d5271b6b0279604d7b54bee14843e4a70ac9986d2d5d7db2d72a8ab09183ab0948df8482 |
memory/376-18-0x0000000000090000-0x00000000000C5000-memory.dmp
memory/2304-10-0x00000000011D0000-0x0000000001205000-memory.dmp
memory/376-9-0x0000000001DF0000-0x0000000001E25000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\shoste.exe
| MD5 | b4658af7d8b2585e4a39d3db56e52ac5 |
| SHA1 | a59a677d9bca91998602d0901b142154fae23a0c |
| SHA256 | d8c1865f2884302c0e798e9229af87502c4fab91335b4a3c7030523e33191a8a |
| SHA512 | 887b6d04b8401296732295a49569409f68196be00001d2330fb9d7e4db035fc915f82f5e008483e21282329a61e97b44f17121af8848332b99a8cd284a408680 |
memory/376-0-0x0000000000090000-0x00000000000C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f51c1462254f3bb8aa00201af0b0a030 |
| SHA1 | 60d3c892bb5c4f654c318451012f936d81164418 |
| SHA256 | 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5 |
| SHA512 | 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0 |
memory/2304-21-0x00000000011D0000-0x0000000001205000-memory.dmp
memory/2304-28-0x00000000011D0000-0x0000000001205000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 14:47
Reported
2024-10-09 14:49
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
98s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe
"C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe"
C:\Users\Admin\AppData\Local\Temp\shoste.exe
"C:\Users\Admin\AppData\Local\Temp\shoste.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.28.139:11120 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/2276-0-0x0000000000150000-0x0000000000185000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\shoste.exe
| MD5 | 2a9769c7c150e3e4ab9748dd238b3bf0 |
| SHA1 | a6fece983c57543eb0a3cfe90415abb01250da76 |
| SHA256 | 979b56288a54b1b9f46d078af5bda33aed53142971de851b39b09b721b454fb9 |
| SHA512 | bca90b56c956fd4093ea65ea320a35bb3fb3f812767641c1dd3ebeb74ef073e7ee365d0199ee8b811a57f0192602e51760b3620814d48a00b97be2def6fc9486 |
memory/3332-10-0x0000000000340000-0x0000000000375000-memory.dmp
memory/2276-14-0x0000000000150000-0x0000000000185000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 1e0fda6d58274dbbd94c1ad912d3d7bb |
| SHA1 | ca4ad6544c472c7af4974575d9932f3fe2dca9cb |
| SHA256 | 3d6c75cc51dc2a973048a92de79c3f1fc67932e35bd851d7388e3c41e73fed3f |
| SHA512 | c6c2802e3fe336f73ec0467954274c3a2a2d821cdb88cede22a00551d5271b6b0279604d7b54bee14843e4a70ac9986d2d5d7db2d72a8ab09183ab0948df8482 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f51c1462254f3bb8aa00201af0b0a030 |
| SHA1 | 60d3c892bb5c4f654c318451012f936d81164418 |
| SHA256 | 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5 |
| SHA512 | 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0 |
memory/3332-17-0x0000000000340000-0x0000000000375000-memory.dmp
memory/3332-23-0x0000000000340000-0x0000000000375000-memory.dmp