Analysis Overview
SHA256
f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4
Threat Level: Known bad
The file f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4 was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 05:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 05:00
Reported
2024-10-13 05:03
Platform
win7-20240903-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe
"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"
C:\Users\Admin\AppData\Local\Temp\shoste.exe
"C:\Users\Admin\AppData\Local\Temp\shoste.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 218.54.28.139:11120 | | tcp |
Files
memory/2368-0-0x0000000000C50000-0x0000000000C85000-memory.dmp
memory/2172-17-0x0000000000A70000-0x0000000000AA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\shoste.exe
| Hash | Value |
| --- | --- |
| MD5 | 300e716526b35e808f575f6a1199ec8d |
| SHA1 | 5ba46e97a4743dd3f1cbbbd8c7b12a21c6f9521f |
| SHA256 | 557af369b39c7c5c5c1e169621f5f1711809a9864291fad444fe62e3561bdb2d |
| SHA512 | 681b061300588898265be270b1e7c2f5f46698ecface80957736812ca30879c879d3f26454c495e0e41d5d89def40a6982eea0c444143190bd5ee1adab802c51 |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
| --- | --- |
| MD5 | dfc1868e4957bc76c07d22931e2f6779 |
| SHA1 | aea3ca1d9c4c7ed739fc04c5a48cbfbe792f3d2f |
| SHA256 | e52e9012393c4b6cf20707de354cf9e744633a32cc3a625c6aaf9bad8b0f2d2e |
| SHA512 | ad511d7f3af93f5f649adc46cb62a0db5d53376a17f5936ad7f64832acd369f3a1ba06e0c36fdb8ee2f922ab38157640583bac1fcc67b113f9f24564cf614700 |
memory/2368-19-0x0000000000C50000-0x0000000000C85000-memory.dmp
memory/2368-16-0x0000000000A70000-0x0000000000AA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | f51c1462254f3bb8aa00201af0b0a030 |
| SHA1 | 60d3c892bb5c4f654c318451012f936d81164418 |
| SHA256 | 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5 |
| SHA512 | 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0 |
memory/2172-22-0x0000000000A70000-0x0000000000AA5000-memory.dmp
memory/2172-30-0x0000000000A70000-0x0000000000AA5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 05:00
Reported
2024-10-13 05:03
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe
"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"
C:\Users\Admin\AppData\Local\Temp\shoste.exe
"C:\Users\Admin\AppData\Local\Temp\shoste.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.28.139:11120 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/2840-0-0x0000000000630000-0x0000000000665000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\shoste.exe
| Hash | Value |
| --- | --- |
| MD5 | d3c5a1898457111ce02cb45bae365736 |
| SHA1 | ac9dea019974970a7f2c2addb78d5aacf78e9fb1 |
| SHA256 | 6c7a12fb58d76f5f05e2ecb089348d6303b656a29b16a195564e45503c60eb61 |
| SHA512 | 2bfc10ce024ab33dab84bebbade99f7c2b62894e43dae03ab8dc37003bffc84f8c7a10e83ce09aff8a62e55159bd1c710c167fa3ada826a4a568b63fe55562c1 |
memory/5100-10-0x0000000000FD0000-0x0000000001005000-memory.dmp
memory/2840-14-0x0000000000630000-0x0000000000665000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
| --- | --- |
| MD5 | dfc1868e4957bc76c07d22931e2f6779 |
| SHA1 | aea3ca1d9c4c7ed739fc04c5a48cbfbe792f3d2f |
| SHA256 | e52e9012393c4b6cf20707de354cf9e744633a32cc3a625c6aaf9bad8b0f2d2e |
| SHA512 | ad511d7f3af93f5f649adc46cb62a0db5d53376a17f5936ad7f64832acd369f3a1ba06e0c36fdb8ee2f922ab38157640583bac1fcc67b113f9f24564cf614700 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | f51c1462254f3bb8aa00201af0b0a030 |
| SHA1 | 60d3c892bb5c4f654c318451012f936d81164418 |
| SHA256 | 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5 |
| SHA512 | 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0 |
memory/5100-17-0x0000000000FD0000-0x0000000001005000-memory.dmp
memory/5100-23-0x0000000000FD0000-0x0000000001005000-memory.dmp