Analysis Overview
SHA256
f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4
Threat Level: Known bad
The file f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4 was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Deletes itself
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 05:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 05:09
Reported
2024-10-13 05:11
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe
"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"
C:\Users\Admin\AppData\Local\Temp\shoste.exe
"C:\Users\Admin\AppData\Local\Temp\shoste.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 218.54.28.139:11120 | | tcp |
Files
memory/1704-0-0x0000000000C40000-0x0000000000C75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | dfc1868e4957bc76c07d22931e2f6779 |
| SHA1 | aea3ca1d9c4c7ed739fc04c5a48cbfbe792f3d2f |
| SHA256 | e52e9012393c4b6cf20707de354cf9e744633a32cc3a625c6aaf9bad8b0f2d2e |
| SHA512 | ad511d7f3af93f5f649adc46cb62a0db5d53376a17f5936ad7f64832acd369f3a1ba06e0c36fdb8ee2f922ab38157640583bac1fcc67b113f9f24564cf614700 |
memory/1264-17-0x00000000013D0000-0x0000000001405000-memory.dmp
memory/1704-16-0x0000000000B00000-0x0000000000B35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\shoste.exe
| MD5 | bd8302f65ba0d9afa69d07f30cb295ab |
| SHA1 | 4b0cb42ac547e1711760e9b77d74f072babd4812 |
| SHA256 | 03b9b97a67531507aaa6ccb2b6cbcb61418f9013913b95fe667625162784941b |
| SHA512 | 199e29f5b6ae16c9fcae2d20693afb653ad33ceb8a05e609fd807a1d86e79b282b3cd469883a166df1b0f41299553fc612474b819843a857fdf4441496a2121f |
memory/1704-19-0x0000000000C40000-0x0000000000C75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f51c1462254f3bb8aa00201af0b0a030 |
| SHA1 | 60d3c892bb5c4f654c318451012f936d81164418 |
| SHA256 | 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5 |
| SHA512 | 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0 |
memory/1264-22-0x00000000013D0000-0x0000000001405000-memory.dmp
memory/1264-30-0x00000000013D0000-0x0000000001405000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 05:09
Reported
2024-10-13 05:11
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe
"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"
C:\Users\Admin\AppData\Local\Temp\shoste.exe
"C:\Users\Admin\AppData\Local\Temp\shoste.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| KR | 218.54.28.139:11120 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/1404-0-0x0000000000470000-0x00000000004A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\shoste.exe
| MD5 | e99e64807bb42a5b821e979087c625d9 |
| SHA1 | ce065d4eec7077a42a2749a14c754693cae900e7 |
| SHA256 | 149cc9e41d5d401040901ae982cc34da5afa39fcbc043daf67b3444b19e79b39 |
| SHA512 | f17c116864fed5a3a26387ffdbca1bf64ab868bb908f2abdb383bdbf065cddb65200f8f37f05d6c654d6ffe85369f5bf121412e17f2cd5d8fdc2c2c1c1ea787f |
memory/1788-12-0x0000000000910000-0x0000000000945000-memory.dmp
memory/1404-15-0x0000000000470000-0x00000000004A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | dfc1868e4957bc76c07d22931e2f6779 |
| SHA1 | aea3ca1d9c4c7ed739fc04c5a48cbfbe792f3d2f |
| SHA256 | e52e9012393c4b6cf20707de354cf9e744633a32cc3a625c6aaf9bad8b0f2d2e |
| SHA512 | ad511d7f3af93f5f649adc46cb62a0db5d53376a17f5936ad7f64832acd369f3a1ba06e0c36fdb8ee2f922ab38157640583bac1fcc67b113f9f24564cf614700 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f51c1462254f3bb8aa00201af0b0a030 |
| SHA1 | 60d3c892bb5c4f654c318451012f936d81164418 |
| SHA256 | 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5 |
| SHA512 | 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0 |
memory/1788-18-0x0000000000910000-0x0000000000945000-memory.dmp
memory/1788-24-0x0000000000910000-0x0000000000945000-memory.dmp