Analysis Overview
SHA256
4fcf1ad0f4dbe5bc30c644767e49e3eeb459636963d22778f83cb346b8e05577
Threat Level: Known bad
The file 6914ce5eb27b92b5ce458c06eac964b0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Executes dropped EXE
Deletes itself
Checks computer location settings
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 23:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 23:20
Reported
2024-07-26 23:23
Platform
win7-20240705-en
Max time kernel
89s
Max time network
93s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe
"C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/2412-0-0x0000000001050000-0x0000000001077000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 00989879661bf8eed1d769b7f672f29f |
| SHA1 | d54ada255aafd9e1c92fb7205b79c248cf4d8d31 |
| SHA256 | 2175a4627de5fef0306944bf686f707068639f9a2593160340db6404202f7df7 |
| SHA512 | 2d0a5cb5dc8e6e42d3b159e95842a12b20caa27ff6123b606c991396172251c62542fe1fa62f7df337dced59766695163c66f9a8ede29891a09e8f8a47ac7c8c |
memory/2412-6-0x00000000004E0000-0x0000000000507000-memory.dmp
memory/2536-10-0x00000000001A0000-0x00000000001C7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 55cceab02cdd862011c08a2718d97bf0 |
| SHA1 | 52d86666f6684acab0bacafbf4c97cdc4e500019 |
| SHA256 | 184375989cfb2b460331312fad8f72037fc45e3c9d7df9738ed497114229808d |
| SHA512 | f330bcd3a607e4e1275dadea380e74e693f62e2da13b245e91eef54e851504df9260da555ab6f50bdf17d26ee6b28699f4d72c2c6bc264b44be38be92472e0bb |
memory/2412-19-0x0000000001050000-0x0000000001077000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1c9b2720af0ca9528b47898d9c7f4799 |
| SHA1 | 80495f16e333f54ecc700252323c2a7cb7d751e1 |
| SHA256 | d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5 |
| SHA512 | 5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac |
memory/2536-22-0x00000000001A0000-0x00000000001C7000-memory.dmp
memory/2536-24-0x00000000001A0000-0x00000000001C7000-memory.dmp
memory/2536-30-0x00000000001A0000-0x00000000001C7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 23:20
Reported
2024-07-26 23:23
Platform
win10v2004-20240709-en
Max time kernel
105s
Max time network
108s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 2532 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 2532 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 2532 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2532 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2532 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe
"C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2532-0-0x0000000000A30000-0x0000000000A57000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | e28336858b9393da2039bf3b375ffc7d |
| SHA1 | d34db99937b9906f09d61d35d19e91100307100e |
| SHA256 | c37513850fb763929806007d76d070b4670e46d961ca9f67949a8c9514603514 |
| SHA512 | a4f95346b70e1957e7a9c4e74e80e04a13bad93430e3bf7a50f80714fcb92e8cbfffc7956a7024e0cdcbd12c1530013a83dcaab8693244fcd2883517da8d6048 |
memory/4400-15-0x0000000000A30000-0x0000000000A57000-memory.dmp
memory/2532-18-0x0000000000A30000-0x0000000000A57000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 55cceab02cdd862011c08a2718d97bf0 |
| SHA1 | 52d86666f6684acab0bacafbf4c97cdc4e500019 |
| SHA256 | 184375989cfb2b460331312fad8f72037fc45e3c9d7df9738ed497114229808d |
| SHA512 | f330bcd3a607e4e1275dadea380e74e693f62e2da13b245e91eef54e851504df9260da555ab6f50bdf17d26ee6b28699f4d72c2c6bc264b44be38be92472e0bb |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1c9b2720af0ca9528b47898d9c7f4799 |
| SHA1 | 80495f16e333f54ecc700252323c2a7cb7d751e1 |
| SHA256 | d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5 |
| SHA512 | 5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac |
memory/4400-21-0x0000000000A30000-0x0000000000A57000-memory.dmp
memory/4400-23-0x0000000000A30000-0x0000000000A57000-memory.dmp
memory/4400-29-0x0000000000A30000-0x0000000000A57000-memory.dmp