Analysis Overview
SHA256
9c05422800be0f885587377ea887fe550f2f7d43663e33159c3f2e361a7fa866
Threat Level: Known bad
The file 3be6c4b2317679ba8ade29058dc762c0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 18:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 18:01
Reported
2024-07-26 18:03
Platform
win7-20240705-en
Max time kernel
119s
Max time network
92s
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe
"C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/2864-0-0x0000000001330000-0x0000000001358000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | f0297e215391819fcb780e2834659f71 |
| SHA1 | e8ac081d85ce1fb9d4fd913db3f196716a1e4432 |
| SHA256 | 09ed2011f12faf4c217226b7691700682a78c44ac2fdc60495a28329430b99ab |
| SHA512 | 3e97749908f8340581df33a939fc0848d8aacf6f05840ffe82839c8722ab7c1ff63786d67174b02a5037de7466e381bbcbfd8e38430b904aa97b71815fef7ea6 |
memory/2864-9-0x00000000005C0000-0x00000000005E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 050997d3b3978bb95bdd70bf032bf9bb |
| SHA1 | 1db435b51cc35c8871fafbbc3a7d767ab4a6d03e |
| SHA256 | 1a3f968a6d5fa16c460cc6f1a6f9bba6f79b42c3af4cc4be055761712add4b26 |
| SHA512 | 508eedc4398f5b0c301439f2e7fcd529da60c75369898691ea73a49db999c5e02064e15e4bef752975d9f9578cce507a88c2b30134b7e9555191007a78ecc6be |
memory/2760-11-0x0000000000920000-0x0000000000948000-memory.dmp
memory/2864-18-0x0000000001330000-0x0000000001358000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a250860c0687ed9dda488805c025a2d2 |
| SHA1 | 0c181ed3b46463d35631ca169f0928c33a1da389 |
| SHA256 | 3947c34dfc780b424a3207c6ebe12f667bcb839733107f7a94fe495ec705cb37 |
| SHA512 | 0286fcd24203ef574c9fc37200e4b0e65d58296162aa89b5424ab48b814bd237e609ab7eaf42a69bdad2ab6414bfbbfaec4757e28b29c69752e0e65a653f665a |
memory/2760-21-0x0000000000920000-0x0000000000948000-memory.dmp
memory/2760-23-0x0000000000920000-0x0000000000948000-memory.dmp
memory/2760-30-0x0000000000920000-0x0000000000948000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 18:01
Reported
2024-07-26 18:04
Platform
win10v2004-20240709-en
Max time kernel
103s
Max time network
109s
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2300 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 2300 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 2300 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 2300 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2300 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2300 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe
"C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2300-0-0x00000000002F0000-0x0000000000318000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 90785e4edb0844867180bc02911f3b7f |
| SHA1 | fb372b8a7986e91df7850156267958f89bd39a72 |
| SHA256 | 008e97f01091ecedf6964214f9f12f932ecf37648d26c7027eea8e66ab15c2a0 |
| SHA512 | a02d6d1166784a915e7ecd5096afa28769e7838a9350c8da34921eb71e7dd06893b7326e0512192e4a264801a2b8e509faf23a10a5d26e93a99b1a363884c3ec |
memory/116-14-0x0000000000E60000-0x0000000000E88000-memory.dmp
memory/2300-17-0x00000000002F0000-0x0000000000318000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 050997d3b3978bb95bdd70bf032bf9bb |
| SHA1 | 1db435b51cc35c8871fafbbc3a7d767ab4a6d03e |
| SHA256 | 1a3f968a6d5fa16c460cc6f1a6f9bba6f79b42c3af4cc4be055761712add4b26 |
| SHA512 | 508eedc4398f5b0c301439f2e7fcd529da60c75369898691ea73a49db999c5e02064e15e4bef752975d9f9578cce507a88c2b30134b7e9555191007a78ecc6be |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a250860c0687ed9dda488805c025a2d2 |
| SHA1 | 0c181ed3b46463d35631ca169f0928c33a1da389 |
| SHA256 | 3947c34dfc780b424a3207c6ebe12f667bcb839733107f7a94fe495ec705cb37 |
| SHA512 | 0286fcd24203ef574c9fc37200e4b0e65d58296162aa89b5424ab48b814bd237e609ab7eaf42a69bdad2ab6414bfbbfaec4757e28b29c69752e0e65a653f665a |
memory/116-20-0x0000000000E60000-0x0000000000E88000-memory.dmp
memory/116-22-0x0000000000E60000-0x0000000000E88000-memory.dmp
memory/116-28-0x0000000000E60000-0x0000000000E88000-memory.dmp