Analysis Overview
SHA256
554d184034b79d48995612b49131724bbadbddef3ebc7109aaa92a053dc5fa53
Threat Level: Known bad
The file 44c9bd93e92e7fefccea46323b3a3dd0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Executes dropped EXE
Deletes itself
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 19:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 19:06
Reported
2024-07-26 19:09
Platform
win10v2004-20240709-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4620 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4620 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4620 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4620 wrote to memory of 4752 | N/A | C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4620 wrote to memory of 4752 | N/A | C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4620 wrote to memory of 4752 | N/A | C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe
"C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4620-0-0x00000000007F0000-0x0000000000818000-memory.dmp
memory/4620-1-0x0000000000B80000-0x0000000000B82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 91b3c72be0951c4d037ea66243d401e7 |
| SHA1 | fb07dcf7bf769575520f8f22d0a2d8d952504be6 |
| SHA256 | 9e15fac5d9a779cae065ef72a1ce29ac6f668732a2c4a93b762a67f4314c45c9 |
| SHA512 | 4960ed3142773ddcfa5aa37218fd34009dbfb1f59b514b3658216e29527fe4dcdf10f871c291b822f3f078c569473db979ace57908b940fda7871726712c7f53 |
memory/3660-17-0x0000000000A20000-0x0000000000A22000-memory.dmp
memory/3660-16-0x0000000000CC0000-0x0000000000CE8000-memory.dmp
memory/4620-19-0x00000000007F0000-0x0000000000818000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | bd5a3a3e212c7f7067b6571206fcec22 |
| SHA1 | 87362202e8eed65d3dc43375e7b1a7eef11dd138 |
| SHA256 | 1652c2c9de37f08ac0713a49a1adc4ed77436f9f22c5f0205301de98dbbced35 |
| SHA512 | 42e6f022ac8d476359fef93fd6c2fc5b3e68fc177b72c5d156d067781cf2f06c423e9a3bbce619eaa0b88b3a6c818558ef2ab2ad3c7d3b298155caf060d88b98 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7c1d9e0f564b1e893792dcef5f902a27 |
| SHA1 | f8ff96c98d41f1ce0a31d78f56796284c5e47e3d |
| SHA256 | c0b7315aed511cab0685b0bbbcfa2cb7f3e9c36e58f6d7f1576fad807800add7 |
| SHA512 | ef6a5eccec808909c7317359908b6cb46e8e074aff903114988b00a237180606257545bd36e5cea9521b13ba19923cd768a3d701f7fdf391a4bd41cdec606fba |
memory/3660-22-0x0000000000CC0000-0x0000000000CE8000-memory.dmp
memory/3660-24-0x0000000000A20000-0x0000000000A22000-memory.dmp
memory/3660-25-0x0000000000CC0000-0x0000000000CE8000-memory.dmp
memory/3660-31-0x0000000000CC0000-0x0000000000CE8000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 19:06
Reported
2024-07-26 19:09
Platform
win7-20240708-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe
"C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/2996-0-0x0000000000E00000-0x0000000000E28000-memory.dmp
memory/2996-1-0x0000000000020000-0x0000000000022000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 32ebc69ac1d8ef61ac2b8cdbf7036421 |
| SHA1 | 34595f5d012b44a5d66b6006fbc19b33f1b01c23 |
| SHA256 | 55dddc487d1674623c196b667bbd3d99b543da11c1121f98890b0915c598ba55 |
| SHA512 | e7e89509bba17fe64d589ddc4710c895460574a974f6ab4c3b7419c76986afc983a8dae7ce35d69ae741ccc7d243345c0fdb95e8dd96f5126653c4e0421e3fb3 |
memory/2996-7-0x0000000000500000-0x0000000000528000-memory.dmp
memory/2808-12-0x0000000000020000-0x0000000000022000-memory.dmp
memory/2808-11-0x0000000000A30000-0x0000000000A58000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | bd5a3a3e212c7f7067b6571206fcec22 |
| SHA1 | 87362202e8eed65d3dc43375e7b1a7eef11dd138 |
| SHA256 | 1652c2c9de37f08ac0713a49a1adc4ed77436f9f22c5f0205301de98dbbced35 |
| SHA512 | 42e6f022ac8d476359fef93fd6c2fc5b3e68fc177b72c5d156d067781cf2f06c423e9a3bbce619eaa0b88b3a6c818558ef2ab2ad3c7d3b298155caf060d88b98 |
memory/2996-21-0x0000000000E00000-0x0000000000E28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7c1d9e0f564b1e893792dcef5f902a27 |
| SHA1 | f8ff96c98d41f1ce0a31d78f56796284c5e47e3d |
| SHA256 | c0b7315aed511cab0685b0bbbcfa2cb7f3e9c36e58f6d7f1576fad807800add7 |
| SHA512 | ef6a5eccec808909c7317359908b6cb46e8e074aff903114988b00a237180606257545bd36e5cea9521b13ba19923cd768a3d701f7fdf391a4bd41cdec606fba |
memory/2808-24-0x0000000000A30000-0x0000000000A58000-memory.dmp
memory/2808-26-0x0000000000A30000-0x0000000000A58000-memory.dmp
memory/2808-33-0x0000000000A30000-0x0000000000A58000-memory.dmp