Analysis Overview
SHA256
3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d
Threat Level: Known bad
The file 3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Executes dropped EXE
Deletes itself
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 20:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 20:44
Reported
2024-07-26 20:47
Platform
win7-20240704-en
Max time kernel
91s
Max time network
96s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe
"C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/2860-0-0x0000000000130000-0x0000000000155000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 438028d040bcf9ef5e90df0abb1af5b2 |
| SHA1 | 87c967f65a922de4a960e31992bd5484b03ba0d4 |
| SHA256 | e091a36526d6f0f9bd7f66675d366ecf2983fb84614b673bf402d2e6f37be370 |
| SHA512 | 740f986b7da06420856b12c8cf91586367cc1e38b01420a2ab6b7563cd7ad18d3876146cda1266c1ad923460293e4fbe6997dd90dc51a1c8168b2fa9dc9f00fc |
memory/2784-10-0x0000000000C50000-0x0000000000C75000-memory.dmp
memory/2860-9-0x0000000000200000-0x0000000000225000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | b2f167d976fbab4ebcad72be5625f596 |
| SHA1 | 0a79af93d0857c93a01cfd402228775c49949abb |
| SHA256 | a9465f51a25bf51cb3447e223c87bcc83f651554147eecc3f2436af2b2244c4c |
| SHA512 | f62fa12998f5c82f99068b9d9e82977fa35a02ccdd4bfdc7c97015b2e5ccc63a3294f9eec1b8c7a74908d3451750d157c5a8c0631c0ffc5e0cccff358125dee6 |
memory/2860-19-0x0000000000130000-0x0000000000155000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 657ce9e5dd337971e44dfb9cb3fbf7dd |
| SHA1 | 026734083afaa4b7d298781b26a72ac9b67ac831 |
| SHA256 | 3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472 |
| SHA512 | 79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d |
memory/2784-22-0x0000000000C50000-0x0000000000C75000-memory.dmp
memory/2784-24-0x0000000000C50000-0x0000000000C75000-memory.dmp
memory/2784-31-0x0000000000C50000-0x0000000000C75000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 20:44
Reported
2024-07-26 20:47
Platform
win10v2004-20240709-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe
"C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.253.116.51.in-addr.arpa | udp |
Files
memory/1028-0-0x0000000000290000-0x00000000002B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | bb4b322fee271a5a631167637e39aa3d |
| SHA1 | b576d43438a586af45bda3fd1714244b0157e040 |
| SHA256 | abc847b9f97d6702fc3872445ed1ae61b51e48308104f7aff8e52c9d1e5e8416 |
| SHA512 | 62778cc497600e8e8415cd3a66ec1122dd036fde603b19fefe0a4ee3d951a9cf3ee1b85b97e5ac7c3f3a41062d11ff5ef1c2d6856ef53dfd71403d6ff9d83c7b |
memory/4664-14-0x0000000000010000-0x0000000000035000-memory.dmp
memory/1028-17-0x0000000000290000-0x00000000002B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | b2f167d976fbab4ebcad72be5625f596 |
| SHA1 | 0a79af93d0857c93a01cfd402228775c49949abb |
| SHA256 | a9465f51a25bf51cb3447e223c87bcc83f651554147eecc3f2436af2b2244c4c |
| SHA512 | f62fa12998f5c82f99068b9d9e82977fa35a02ccdd4bfdc7c97015b2e5ccc63a3294f9eec1b8c7a74908d3451750d157c5a8c0631c0ffc5e0cccff358125dee6 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 657ce9e5dd337971e44dfb9cb3fbf7dd |
| SHA1 | 026734083afaa4b7d298781b26a72ac9b67ac831 |
| SHA256 | 3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472 |
| SHA512 | 79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d |
memory/4664-20-0x0000000000010000-0x0000000000035000-memory.dmp
memory/4664-22-0x0000000000010000-0x0000000000035000-memory.dmp
memory/4664-28-0x0000000000010000-0x0000000000035000-memory.dmp
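Turning the two detonations above into detection logic, as an added example (not part of the sandbox report or of any sandbox product). It encodes what both runs share: a Temp-resident sample that executes a dropped Temp-resident biudfw.exe, a cmd.exe launched on %TEMP%\sanfdr.bat (the process the report credits with "Deletes itself"), and outbound TCP to 218.54.47.74/.76/.77 on ports 11120, 11150 and 11170. Two judgments derived from the page are baked in: the SHA256 of biudfw.exe is not used as an indicator because the win7 and win10 runs dropped different hashes for it, while sanfdr.bat and golfinfo.ini hashed identically in both; and the 8.8.8.8 reverse lookups and tse1.mm.bing.net connections are ignored because they appear only in the win10 run. The Sysmon-like JSON event shape, the field names, the parent/child links and the sample lines are constructed assumptions, as is the /24 generalisation of the C2 hosts.

```python
"""Triage helper built from the Urelas sandbox report (added example, not the report's own tooling).

Assumed input: JSON lines with EventType in {ProcessCreate, NetworkConnect, FileCreate}
and Sysmon-style field names. Everything marked 'assumption' below is not from the report.
"""
import ipaddress
import json
import re

# Exact C2 endpoints listed under "Network" in both behavioral runs.
C2_ENDPOINTS = {
    ("218.54.47.76", 11120),
    ("218.54.47.74", 11150),
    ("218.54.47.76", 11170),
    ("218.54.47.77", 11150),
}
C2_NET = ipaddress.ip_network("218.54.47.0/24")  # assumption: same /24 = lower-confidence hit
C2_PORTS = {p for _, p in C2_ENDPOINTS}

# SHA256 values identical in both detonations. biudfw.exe is deliberately absent:
# the report shows a different hash for it on win7 and on win10.
STABLE_SHA256 = {
    "a9465f51a25bf51cb3447e223c87bcc83f651554147eecc3f2436af2b2244c4c": "sanfdr.bat",
    "3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472": "golfinfo.ini",
}
DROPPED_NAMES = ("biudfw.exe", "sanfdr.bat", "golfinfo.ini")

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Matches the report's odd quoting: cmd /c ""C:\...\sanfdr.bat" "
BAT_RE = re.compile(r'/c\s+"*([^"]+\.bat)"', re.IGNORECASE)


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.search(path))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Temp-resident parent running a Temp-resident EXE, or cmd.exe on a Temp .bat."""
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    if not in_temp(parent):
        return []
    if basename(image) == "cmd.exe":
        m = BAT_RE.search(ev.get("CommandLine", ""))
        if m and in_temp(m.group(1)):
            return [f"high: Temp-resident {basename(parent)} ran cmd.exe on Temp batch {basename(m.group(1))}"]
        return []
    if in_temp(image) and image.lower() != parent.lower():
        return [f"medium: Temp-resident {basename(parent)} executed dropped {basename(image)}"]
    return []


def check_network(ev: dict) -> list:
    """Exact C2 endpoint = high; same /24 and port set = medium (assumption)."""
    try:
        ip = ipaddress.ip_address(ev.get("DestinationIp", ""))
        port = int(ev.get("DestinationPort", 0))
    except ValueError:
        return []
    if (str(ip), port) in C2_ENDPOINTS:
        return [f"high: known C2 endpoint {ip}:{port}"]
    if ip in C2_NET and port in C2_PORTS:
        return [f"medium: same /24 and port set as reported C2 ({ip}:{port})"]
    return []


def check_file(ev: dict) -> list:
    """Stable artifact hash = high; dropped-artifact filename written to Temp = medium."""
    target = ev.get("TargetFilename", "")
    sha = ev.get("Sha256", "").lower()
    if sha in STABLE_SHA256:
        return [f"high: SHA256 matches reported {STABLE_SHA256[sha]}"]
    if basename(target) in DROPPED_NAMES and in_temp(target):
        return [f"medium: dropped-artifact name {basename(target)} written to Temp"]
    return []


CHECKS = {"ProcessCreate": check_process, "NetworkConnect": check_network, "FileCreate": check_file}


def triage(lines) -> list:
    """Return [(line_no, [findings, ...])] for every event line that matched a check."""
    results = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        findings = CHECKS.get(ev.get("EventType"), lambda _e: [])(ev)
        if findings:
            results.append((n, findings))
    return results


# Constructed sample events modelled on the report's process tree and network table.
# The parent of cmd.exe is an assumption; the report does not state it.
SAMPLE_EVENTS = r'''
{"EventType":"ProcessCreate","Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\biudfw.exe","ParentImage":"C:\\Users\\Admin\\AppData\\Local\\Temp\\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe","CommandLine":"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\biudfw.exe\""}
{"EventType":"ProcessCreate","Image":"C:\\Windows\\SysWOW64\\cmd.exe","ParentImage":"C:\\Users\\Admin\\AppData\\Local\\Temp\\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe","CommandLine":"cmd /c \"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sanfdr.bat\" \""}
{"EventType":"NetworkConnect","Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\biudfw.exe","DestinationIp":"218.54.47.76","DestinationPort":11120,"Protocol":"tcp"}
{"EventType":"NetworkConnect","Image":"C:\\Windows\\System32\\svchost.exe","DestinationIp":"8.8.8.8","DestinationPort":53,"Protocol":"udp"}
{"EventType":"FileCreate","Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe","TargetFilename":"C:\\Users\\Admin\\AppData\\Local\\Temp\\sanfdr.bat","Sha256":"a9465f51a25bf51cb3447e223c87bcc83f651554147eecc3f2436af2b2244c4c"}
{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe"}
'''.strip().splitlines()

if __name__ == "__main__":
    for n, findings in triage(SAMPLE_EVENTS):
        print(f"event {n}: " + "; ".join(findings))
```

Run against the constructed lines, events 1, 2, 3 and 5 fire and the 8.8.8.8 lookup and the notepad launch stay silent. The biudfw.exe name check is deliberately only "medium" because the binary's hash was not stable between the two runs; if you need a file-level indicator for it, hash the copy from your own environment rather than trusting either value above.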