Analysis Overview
SHA256
ab523b44bb896976cbd004767f37aaf5475fdb212156c61276dce81c8b9a77d4
Threat Level: Known bad
The file acf28e718581966b6f116d765656eb30N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Deletes itself
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 08:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 08:12
Reported
2024-07-27 08:14
Platform
win7-20240704-en
Max time kernel
91s
Max time network
96s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe
"C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/2064-0-0x0000000001060000-0x0000000001086000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | a2a81ccaa4d0ae43969ccd5b7ed24c05 |
| SHA1 | cf2f95fe73d2e740b4cd1a8a663e834d2293adde |
| SHA256 | de93351a17cc372daec90f4aa3bfbe084b5d9bf19572550c30141367b05aebd6 |
| SHA512 | fb7860ac9942a2448588e29eccf16d23cbb2e67da17eb0d805b66c6d533fe73b6e638361d6233db6babc49c3385554019ff060234921c252270c195a5d9cb2ed |
memory/2064-6-0x00000000005A0000-0x00000000005C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 1c644509f50a95e09933bf8ed8b1dedb |
| SHA1 | 62c73d2fa1960469d7fb4680c2bc735f1d56ce71 |
| SHA256 | d94ff3c021f239a0e3726aca73472a472afdb1cf6d004347cb2d9f53914b8525 |
| SHA512 | bcddf3479074caf029c6f46369fabbedac2b5c56d1728980c4a77c2db113cfd615cc2a2ff4a183b58534caa0d7fe522279b24b6f840d04c1a3236923cac64ddf |
memory/2084-17-0x0000000000830000-0x0000000000856000-memory.dmp
memory/2064-19-0x0000000001060000-0x0000000001086000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7cdc8777d33db85bc19aefb64879a7f7 |
| SHA1 | f2d494d4dfe93a05eb58513935196e8578648adf |
| SHA256 | 9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336 |
| SHA512 | 34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f |
memory/2084-22-0x0000000000830000-0x0000000000856000-memory.dmp
memory/2084-24-0x0000000000830000-0x0000000000856000-memory.dmp
memory/2084-30-0x0000000000830000-0x0000000000856000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 08:12
Reported
2024-07-27 08:14
Platform
win10v2004-20240709-en
Max time kernel
102s
Max time network
103s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4524 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4524 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4524 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4524 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4524 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4524 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe
"C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4524-0-0x0000000000990000-0x00000000009B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 967892c6820ff4913799c7bf9d0b793c |
| SHA1 | cf1466f0bc408ef24455a36d161864b5a3526b24 |
| SHA256 | f6ada49e5a5ee5d0cd09a96ec7b53e831b824df734cd0851d5f731c73b1c4d5a |
| SHA512 | ac88854992393503216c7889330ab2a376a29b5727647bf90b31453c5e35d7a5b9897fc0d795e550d7292d1ddf012038f53e609101748b6e30ef5435cf43ffe5 |
memory/4288-13-0x0000000000AC0000-0x0000000000AE6000-memory.dmp
memory/4524-15-0x0000000000990000-0x00000000009B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 1c644509f50a95e09933bf8ed8b1dedb |
| SHA1 | 62c73d2fa1960469d7fb4680c2bc735f1d56ce71 |
| SHA256 | d94ff3c021f239a0e3726aca73472a472afdb1cf6d004347cb2d9f53914b8525 |
| SHA512 | bcddf3479074caf029c6f46369fabbedac2b5c56d1728980c4a77c2db113cfd615cc2a2ff4a183b58534caa0d7fe522279b24b6f840d04c1a3236923cac64ddf |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7cdc8777d33db85bc19aefb64879a7f7 |
| SHA1 | f2d494d4dfe93a05eb58513935196e8578648adf |
| SHA256 | 9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336 |
| SHA512 | 34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f |
memory/4288-18-0x0000000000AC0000-0x0000000000AE6000-memory.dmp
memory/4288-20-0x0000000000AC0000-0x0000000000AE6000-memory.dmp
memory/4288-27-0x0000000000AC0000-0x0000000000AE6000-memory.dmp