Analysis Overview
SHA256
183efc32d12f7d89426755f1650f72e06399e2c81b934c9bcb6b6e9305de9849
Threat Level: Known bad
The file 5d40681dee8a5eaa2ee76ab80f59fec0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Checks computer location settings
UPX packed file
Deletes itself
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-31 03:40
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-31 03:40
Reported
2024-07-31 03:42
Platform
win7-20240704-en
Max time kernel
119s
Max time network
91s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe
"C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | tcp | |
| KR | 218.54.47.74:11150 | tcp | |
| KR | 218.54.47.76:11170 | tcp | |
| KR | 218.54.47.77:11150 | tcp |
Files
memory/1580-0-0x0000000000050000-0x000000000007C000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 5410c36b26b0518622068c704b1566dd |
| SHA1 | 0d5a5e3c5f8cdbdb219745bf0fb2a81fe5825029 |
| SHA256 | cc1682cde36824b29ab18716a2363a0aac74be4489dc96ad14e489b3d6800283 |
| SHA512 | f318937e07dbe9a544505ad2c16bbddabbe70b47153ce81a41625130e87adcb263e2963d1139edef44e512b4293042b625045c862931a1c185ff5d7808d9e831 |
memory/992-11-0x0000000000800000-0x000000000082C000-memory.dmp
memory/1580-10-0x0000000002AD0000-0x0000000002AFC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 819362708bc5eee198a15582daab8e7d |
| SHA1 | 564d69a5cb20a00734ea49cef078f16b582988e3 |
| SHA256 | 9e4c8e74ec0ed2ed3fe8888d2227f4bbb0c94134d3cd75b52c7553bec616305b |
| SHA512 | d30d35f26473eeab5308a61fee132387e459df63365e431e3a09a48ad7194b812efd4ca4eaf7f1424e24c00da7608098f74947b031d1c8296aba49ef6daad485 |
memory/1580-19-0x0000000000050000-0x000000000007C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b4a86880004da8726288d7ec954885a8 |
| SHA1 | 1bab1cfbdc2c540246210bc7852f8fe7e8357b31 |
| SHA256 | c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46 |
| SHA512 | 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4 |
memory/992-22-0x0000000000800000-0x000000000082C000-memory.dmp
memory/992-24-0x0000000000800000-0x000000000082C000-memory.dmp
memory/992-31-0x0000000000800000-0x000000000082C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-31 03:40
Reported
2024-07-31 03:42
Platform
win10v2004-20240730-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3248 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 3248 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 3248 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 3248 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3248 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3248 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe
"C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | tcp | |
| KR | 218.54.47.74:11150 | tcp | |
| KR | 218.54.47.76:11170 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3248-0-0x0000000000090000-0x00000000000BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 5a5f202cf2b7cf395cc7edfa0c3abbaf |
| SHA1 | 1eb3a41b48edb5d5dd56259c11c41cf5ac661c55 |
| SHA256 | aac373365b0484475a6f1b224fadc130d9d8c2082dfe141bf87f7b4a27ecbea2 |
| SHA512 | 8a1a7b47dd49a28c4425db1bab1a275166d54a78f2f656dc63d9622627740dd1121f1e3f35cc4321969c9a18b3e5edd1884528ac285c2613a546a3d3cf816bbd |
memory/1724-10-0x0000000000700000-0x000000000072C000-memory.dmp
memory/3248-15-0x0000000000090000-0x00000000000BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 819362708bc5eee198a15582daab8e7d |
| SHA1 | 564d69a5cb20a00734ea49cef078f16b582988e3 |
| SHA256 | 9e4c8e74ec0ed2ed3fe8888d2227f4bbb0c94134d3cd75b52c7553bec616305b |
| SHA512 | d30d35f26473eeab5308a61fee132387e459df63365e431e3a09a48ad7194b812efd4ca4eaf7f1424e24c00da7608098f74947b031d1c8296aba49ef6daad485 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b4a86880004da8726288d7ec954885a8 |
| SHA1 | 1bab1cfbdc2c540246210bc7852f8fe7e8357b31 |
| SHA256 | c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46 |
| SHA512 | 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4 |
memory/1724-18-0x0000000000700000-0x000000000072C000-memory.dmp
memory/1724-20-0x0000000000700000-0x000000000072C000-memory.dmp
memory/1724-27-0x0000000000700000-0x000000000072C000-memory.dmp