Analysis Overview
SHA256
f2ca2511b414dfdddd8aaf75a968acb77edcdcde4ec9cbbcd026de737ef173bd
Threat Level: Known bad
The file 59c49c0b0b8c653cc95a856a558ae0a0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 05:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 05:00
Reported
2024-08-02 05:02
Platform
win7-20240708-en
Max time kernel
89s
Max time network
88s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe
"C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/1780-0-0x0000000000400000-0x0000000000428000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| Hash | Value |
| --- | --- |
| MD5 | bcf61b83a671c1af4562fdec80798176 |
| SHA1 | c912469b88e43c9f6ae3c050ccc159244db76c7a |
| SHA256 | 1650b682791440006403ce3f10fa6cf2ddb87b6dd4c12ffa813069dc192a51d4 |
| SHA512 | 3954942ea65a6cc1c0395796e54959b35644798c8ff7d981a1e0fe6e255ca78e12f40b102c5179cfeed54fe9a675b99176413af379561a14127f916a52488288 |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
| --- | --- |
| MD5 | dc3b7247571d901221119c4a9a1e0b6e |
| SHA1 | ed0d64d767b68c42edf7cb7105465e4b4e6bd289 |
| SHA256 | 9ee625b0f3bc3f677e0fae141a42d8fb3db34bd4797f9f77d2d0e4b9cba3de35 |
| SHA512 | 052bc92cca76501b448962caae62833a49202d331e889b48696b185ac2dd3b1f4c72da7269574927e2cb41960b3f8f14ac1fba9112dcc98191990f8d0d7fb0f7 |
memory/1780-16-0x0000000002CE0000-0x0000000002D08000-memory.dmp
memory/1096-17-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1780-19-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | b4a86880004da8726288d7ec954885a8 |
| SHA1 | 1bab1cfbdc2c540246210bc7852f8fe7e8357b31 |
| SHA256 | c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46 |
| SHA512 | 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4 |
memory/1096-22-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1096-24-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1096-31-0x0000000000400000-0x0000000000428000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 05:00
Reported
2024-08-02 05:02
Platform
win10v2004-20240730-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 324 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 324 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 324 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 324 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 324 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 324 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe
"C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/324-0-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| Hash | Value |
| --- | --- |
| MD5 | 9c58813d849e48fd457dcfcabd1fc194 |
| SHA1 | 2cbc3df4b698d079971ad9cdb2793294fa2bc612 |
| SHA256 | 3ed5127626251554b318af06ebfe39345177fd7261a8182bfb35aae428dfb6cd |
| SHA512 | 19553f8368bbb627cefbd75f80809bae7ed0028f866aba800a1248804f53de7c8ad5ecfc0bd6fc0cc6c4635aa41b9c9694ea59e1b13ae50ada28dad1dac610b9 |
memory/1608-12-0x0000000000400000-0x0000000000428000-memory.dmp
memory/324-15-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
| --- | --- |
| MD5 | dc3b7247571d901221119c4a9a1e0b6e |
| SHA1 | ed0d64d767b68c42edf7cb7105465e4b4e6bd289 |
| SHA256 | 9ee625b0f3bc3f677e0fae141a42d8fb3db34bd4797f9f77d2d0e4b9cba3de35 |
| SHA512 | 052bc92cca76501b448962caae62833a49202d331e889b48696b185ac2dd3b1f4c72da7269574927e2cb41960b3f8f14ac1fba9112dcc98191990f8d0d7fb0f7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | b4a86880004da8726288d7ec954885a8 |
| SHA1 | 1bab1cfbdc2c540246210bc7852f8fe7e8357b31 |
| SHA256 | c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46 |
| SHA512 | 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4 |
memory/1608-18-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1608-20-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1608-26-0x0000000000400000-0x0000000000428000-memory.dmp