Analysis Overview
SHA256
de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9
Threat Level: Known bad
The file de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9 was found to be: Known bad.
Malicious Activity Summary
Urelas
UPX packed file
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 05:50
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 05:50
Reported
2024-08-02 05:53
Platform
win7-20240704-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe
"C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | N/A | tcp |
| KR | 218.54.47.74:11150 | N/A | tcp |
| KR | 218.54.47.76:11170 | N/A | tcp |
| KR | 218.54.47.77:11150 | N/A | tcp |
Files
memory/2572-0-0x0000000000250000-0x000000000027C000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 44d8a98194d58d6e3c71a5679a46ef4f |
| SHA1 | e3cf9b95ddfe0a6dbd1987d192c9d004044c369b |
| SHA256 | 64fc8b5a93a50eb11dc800dceca62f177aff7034c86390f839520bf78b27c3d3 |
| SHA512 | a92122c7d2b778b43032f268b5f59d3151681901a6be97e2fe9318d99823c9679b16b0ad3847a1cad5313cf31b7845f0474513e236c7d454d467b75670962010 |
memory/2572-6-0x0000000000450000-0x000000000047C000-memory.dmp
memory/2068-10-0x0000000000D60000-0x0000000000D8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 99bff618b65a7245c790f68022a727da |
| SHA1 | ae6c0c9429430e057ce83371daf2b3a66cfd154a |
| SHA256 | 7b7102980250ba2913a818393baa7000fa56b504ebf89562b19a2e72110d868e |
| SHA512 | 6ae84dce05918269212996c2021a08f64645c78454a16a9a8195d4b92bd1ea91010e2c94ef88c943cc658ba6b6f2c8f4043d1311dd95cc9c37ca22831bc0dfe5 |
memory/2572-19-0x0000000000250000-0x000000000027C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b4a86880004da8726288d7ec954885a8 |
| SHA1 | 1bab1cfbdc2c540246210bc7852f8fe7e8357b31 |
| SHA256 | c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46 |
| SHA512 | 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4 |
memory/2068-22-0x0000000000D60000-0x0000000000D8C000-memory.dmp
memory/2068-24-0x0000000000D60000-0x0000000000D8C000-memory.dmp
memory/2068-31-0x0000000000D60000-0x0000000000D8C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 05:50
Reported
2024-08-02 05:53
Platform
win10v2004-20240730-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe
"C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | N/A | tcp |
| KR | 218.54.47.74:11150 | N/A | tcp |
| KR | 218.54.47.76:11170 | N/A | tcp |
| KR | 218.54.47.77:11150 | N/A | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/2068-0-0x00000000004A0000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 16f94c6e33bfd6861350c37c6aeca7c0 |
| SHA1 | 7ea2e2be8f530fabf215f80ffe3d6d1f3936fdda |
| SHA256 | 6ec2dc2ea1dc24f4f8c401470972d2c3eef236c4915db0a153dc911eb3396602 |
| SHA512 | dc9b42216d30717cdcbfddc35b43b58850e30b473bde07e1f0157d7e63bd22b3838165ceaf2ab59cc9d0c843f5d5b305a31c503f4f243a15763ef1b397865bc0 |
memory/768-13-0x0000000000AC0000-0x0000000000AEC000-memory.dmp
memory/2068-15-0x00000000004A0000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 99bff618b65a7245c790f68022a727da |
| SHA1 | ae6c0c9429430e057ce83371daf2b3a66cfd154a |
| SHA256 | 7b7102980250ba2913a818393baa7000fa56b504ebf89562b19a2e72110d868e |
| SHA512 | 6ae84dce05918269212996c2021a08f64645c78454a16a9a8195d4b92bd1ea91010e2c94ef88c943cc658ba6b6f2c8f4043d1311dd95cc9c37ca22831bc0dfe5 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b4a86880004da8726288d7ec954885a8 |
| SHA1 | 1bab1cfbdc2c540246210bc7852f8fe7e8357b31 |
| SHA256 | c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46 |
| SHA512 | 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4 |
memory/768-18-0x0000000000AC0000-0x0000000000AEC000-memory.dmp
memory/768-20-0x0000000000AC0000-0x0000000000AEC000-memory.dmp
memory/768-26-0x0000000000AC0000-0x0000000000AEC000-memory.dmp