Analysis Overview
SHA256
4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff
Threat Level: Known bad
The file 4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 21:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 21:30
Reported
2024-08-04 21:32
Platform
win7-20240708-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe
"C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/2972-0-0x0000000000190000-0x00000000001B5000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 2174de5aec1f6def7261a817814fec00 |
| SHA1 | 60c52f2a94ea1f23cc82f3dd6f3a1eb9d196b61d |
| SHA256 | 189beb52e1e8e0d81a3bb5dceae77b44d8809e2404882e08a341c03a11d7a97a |
| SHA512 | fe2f8767d2a9430da3e3d637df3b47e05f2e733a86a8f05db013a4448650c8e2d4160e517fffcb8d0c63f1f852f40a1b6fb9718a98c71ae42f95b1b511df1065 |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 8a6b0ede7a9a1b7d054127ab15202bcc |
| SHA1 | e2bd2ea415132a933519b2520c6a0b4f3c933284 |
| SHA256 | 4f3c90f4294bd0733d394a740c0100717695ef4899e8d6d8c14b348342cb4f06 |
| SHA512 | 501af41bc194a9ec7041979cbc88be97f7f2c7c6baaadcd69c01f4edb97b11b512d2ec94ddfc1f20d520e5d2edc039d98e66fae106216f2ade2c649ce14e7882 |
memory/2972-19-0x0000000000190000-0x00000000001B5000-memory.dmp
memory/2296-18-0x0000000000010000-0x0000000000035000-memory.dmp
memory/2972-16-0x0000000000530000-0x0000000000555000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | efd90b3ac908d5482af367de3a82184a |
| SHA1 | de9f01d2ed0247b7b347e55c5a09721a60147fb9 |
| SHA256 | 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d |
| SHA512 | 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02 |
memory/2296-22-0x0000000000010000-0x0000000000035000-memory.dmp
memory/2296-24-0x0000000000010000-0x0000000000035000-memory.dmp
memory/2296-30-0x0000000000010000-0x0000000000035000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 21:30
Reported
2024-08-04 21:32
Platform
win10v2004-20240802-en
Max time kernel
95s
Max time network
148s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe
"C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
Files
memory/1916-0-0x00000000004A0000-0x00000000004C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 77e029121fbdf9488fab6dad2c1499f0 |
| SHA1 | 723e9234b7b8b5b5a09123bb47794eb00485a0f1 |
| SHA256 | 3fc36517392486d6bcfcaf46359470ebf484e3b34b8a45ab7194f99162deedb3 |
| SHA512 | 77793d765029ff495e8ab586c994f9c711b90793edebf3b41eb4690a36907eb33a0eeff08ba4e71f28105518b4df6dfa671aa87ae57ec414e1d19ad186062f30 |
memory/1160-15-0x0000000000560000-0x0000000000585000-memory.dmp
memory/1916-18-0x00000000004A0000-0x00000000004C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 8a6b0ede7a9a1b7d054127ab15202bcc |
| SHA1 | e2bd2ea415132a933519b2520c6a0b4f3c933284 |
| SHA256 | 4f3c90f4294bd0733d394a740c0100717695ef4899e8d6d8c14b348342cb4f06 |
| SHA512 | 501af41bc194a9ec7041979cbc88be97f7f2c7c6baaadcd69c01f4edb97b11b512d2ec94ddfc1f20d520e5d2edc039d98e66fae106216f2ade2c649ce14e7882 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | efd90b3ac908d5482af367de3a82184a |
| SHA1 | de9f01d2ed0247b7b347e55c5a09721a60147fb9 |
| SHA256 | 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d |
| SHA512 | 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02 |
memory/1160-21-0x0000000000560000-0x0000000000585000-memory.dmp
memory/1160-23-0x0000000000560000-0x0000000000585000-memory.dmp
memory/1160-29-0x0000000000560000-0x0000000000585000-memory.dmp