Analysis Overview
SHA256
a90191bcd4c952c26f0b92a2872303fd3c7e97e0e7473ee882e8d490741d6307
Threat Level: Known bad
The file e1a2c6df63912e750f762a181afcdc20N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Deletes itself
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 04:28
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 04:28
Reported
2024-08-04 04:30
Platform
win7-20240704-en
Max time kernel
90s
Max time network
82s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe
"C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\biudfw.exe
| Hash | Value |
| --- | --- |
| MD5 | 70327f9f9a020a4bcc08c2ca0ce4e0cd |
| SHA1 | ca82986657b4dabe5709d93bc4e074f4068acc23 |
| SHA256 | ba345335030ded70d9cfde7e4d4de2cac95b4506886392eee10ce6123f845970 |
| SHA512 | 990cd349e0494ea29a2832d204551a5ccd526392d95206ac960a506ca1a25d289c03b9d6f6fd59e06c399a06227c9011729420423dc41d0a4b4aec88aaf0348c |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
| --- | --- |
| MD5 | 9c50fddb0095a59554d669c6ddcf8b7e |
| SHA1 | e619094e38f8c3351ee084338a41ea4a7005c0aa |
| SHA256 | 9d8821c4186c809f5131f10cd894675b833a9dde5285718fae4ac700a804112f |
| SHA512 | 4f6e51ee364d2666130bd1b69d0edf494beefbda828fac3d056488af06c2ab4d105ae498010ddddc42551838b7049a4cade84b59e497ee53f3a55025fc46bbc1 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | 2930c042c9ee5e07f321f2134a0c7edc |
| SHA1 | ee39f41eaf6ce3c8d917a89e65959414ae0088e6 |
| SHA256 | a328475bbb730da292b83ed6cabbdbfc0616f042296f0c6fa356c5368ffc1309 |
| SHA512 | 2da91d5effc116d8c8661c2a99f1d9c2aaffda0f776551dc7ad1911fdb2765591e5b441b9a1fe0090bcda8ed24d180b563ed2c127676cf1de40001e4b15b5506 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 04:28
Reported
2024-08-04 04:30
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
98s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2884 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 2884 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 2884 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 2884 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2884 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2884 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe
"C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| Hash | Value |
| --- | --- |
| MD5 | 6f3dc7255da3d90a8fa6cabac96dea40 |
| SHA1 | 787d3dd93bf4cc160cf38d283cdb9a76dbec26b3 |
| SHA256 | 8640f61cbb9fc03903c044a481abded5bf7800b1d8a5ff6baa41830666ded239 |
| SHA512 | 27500b90734448fcb021df5bf8e77237b1a94fe2d5144c71c1c0d13179a9a36dc1d4da85e644e01e92e3fb2441f98236eed9b0627547d7b5af8ecffe9be05f9c |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| Hash | Value |
| --- | --- |
| MD5 | 9c50fddb0095a59554d669c6ddcf8b7e |
| SHA1 | e619094e38f8c3351ee084338a41ea4a7005c0aa |
| SHA256 | 9d8821c4186c809f5131f10cd894675b833a9dde5285718fae4ac700a804112f |
| SHA512 | 4f6e51ee364d2666130bd1b69d0edf494beefbda828fac3d056488af06c2ab4d105ae498010ddddc42551838b7049a4cade84b59e497ee53f3a55025fc46bbc1 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
| --- | --- |
| MD5 | 2930c042c9ee5e07f321f2134a0c7edc |
| SHA1 | ee39f41eaf6ce3c8d917a89e65959414ae0088e6 |
| SHA256 | a328475bbb730da292b83ed6cabbdbfc0616f042296f0c6fa356c5368ffc1309 |
| SHA512 | 2da91d5effc116d8c8661c2a99f1d9c2aaffda0f776551dc7ad1911fdb2765591e5b441b9a1fe0090bcda8ed24d180b563ed2c127676cf1de40001e4b15b5506 |