Analysis Overview
SHA256
def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f
Threat Level: Known bad
The file def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 04:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 04:06
Reported
2024-08-04 04:09
Platform
win7-20240704-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe
"C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/2400-0-0x0000000000DD0000-0x0000000000DF6000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 262f3800c6843eb01ed6ef2965a67e05 |
| SHA1 | dc01624091e6c05e237d53a9d6a444f24122c191 |
| SHA256 | dc34b3ae19122bdd9490f85a8ba7886cc4e145dc24102d40bd4a09aab042a96c |
| SHA512 | 9f6d2b0a777102c98afde373f273e5d273949846419cc986914dbc84af8939abdcaca8b4f3ab123a7823411a705b1b9b72ec5322ab76f20040f962cab05f4e6d |
memory/2812-16-0x0000000000040000-0x0000000000066000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | d8635929082df9ac0a5be0ff1d465f7a |
| SHA1 | bf6a78a72d41e126a32b0b82873967e1edcd7356 |
| SHA256 | ab5130aed942753f5ae3acd322c1cbce5a044cf37453dc74e04bfc6a95ad3736 |
| SHA512 | 690d7bbe838a8d491256802e6702a3256c9271b4821387574f69f9a5b8a220e94729c9042cf267393c73dd8da4bf221b9ef286c7ac11740687d59dcf7417c759 |
memory/2400-12-0x0000000000B30000-0x0000000000B56000-memory.dmp
memory/2400-19-0x0000000000DD0000-0x0000000000DF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7cdc8777d33db85bc19aefb64879a7f7 |
| SHA1 | f2d494d4dfe93a05eb58513935196e8578648adf |
| SHA256 | 9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336 |
| SHA512 | 34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f |
memory/2812-22-0x0000000000040000-0x0000000000066000-memory.dmp
memory/2812-24-0x0000000000040000-0x0000000000066000-memory.dmp
memory/2812-31-0x0000000000040000-0x0000000000066000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 04:06
Reported
2024-08-04 04:09
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
85s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe
"C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/4088-0-0x0000000000FA0000-0x0000000000FC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 1a182b6bf9d3fcf63b272a3c214fa2df |
| SHA1 | be701496b4ca96f4b5fb2802d865a25b59dd3a5f |
| SHA256 | 1c4166ee70ebbaced45b3bf92c9778f53b31b6a6970bce4cae02bd1fb35926b8 |
| SHA512 | d29951a3825be0693f945f1354f2e2fd9b838236e93645930128c9cbc03ffe0bf22e03f242ce7125705cd67a592d84d1dce71911362535793ffa0da67de187f6 |
memory/1420-12-0x0000000000450000-0x0000000000476000-memory.dmp
memory/4088-15-0x0000000000FA0000-0x0000000000FC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | d8635929082df9ac0a5be0ff1d465f7a |
| SHA1 | bf6a78a72d41e126a32b0b82873967e1edcd7356 |
| SHA256 | ab5130aed942753f5ae3acd322c1cbce5a044cf37453dc74e04bfc6a95ad3736 |
| SHA512 | 690d7bbe838a8d491256802e6702a3256c9271b4821387574f69f9a5b8a220e94729c9042cf267393c73dd8da4bf221b9ef286c7ac11740687d59dcf7417c759 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7cdc8777d33db85bc19aefb64879a7f7 |
| SHA1 | f2d494d4dfe93a05eb58513935196e8578648adf |
| SHA256 | 9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336 |
| SHA512 | 34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f |
memory/1420-18-0x0000000000450000-0x0000000000476000-memory.dmp
memory/1420-20-0x0000000000450000-0x0000000000476000-memory.dmp
memory/1420-27-0x0000000000450000-0x0000000000476000-memory.dmp