Analysis Overview
SHA256
7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed
Threat Level: Known bad
The file 7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed was found to be: Known bad.
Malicious Activity Summary
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 23:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 23:37
Reported
2024-08-06 23:40
Platform
win7-20240704-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe
"C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/1876-0-0x00000000002C0000-0x00000000002E6000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | d3ffd1625e34029aa7bee59c831eac4b |
| SHA1 | 4326857064825c31f008caf48bf0e14c9025e92a |
| SHA256 | f662b3c29b5bac511989402cf387f02c5cc897d3fbf13ad14d56144f5584aedf |
| SHA512 | f0dbf93cc6f15bfe680f32df51ad1edfb5202a3d794f69b818cfd5f0435fcbd342a037ca29654ea18f1b887b4d1c9034a46d9c358716d194851e471a81466647 |
memory/1876-6-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 742ca291db423d34618f3829a135cd9c |
| SHA1 | 0c00fcff458090048e2715eaa9da17c11002a8ce |
| SHA256 | 0514ba7fa6782519d027c78162f863911770e949e40338eb39890cda0bbdb541 |
| SHA512 | 42f87aef6259f93af54078b6206b7e0a0d0b7fb0e993c9f3a40570edd9b41d5cee11ca2943517d8f7551536aa5eece692efb0a81f63506abf9637232d7607be2 |
memory/3060-17-0x0000000001160000-0x0000000001186000-memory.dmp
memory/1876-19-0x00000000002C0000-0x00000000002E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b4a86880004da8726288d7ec954885a8 |
| SHA1 | 1bab1cfbdc2c540246210bc7852f8fe7e8357b31 |
| SHA256 | c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46 |
| SHA512 | 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4 |
memory/3060-22-0x0000000001160000-0x0000000001186000-memory.dmp
memory/3060-24-0x0000000001160000-0x0000000001186000-memory.dmp
memory/3060-30-0x0000000001160000-0x0000000001186000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 23:37
Reported
2024-08-06 23:40
Platform
win10v2004-20240802-en
Max time kernel
100s
Max time network
108s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe
"C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.58.20.217.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/2432-0-0x00000000000B0000-0x00000000000D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | dd8111c9f18dc2393c30547c32c043ae |
| SHA1 | c3857491d272016076acd21452eed287f0efacf1 |
| SHA256 | fa4ac4386b6894c0b3779e1d9d6f4f64bccac39406a70a43ce646ce71e5f7ff5 |
| SHA512 | dfe5d5212c8f57082fc22e8dde973acecce08a26d96ef77845ee4e5976a2f56a824177e0484d97db3846668ad756dbceef4ed1b316429cab73225ab03a3f6c2d |
memory/4872-12-0x0000000000120000-0x0000000000146000-memory.dmp
memory/2432-15-0x00000000000B0000-0x00000000000D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 742ca291db423d34618f3829a135cd9c |
| SHA1 | 0c00fcff458090048e2715eaa9da17c11002a8ce |
| SHA256 | 0514ba7fa6782519d027c78162f863911770e949e40338eb39890cda0bbdb541 |
| SHA512 | 42f87aef6259f93af54078b6206b7e0a0d0b7fb0e993c9f3a40570edd9b41d5cee11ca2943517d8f7551536aa5eece692efb0a81f63506abf9637232d7607be2 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b4a86880004da8726288d7ec954885a8 |
| SHA1 | 1bab1cfbdc2c540246210bc7852f8fe7e8357b31 |
| SHA256 | c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46 |
| SHA512 | 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4 |
memory/4872-18-0x0000000000120000-0x0000000000146000-memory.dmp
memory/4872-20-0x0000000000120000-0x0000000000146000-memory.dmp
memory/4872-27-0x0000000000120000-0x0000000000146000-memory.dmp