Analysis Overview
SHA256
12efad2cf07da1cc5c0013bea8fa60b3cbf8b8e0b30a5dd356f5cae8003cf303
Threat Level: Known bad
The file c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 15:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 15:07
Reported
2024-08-06 15:09
Platform
win7-20240705-en
Max time kernel
89s
Max time network
87s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe
"C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/580-0-0x0000000001370000-0x0000000001395000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 45aa37cb4ba13b358cb994de6f731346 |
| SHA1 | c141cc89f6a32ca5158f18f457c313898cae490f |
| SHA256 | a10ea6d2118c6c30cf5ab4fd646fbb22e95137f60492168dee306698fd5090a3 |
| SHA512 | bc5fa2d89a07f4861c85e70744176fddf14ddb9653dc61be8571cb96ac3f492aed4afee254810e08013b984837f6100b6aafd927bf77619c521fc55f062817b1 |
memory/1652-17-0x0000000000350000-0x0000000000375000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 92ec417aef2021a405bdc3937ca8c169 |
| SHA1 | f09e6b7ab8c2511030dae91392e149f9f3a9b319 |
| SHA256 | ac75dd1269f0aedc8d5956ad79c398248f2a0d82d5713eea3d245daffd0ad716 |
| SHA512 | 344e3507b8a5c0fd5234112d6c23e4ef44ed938b9d694a1e4a313ace686a1b9e2f5a004218b836d9b12f303db3eb2db45de1fe9bb17c4320a95b38614420e968 |
memory/580-16-0x00000000009B0000-0x00000000009D5000-memory.dmp
memory/580-18-0x0000000001370000-0x0000000001395000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 657ce9e5dd337971e44dfb9cb3fbf7dd |
| SHA1 | 026734083afaa4b7d298781b26a72ac9b67ac831 |
| SHA256 | 3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472 |
| SHA512 | 79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d |
memory/1652-21-0x0000000000350000-0x0000000000375000-memory.dmp
memory/1652-23-0x0000000000350000-0x0000000000375000-memory.dmp
memory/1652-29-0x0000000000350000-0x0000000000375000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 15:07
Reported
2024-08-06 15:09
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4880 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4880 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4880 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4880 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4880 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4880 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe
"C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4880-0-0x0000000000670000-0x0000000000695000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 7e684c4a31029a78aa6cd16ff48b45ba |
| SHA1 | 4880467336a8b14d67a867f8e1f53d3978da60fe |
| SHA256 | f15efdea2ccb5d1b891797c4832e337a15ec716c7ebc57eccd04e63cd9c069d6 |
| SHA512 | 419a8db7369c9c0048d87d66e890d6210f4e634720d19dc90914823e00d8b7538bcb01fedd854bc6573b91346ac841eb2e60bc914ea065a27d84913ac795bb12 |
memory/4412-15-0x0000000000050000-0x0000000000075000-memory.dmp
memory/4880-17-0x0000000000670000-0x0000000000695000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 92ec417aef2021a405bdc3937ca8c169 |
| SHA1 | f09e6b7ab8c2511030dae91392e149f9f3a9b319 |
| SHA256 | ac75dd1269f0aedc8d5956ad79c398248f2a0d82d5713eea3d245daffd0ad716 |
| SHA512 | 344e3507b8a5c0fd5234112d6c23e4ef44ed938b9d694a1e4a313ace686a1b9e2f5a004218b836d9b12f303db3eb2db45de1fe9bb17c4320a95b38614420e968 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 657ce9e5dd337971e44dfb9cb3fbf7dd |
| SHA1 | 026734083afaa4b7d298781b26a72ac9b67ac831 |
| SHA256 | 3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472 |
| SHA512 | 79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d |
memory/4412-20-0x0000000000050000-0x0000000000075000-memory.dmp
memory/4412-22-0x0000000000050000-0x0000000000075000-memory.dmp
memory/4412-28-0x0000000000050000-0x0000000000075000-memory.dmp
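The process chains, dropped files and C2 endpoints recorded in the behavioral1 and behavioral2 runs above translate directly into hunt logic. The script below is an added example, not part of the sandbox report: it takes the report's hashes, paths and 218.54.47.x endpoints as indicators and runs them over a constructed process/file/network event log. The event schema, the sample log and the attribution of the TCP connections to PID 4412 are assumptions for illustration (the report does not say which process opened them), and the `218.54.47.0/24` plus port-set rule is a generalisation beyond the four exact endpoints the report lists.

```python
"""Added example (not part of the sandbox report): hunt for the Urelas
dropper chain in a constructed process/file/network event log."""
import ipaddress

# --- indicators copied from the report above ---------------------------------
C2_ENDPOINTS = {
    ("218.54.47.76", 11120),
    ("218.54.47.74", 11150),
    ("218.54.47.76", 11170),
    ("218.54.47.77", 11150),
}
# Generalisation (assumption, not stated by the report): the C2 hosts share
# one /24 and a small set of high ports, so an unseen neighbour on those
# ports is flagged at lower confidence.
C2_NET = ipaddress.ip_network("218.54.47.0/24")
C2_PORTS = {port for _, port in C2_ENDPOINTS}

DROPPED_SHA256 = {
    "a10ea6d2118c6c30cf5ab4fd646fbb22e95137f60492168dee306698fd5090a3": "biudfw.exe (win7 run)",
    "f15efdea2ccb5d1b891797c4832e337a15ec716c7ebc57eccd04e63cd9c069d6": "biudfw.exe (win10 run)",
    "ac75dd1269f0aedc8d5956ad79c398248f2a0d82d5713eea3d245daffd0ad716": "sanfdr.bat",
    "3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472": "golfinfo.ini",
}
USER_TEMP = "\\appdata\\local\\temp\\"


def in_user_temp(path):
    return USER_TEMP in path.lower()


def hunt(events):
    """Return (rule, pid, detail) findings for a list of event dicts.

    Constructed schema: 'process' {pid, ppid, image, cmdline},
    'file' {pid, path, sha256}, 'network' {pid, proto, dst_ip, dst_port}.
    """
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    findings = []
    for e in events:
        kind = e["kind"]
        if kind == "file" and e.get("sha256") in DROPPED_SHA256:
            # Exact hash match: high confidence but brittle; the two
            # detonations already produced different biudfw.exe hashes.
            findings.append(("known_dropped_file", e["pid"], DROPPED_SHA256[e["sha256"]]))
        elif kind == "process":
            parent = procs.get(e["ppid"])
            parent_in_temp = parent is not None and in_user_temp(parent["image"])
            if parent_in_temp and in_user_temp(e["image"]):
                # Temp-resident EXE launching another Temp-resident EXE
                # (c2152...N.exe -> biudfw.exe in both runs).
                findings.append(("temp_exe_spawns_temp_exe", e["pid"], e["image"]))
            cmd = e["cmdline"].lower()
            if (parent_in_temp and e["image"].lower().endswith("\\cmd.exe")
                    and " /c " in cmd and ".bat" in cmd):
                # cmd /c <Temp>\*.bat spawned by the Temp EXE: the report's
                # "Deletes itself" step runs through sanfdr.bat.
                findings.append(("temp_exe_runs_batch", e["pid"], e["cmdline"]))
        elif kind == "network":
            dst = (e["dst_ip"], e["dst_port"])
            if dst in C2_ENDPOINTS:
                findings.append(("urelas_c2", e["pid"], "%s:%d" % dst))
            elif (ipaddress.ip_address(e["dst_ip"]) in C2_NET
                  and e["dst_port"] in C2_PORTS):
                findings.append(("urelas_c2_range", e["pid"], "%s:%d" % dst))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'urelas_c2': 1, ...}."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed log; PIDs and paths mirror the win10 detonation
    {"kind": "process", "pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "process", "pid": 4880, "ppid": 1000, "image": T + r"\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe",
     "cmdline": '"' + T + r'\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe"'},
    {"kind": "file", "pid": 4880, "path": T + r"\biudfw.exe",
     "sha256": "f15efdea2ccb5d1b891797c4832e337a15ec716c7ebc57eccd04e63cd9c069d6"},
    {"kind": "file", "pid": 4880, "path": T + r"\sanfdr.bat",
     "sha256": "ac75dd1269f0aedc8d5956ad79c398248f2a0d82d5713eea3d245daffd0ad716"},
    {"kind": "process", "pid": 4412, "ppid": 4880, "image": T + r"\biudfw.exe",
     "cmdline": '"' + T + r'\biudfw.exe"'},
    {"kind": "process", "pid": 2916, "ppid": 4880, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + T + r'\sanfdr.bat" "'},
    {"kind": "network", "pid": 4412, "proto": "udp", "dst_ip": "8.8.8.8", "dst_port": 53},  # benign DNS
    {"kind": "network", "pid": 4412, "proto": "tcp", "dst_ip": "218.54.47.76", "dst_port": 11120},
    {"kind": "network", "pid": 4412, "proto": "tcp", "dst_ip": "218.54.47.75", "dst_port": 11150},  # unseen neighbour
    {"kind": "process", "pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The behavioural rules (Temp EXE spawning a Temp EXE, Temp EXE running `cmd /c <Temp>\*.bat`) are the durable part: the win7 and win10 runs dropped `biudfw.exe` with different SHA256 values, so a hash-only rule would have missed one of them. The `NLS\Language` and `Geo\Nation` registry reads listed under the signatures are far too common in legitimate software to alert on by themselves; they only add weight once the process chain or the C2 traffic has already fired.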