Analysis Overview
SHA256
7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5
Threat Level: Known bad
The file 7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5 was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-08 22:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-08 22:55
Reported
2024-08-08 22:57
Platform
win7-20240705-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe
"C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 5c832aa84399bbed00e0b433171f1b31 |
| SHA1 | e64e2de779a8b672e80ab009920f2be9dd1b4b34 |
| SHA256 | 85733e200b497ce2eb13b53143820d334fba403cfe3e6af7fe0d3d6f296bfbfa |
| SHA512 | a36ce7fe681f0362e439089e6db3a8e56abdcafb07120740dc95dcf37329c17eae1cd8c056e0a0890f817b1c2cfa26ae3e54fb650efce00c6b3debef01dcc7d2 |
memory/2092-19-0x0000000000010000-0x0000000000037000-memory.dmp
memory/2292-16-0x0000000000D60000-0x0000000000D87000-memory.dmp
memory/2092-15-0x0000000001CF0000-0x0000000001D17000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 83868ea232b17dfb5d78dfbbbb97dd6c |
| SHA1 | 8ea8e7e9e71d8e9ac4694f35410375871c12e9ab |
| SHA256 | ba1d07e7222d8b5c30c85dc4706cec58c5cc8625dba9f28c5bfd5aa74c226669 |
| SHA512 | 40dfafa28d3574cb3e4d748bcf64182137a7f31252e03aec3d14fe7e26112563129d4119dfa53442b3eaa6d480897c7724c953249bcc630126e9d9c54d12688a |
memory/2092-0-0x0000000000010000-0x0000000000037000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1c9b2720af0ca9528b47898d9c7f4799 |
| SHA1 | 80495f16e333f54ecc700252323c2a7cb7d751e1 |
| SHA256 | d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5 |
| SHA512 | 5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac |
memory/2292-22-0x0000000000D60000-0x0000000000D87000-memory.dmp
memory/2292-24-0x0000000000D60000-0x0000000000D87000-memory.dmp
memory/2292-31-0x0000000000D60000-0x0000000000D87000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-08 22:55
Reported
2024-08-08 22:57
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
124s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe
"C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/3732-0-0x0000000000060000-0x0000000000087000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | d92d90db5eb9243ffb1b76b767e9f8e9 |
| SHA1 | a03910597f05300fb7ada646be19d03a2cda83ff |
| SHA256 | 48c4793c25eb223eb36220536f77aa6561fead3c21d1b09cb319cdec4cb9c15a |
| SHA512 | d9008891c1f2fc38714ca85dde47a4cf730fd2da5a677378efe5fb853be156d6667805879c1e04dd4e462b79f8c0abd379fa60aef2516f252eaa83efc16d82fb |
memory/804-15-0x00000000007F0000-0x0000000000817000-memory.dmp
memory/3732-18-0x0000000000060000-0x0000000000087000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 5c832aa84399bbed00e0b433171f1b31 |
| SHA1 | e64e2de779a8b672e80ab009920f2be9dd1b4b34 |
| SHA256 | 85733e200b497ce2eb13b53143820d334fba403cfe3e6af7fe0d3d6f296bfbfa |
| SHA512 | a36ce7fe681f0362e439089e6db3a8e56abdcafb07120740dc95dcf37329c17eae1cd8c056e0a0890f817b1c2cfa26ae3e54fb650efce00c6b3debef01dcc7d2 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1c9b2720af0ca9528b47898d9c7f4799 |
| SHA1 | 80495f16e333f54ecc700252323c2a7cb7d751e1 |
| SHA256 | d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5 |
| SHA512 | 5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac |
memory/804-21-0x00000000007F0000-0x0000000000817000-memory.dmp
memory/804-23-0x00000000007F0000-0x0000000000817000-memory.dmp
memory/804-29-0x00000000007F0000-0x0000000000817000-memory.dmp
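Added example (not part of the sandbox report): the indicators from both detonations above, turned into a small hunting script that runs over Sysmon-style process and network events. The file hashes and C2 endpoints are copied from the report; the telemetry in SAMPLE_EVENTS is constructed to mirror the win7 process list plus two benign events. Two things are assumptions rather than report facts: the parent/child links between the dropper, biudfw.exe and cmd.exe are inferred from the order of the Processes list, and treating other hosts in 218.54.47.0/24 as "near C2" is a pivot heuristic, not an observed indicator.

```python
"""Hunt for the Urelas indicators in the report above over Sysmon-style events.

Added example. Hashes and C2 endpoints come from the report; events are constructed.
"""
import ipaddress
import re

# SHA256 values copied from the report's Files sections.
SHA256_IOCS = {
    "7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5": "submitted sample (Urelas)",
    "ba1d07e7222d8b5c30c85dc4706cec58c5cc8625dba9f28c5bfd5aa74c226669": "biudfw.exe (win7 run)",
    "48c4793c25eb223eb36220536f77aa6561fead3c21d1b09cb319cdec4cb9c15a": "biudfw.exe (win10 run)",
    "85733e200b497ce2eb13b53143820d334fba403cfe3e6af7fe0d3d6f296bfbfa": "sanfdr.bat (self-delete batch)",
    "d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5": "golfinfo.ini",
}

# TCP endpoints contacted in both detonations.
C2_ENDPOINTS = {
    ("218.54.47.76", 11120), ("218.54.47.74", 11150),
    ("218.54.47.76", 11170), ("218.54.47.77", 11150),
}
# Assumption: same /24 as the C2 hosts is worth a lower-confidence alert.
C2_NET = ipaddress.ip_network("218.54.47.0/24")

TEMP_FILE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+$", re.IGNORECASE)
BAT_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\[^\\\"]+\.bat", re.IGNORECASE)


def match_hash(ev):
    """Exact SHA256 match against the report's file hashes, else None."""
    return SHA256_IOCS.get(str(ev.get("sha256", "")).lower())


def match_c2(ev):
    """'c2-exact' for a known IP:port, 'c2-net' for the same /24, else None."""
    if ev.get("type") != "network":
        return None
    dst = (str(ev.get("dst_ip")), int(ev.get("dst_port", 0)))
    if dst in C2_ENDPOINTS:
        return "c2-exact"
    if ipaddress.ip_address(dst[0]) in C2_NET:
        return "c2-net"
    return None


def match_temp_chain(ev):
    """Behavioural rules for the dropper chain in the Processes list.

    'temp-bat-launch': cmd.exe running a .bat from Temp with a Temp-resident
    parent (the sanfdr.bat self-delete step).
    'temp-exe-launch': a Temp-resident EXE started by a Temp-resident parent
    (biudfw.exe). Parent links are assumed from the report's process order.
    """
    if ev.get("type") != "process":
        return None
    image, parent = str(ev.get("image", "")), str(ev.get("parent_image", ""))
    if not TEMP_FILE.search(parent):
        return None
    if image.lower().endswith("\\cmd.exe") and BAT_IN_TEMP.search(str(ev.get("cmdline", ""))):
        return "temp-bat-launch"
    if TEMP_FILE.search(image) and image.lower().endswith(".exe"):
        return "temp-exe-launch"
    return None


def scan(events):
    """Return (event index, rule, detail) for every indicator hit."""
    hits = []
    for i, ev in enumerate(events):
        label = match_hash(ev)
        if label:
            hits.append((i, "hash", label))
        for rule in (match_c2, match_temp_chain):
            tag = rule(ev)
            if tag:
                hits.append((i, tag, str(ev.get("image", ""))))
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe"
# Constructed telemetry: events 0-3 mirror the win7 run, 4-5 are benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "image": DROPPER, "parent_image": r"C:\Windows\explorer.exe", "cmdline": "",
     "sha256": "7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5"},
    {"type": "process", "image": r"C:\Users\Admin\AppData\Local\Temp\biudfw.exe", "parent_image": DROPPER,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"',
     "sha256": "ba1d07e7222d8b5c30c85dc4706cec58c5cc8625dba9f28c5bfd5aa74c226669"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": DROPPER,
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'},
    {"type": "network", "image": r"C:\Users\Admin\AppData\Local\Temp\biudfw.exe",
     "dst_ip": "218.54.47.76", "dst_port": 11120, "proto": "tcp"},
    {"type": "network", "image": r"C:\Program Files\Example\updater.exe",
     "dst_ip": "218.54.47.90", "dst_port": 443, "proto": "tcp"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The hash rules will only catch the exact files seen here (note that biudfw.exe already differs between the two runs), so the behavioural rules in match_temp_chain are the ones that generalise: a Temp-resident parent spawning another Temp EXE, and cmd.exe executing a Temp .bat, are the two steps a Urelas-style dropper cannot skip.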