Analysis Overview
SHA256
c79270e4b69116574c9311790949685c355fcc977364fde0649a4448b87b14a3
Threat Level: Known bad
The file b00a3c21f17a72955210061b96699f00N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-14 01:13
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 01:13
Reported
2024-08-14 01:15
Platform
win7-20240704-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe
"C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/2696-0-0x0000000001180000-0x00000000011A7000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | d00ecb84eec8b5de97d2f9232bf91f77 |
| SHA1 | ca5df309522efdac32807929497faf68b709f2a8 |
| SHA256 | aeb54466894734e7c5cd2f18df84e22765dcec2f349e335c3e3ffde2041f2847 |
| SHA512 | b109a66e0c8be6f4a9bbd31e5f662fa4871516d6fa56ad7b41d5fd2048ba7c8286036121f73f719ce91337e53b74ce864408c0ecae62f6371f56fb8632a78aaa |
memory/2696-6-0x0000000000690000-0x00000000006B7000-memory.dmp
memory/2740-10-0x0000000000D40000-0x0000000000D67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | c00921fb82a42073851c2c99a9a936ae |
| SHA1 | 17bd85b0c47838945bf77c2ff39aa6a13d3d5223 |
| SHA256 | 77e312f4e1b482da638d4f18dab3e8b88c69f07dcf99f6b6f54580a31b4d3580 |
| SHA512 | af2b88060e91fab25c44d2ad5f48de6eac3933c0857dbb71c085850a8f28e7812d8148f530feb48e59ac9ad99b6d0572bb336574a0f76729b63f0a434f651e30 |
memory/2696-18-0x0000000001180000-0x00000000011A7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0ecda9ecaa423d5a8481985b7d3d5a77 |
| SHA1 | ecc237c20c234cf9c0e20b39a39ab27244dc7971 |
| SHA256 | caed69520592602de846673610507a47e22e0fb108e8e88ba1a85b314607f0a9 |
| SHA512 | 82ce4bfc411781d187b6151383064f18e22b37f5f03d783476fed1c8ba74ee38dc74b16badf96961e22d6b63ae31425ae785c17fa3bd5d767ae3b0bd9652fe3a |
memory/2740-21-0x0000000000D40000-0x0000000000D67000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 01:13
Reported
2024-08-14 01:15
Platform
win10v2004-20240802-en
Max time kernel
98s
Max time network
101s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4080 wrote to memory of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4080 wrote to memory of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4080 wrote to memory of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe | C:\Users\Admin\AppData\Local\Temp\biudfw.exe |
| PID 4080 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4080 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4080 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe
"C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/4080-0-0x00000000008E0000-0x0000000000907000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 77bb0c1c554b1bc95fefd7eecf026da3 |
| SHA1 | 5deb239436014d9b0c43e87f8794d5ba2dbe1780 |
| SHA256 | fe9b26fb5c9cd6ecf995f861e692d3f9e96f0f04b0683c2838bc2ba7ac9f39d7 |
| SHA512 | fa4f80d94598f428ab32ff09bd8305241016ed25f3a9f9694868aeea933cd0cdaa97ebc64aa2a7496cfe83e333b7f2c20465462a7ebf9ce6f584420e50d669bd |
memory/4652-15-0x0000000000C90000-0x0000000000CB7000-memory.dmp
memory/4080-17-0x00000000008E0000-0x0000000000907000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | c00921fb82a42073851c2c99a9a936ae |
| SHA1 | 17bd85b0c47838945bf77c2ff39aa6a13d3d5223 |
| SHA256 | 77e312f4e1b482da638d4f18dab3e8b88c69f07dcf99f6b6f54580a31b4d3580 |
| SHA512 | af2b88060e91fab25c44d2ad5f48de6eac3933c0857dbb71c085850a8f28e7812d8148f530feb48e59ac9ad99b6d0572bb336574a0f76729b63f0a434f651e30 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0ecda9ecaa423d5a8481985b7d3d5a77 |
| SHA1 | ecc237c20c234cf9c0e20b39a39ab27244dc7971 |
| SHA256 | caed69520592602de846673610507a47e22e0fb108e8e88ba1a85b314607f0a9 |
| SHA512 | 82ce4bfc411781d187b6151383064f18e22b37f5f03d783476fed1c8ba74ee38dc74b16badf96961e22d6b63ae31425ae785c17fa3bd5d767ae3b0bd9652fe3a |
memory/4652-20-0x0000000000C90000-0x0000000000CB7000-memory.dmp