Analysis Overview
SHA256
8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781f
Threat Level: Known bad
The file 8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 00:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 00:08
Reported
2024-10-09 00:11
Platform
win7-20240903-en
Max time kernel
89s
Max time network
89s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe
"C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | tcp | |
| KR | 218.54.47.74:11150 | tcp | |
| KR | 218.54.47.76:11170 | tcp | |
| KR | 218.54.47.77:11150 | tcp |
Files
memory/2788-0-0x0000000000200000-0x0000000000225000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | d034258c8a117330b037e147dc4a8c31 |
| SHA1 | c7019b445d9af7fadb62d29caa87bb7cf10ff1c4 |
| SHA256 | 1bcd3d5d90d0b4bc179f8dd9bee29cb0f77919a4abe28ec85f2c4cd9f22cbb0f |
| SHA512 | c7f6b903ac84ca5d0c4de12f37343c3dba9440d6fc6bbc4c5b978b8188e72b5e387c005c9c1d7e1df151ce4b81b061fffb08e962294745f99b1cc9be33952e5c |
memory/2788-6-0x0000000001D80000-0x0000000001DA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | e5c2a54d6541cc1e6cf6a37b844ee0e1 |
| SHA1 | b969a707b11fcf16cb74c979047434438f7f2258 |
| SHA256 | 550f9c934e86a7cf394aa1e37b5d117dff8c5893c0142352d7c529d7f670d25b |
| SHA512 | ab4abbc3202f9727b5b67610f9750cd92229e8b8ab00d2322dee631864c210b11441e381cddd06bbd93bc6b26fd98291d9cf6760561183a48fb4f6f6a0ad8add |
memory/2788-18-0x0000000000200000-0x0000000000225000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | efd90b3ac908d5482af367de3a82184a |
| SHA1 | de9f01d2ed0247b7b347e55c5a09721a60147fb9 |
| SHA256 | 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d |
| SHA512 | 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02 |
memory/2164-21-0x0000000000260000-0x0000000000285000-memory.dmp
memory/2164-23-0x0000000000260000-0x0000000000285000-memory.dmp
memory/2164-30-0x0000000000260000-0x0000000000285000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 00:08
Reported
2024-10-09 00:11
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe
"C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | tcp | |
| KR | 218.54.47.74:11150 | tcp | |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | tcp | |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/3456-0-0x0000000000350000-0x0000000000375000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 9643ad261f94d359af79e2c39c26dcd4 |
| SHA1 | fc618a7eb66c95106d4b9f3108e8f6f4c70ad45f |
| SHA256 | 52fc3d31bc24bd5f5002e2e5e9d6924f80ec1237563c562e0a8e21c45c63a042 |
| SHA512 | 83f032a75d52bf79fb11b5bed9975c502c108549fa8ba90bd83add2c53af5b3b2ea712c287c5f946f7b2730fc8969356a7f15b3fd63f9f186595d20a92e96552 |
memory/4156-15-0x0000000000D00000-0x0000000000D25000-memory.dmp
memory/3456-17-0x0000000000350000-0x0000000000375000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | e5c2a54d6541cc1e6cf6a37b844ee0e1 |
| SHA1 | b969a707b11fcf16cb74c979047434438f7f2258 |
| SHA256 | 550f9c934e86a7cf394aa1e37b5d117dff8c5893c0142352d7c529d7f670d25b |
| SHA512 | ab4abbc3202f9727b5b67610f9750cd92229e8b8ab00d2322dee631864c210b11441e381cddd06bbd93bc6b26fd98291d9cf6760561183a48fb4f6f6a0ad8add |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | efd90b3ac908d5482af367de3a82184a |
| SHA1 | de9f01d2ed0247b7b347e55c5a09721a60147fb9 |
| SHA256 | 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d |
| SHA512 | 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02 |
memory/4156-20-0x0000000000D00000-0x0000000000D25000-memory.dmp
memory/4156-22-0x0000000000D00000-0x0000000000D25000-memory.dmp
memory/4156-28-0x0000000000D00000-0x0000000000D25000-memory.dmp