Analysis Overview
SHA256
592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85
Threat Level: Known bad
The file 592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 07:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 07:11
Reported
2024-10-10 07:13
Platform
win7-20240729-en
Max time kernel
89s
Max time network
77s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe
"C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/1520-0-0x00000000000C0000-0x00000000000F5000-memory.dmp
memory/1520-18-0x0000000000510000-0x0000000000545000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 3775a1ae7984061b1bc1d54072a64e7e |
| SHA1 | 48522f84f54b7e1191edd3ff06c97cddad081610 |
| SHA256 | f060e3eba12f776fd357abb731f5fbd9518068d349ba9510eaeb93d45b1e6cb9 |
| SHA512 | 6233997891ad5fa87bb6840f7fad516ed75ea2481cfa313b7e73750371341ebba2ce8505625ca0cce22296c3e77d13e4e525d95f129b7b74d0a980ce2283d506 |
memory/1944-19-0x0000000000040000-0x0000000000075000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 29bddbeacfa12a1b1c86f62e7589b299 |
| SHA1 | 9fd051c969b5cdeba63f3bc845a15029933674b5 |
| SHA256 | 86c2f9ad0c8b363b086b3be3d9363b0ed5593119c13e4f56f85dbdf53962d8a8 |
| SHA512 | 906131c5b611e06ffb9108858237bb86e594a963c95b67c441f476c5491c3e4f6fe9aaf1b70614b0249168aac027c570cc59de25542fd6d6455c6ad924597c18 |
memory/1520-17-0x00000000000C0000-0x00000000000F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 55e10a9af74d3f3fa5ae3cb7ff5ad9d4 |
| SHA1 | 449221fd8d7196a54de2bd583625d8d1b64db56a |
| SHA256 | a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1 |
| SHA512 | 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a |
memory/1520-22-0x0000000000510000-0x0000000000545000-memory.dmp
memory/1944-23-0x0000000000040000-0x0000000000075000-memory.dmp
memory/1944-26-0x0000000000040000-0x0000000000075000-memory.dmp
memory/1944-33-0x0000000000040000-0x0000000000075000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 07:11
Reported
2024-10-10 07:13
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe
"C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
memory/844-0-0x00000000006D0000-0x0000000000705000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | e579b202ac41292a8ab8b561347287c3 |
| SHA1 | b086c547c04977efd097b2c9b33ddc961b22c3b7 |
| SHA256 | f88667440fb716a3f23d7067cf8a7baa8c2eb8b0e351a7c939f4418714215735 |
| SHA512 | ce5261dbd9ade2eb87aca2804c68d6d505f1cb22e7ec498433bb948caa06628f22eddeddba2e1ded82c200bd8470147c254f709802ee04d36a6a774c544c70d1 |
memory/4956-10-0x0000000000B00000-0x0000000000B35000-memory.dmp
memory/844-15-0x00000000006D0000-0x0000000000705000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 3775a1ae7984061b1bc1d54072a64e7e |
| SHA1 | 48522f84f54b7e1191edd3ff06c97cddad081610 |
| SHA256 | f060e3eba12f776fd357abb731f5fbd9518068d349ba9510eaeb93d45b1e6cb9 |
| SHA512 | 6233997891ad5fa87bb6840f7fad516ed75ea2481cfa313b7e73750371341ebba2ce8505625ca0cce22296c3e77d13e4e525d95f129b7b74d0a980ce2283d506 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 55e10a9af74d3f3fa5ae3cb7ff5ad9d4 |
| SHA1 | 449221fd8d7196a54de2bd583625d8d1b64db56a |
| SHA256 | a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1 |
| SHA512 | 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a |
memory/4956-18-0x0000000000B00000-0x0000000000B35000-memory.dmp
memory/4956-20-0x0000000000B00000-0x0000000000B35000-memory.dmp
memory/4956-27-0x0000000000B00000-0x0000000000B35000-memory.dmp