Analysis Overview
SHA256
4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb
Threat Level: Known bad
The file 4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 21:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 21:21
Reported
2024-10-10 21:23
Platform
win7-20240729-en
Max time kernel
89s
Max time network
89s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe
"C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/1744-0-0x0000000000A50000-0x0000000000A75000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | ddff2b771dc90cb22936a12df73c8370 |
| SHA1 | ad2ffa9d19960af4a524eb9cda468911644769f1 |
| SHA256 | de429009498a4290c55ac6396421f1a7db57a8f9606c08733614735e10c5ee90 |
| SHA512 | 4709441d115f72a7a1180d1e3c86ed203e3eee9f2432c995e67d43540c0d4c9fbd08c6b542db23c2b7273c62dc2c3ecffad26222d97f836d8b904085eca41b9a |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 81636de2e91f2cf944a42f5849c54575 |
| SHA1 | f5d5fe65461deabd03da16d528c7ccace6557c73 |
| SHA256 | 5a8e87ab4a66938bdab75b6aa5d0cec15c528d3d1f11d50759ca7e01730bb66d |
| SHA512 | 34f07e2a439e36cd4282b62fc10d1b9f80468525f1b138b7405eb2bf4381ee9c99e936ee33977fe6a96b915b484cd7599fc8c393f7402f3227e6ece321449ea0 |
memory/1744-19-0x0000000000A50000-0x0000000000A75000-memory.dmp
memory/2152-17-0x0000000000A10000-0x0000000000A35000-memory.dmp
memory/1744-8-0x00000000009C0000-0x00000000009E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | efd90b3ac908d5482af367de3a82184a |
| SHA1 | de9f01d2ed0247b7b347e55c5a09721a60147fb9 |
| SHA256 | 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d |
| SHA512 | 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02 |
memory/2152-22-0x0000000000A10000-0x0000000000A35000-memory.dmp
memory/2152-24-0x0000000000A10000-0x0000000000A35000-memory.dmp
memory/2152-31-0x0000000000A10000-0x0000000000A35000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 21:21
Reported
2024-10-10 21:23
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
137s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe
"C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
Files
memory/4076-0-0x0000000000F80000-0x0000000000FA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 5babbf5125765032d24d9928826e97e7 |
| SHA1 | 00ac9dfef75e296f79194ed7c090162d8aa03afa |
| SHA256 | 2016fc8cb48ef14f460290a7a2af586237d10e51bfb7cbf1889590dfa70674b4 |
| SHA512 | d620afab5310f3a92763cf2c29de4f32ae242da70ef2aa2447e51f0b133f9e8d7a6d8ea19bb13f32cef9996361187ea7086fd15347e6f9e94004e5dca80a63aa |
memory/1988-13-0x0000000000EE0000-0x0000000000F05000-memory.dmp
memory/4076-18-0x0000000000F80000-0x0000000000FA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 81636de2e91f2cf944a42f5849c54575 |
| SHA1 | f5d5fe65461deabd03da16d528c7ccace6557c73 |
| SHA256 | 5a8e87ab4a66938bdab75b6aa5d0cec15c528d3d1f11d50759ca7e01730bb66d |
| SHA512 | 34f07e2a439e36cd4282b62fc10d1b9f80468525f1b138b7405eb2bf4381ee9c99e936ee33977fe6a96b915b484cd7599fc8c393f7402f3227e6ece321449ea0 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | efd90b3ac908d5482af367de3a82184a |
| SHA1 | de9f01d2ed0247b7b347e55c5a09721a60147fb9 |
| SHA256 | 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d |
| SHA512 | 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02 |
memory/1988-21-0x0000000000EE0000-0x0000000000F05000-memory.dmp
memory/1988-23-0x0000000000EE0000-0x0000000000F05000-memory.dmp
memory/1988-29-0x0000000000EE0000-0x0000000000F05000-memory.dmp
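The process chain and network indicators recorded in the behavioral1 and behavioral2 runs above (a dropped EXE launched from %TEMP%, cmd.exe running a .bat from %TEMP% to delete the original, TCP connections to 218.54.47.74/.76/.77 on ports 11120, 11150 and 11170, and the file hashes listed under Files) turned into detection logic. This is example code added for this page, not sandbox output. The Sysmon-style JSON event shape (fields event, image, parent, cmdline, sha256, dst_ip, dst_port) and the sample log lines are constructed to mirror the report; the parent/child relationships in those lines are assumed from the order of the Processes list and are not stated by the report itself.

```python
import json
import re

# Hashes taken from the report: the submitted sample plus the four dropped files.
KNOWN_BAD_SHA256 = {
    "4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb",  # submitted sample
    "de429009498a4290c55ac6396421f1a7db57a8f9606c08733614735e10c5ee90",  # biudfw.exe, win7 run
    "2016fc8cb48ef14f460290a7a2af586237d10e51bfb7cbf1889590dfa70674b4",  # biudfw.exe, win10 run
    "5a8e87ab4a66938bdab75b6aa5d0cec15c528d3d1f11d50759ca7e01730bb66d",  # sanfdr.bat
    "44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d",  # golfinfo.ini
}
# TCP endpoints from the Network tables of both runs.
C2_ENDPOINTS = {
    ("218.54.47.76", 11120),
    ("218.54.47.74", 11150),
    ("218.54.47.76", 11170),
    ("218.54.47.77", 11150),
}
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Matches the exact shape seen in both runs: cmd /c ""C:\Users\...\Temp\sanfdr.bat" "
CMD_TEMP_BAT = re.compile(r'/c\s+"*([a-z]:\\users\\[^"]+\\appdata\\local\\temp\\[^"]+\.bat)"', re.I)


def in_user_temp(path):
    return bool(USER_TEMP.match(path or ""))


def check_event(ev):
    """Return the rule names a single Sysmon-style event (dict) triggers."""
    hits = []
    kind = ev.get("event")
    sha256 = ev.get("sha256", "").lower()
    if kind == "process_create":
        image, parent, cmdline = ev.get("image", ""), ev.get("parent", ""), ev.get("cmdline", "")
        # "Executes dropped EXE": a %TEMP% binary spawned by another %TEMP% binary
        if in_user_temp(image) and in_user_temp(parent):
            hits.append("dropped_exe_from_temp")
        # "Deletes itself": cmd.exe /c on a .bat in %TEMP%, parented by a %TEMP% binary
        if image.lower().endswith("\\cmd.exe") and CMD_TEMP_BAT.search(cmdline) and in_user_temp(parent):
            hits.append("temp_bat_via_cmd")
        if sha256 in KNOWN_BAD_SHA256:
            hits.append("known_bad_hash")
    elif kind == "file_create":
        if sha256 in KNOWN_BAD_SHA256:
            hits.append("known_bad_hash")
    elif kind == "network_connect":
        if (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
            hits.append("urelas_c2_endpoint")
    return hits


def scan(lines):
    """Run check_event over JSON log lines; return {rule: [line indices]}."""
    results = {}
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        for rule in check_event(json.loads(line)):
            results.setdefault(rule, []).append(i)
    return results


def verdict(results):
    """Hash match is conclusive; otherwise require the full %TEMP% chain plus a C2 hit."""
    rules = set(results)
    if "known_bad_hash" in rules:
        return "known_bad"
    if {"dropped_exe_from_temp", "temp_bat_via_cmd"} <= rules and "urelas_c2_endpoint" in rules:
        return "behavioral_match"
    return "no_match"


# Constructed log lines modelled on the behavioral1 run (not captured telemetry).
SAMPLE_LOG = r'''
{"event":"process_create","image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe\"","sha256":"4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb"}
{"event":"file_create","image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe","target":"C:\\Users\\Admin\\AppData\\Local\\Temp\\biudfw.exe","sha256":"de429009498a4290c55ac6396421f1a7db57a8f9606c08733614735e10c5ee90"}
{"event":"process_create","image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\biudfw.exe","parent":"C:\\Users\\Admin\\AppData\\Local\\Temp\\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe","cmdline":"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\biudfw.exe\"","sha256":"de429009498a4290c55ac6396421f1a7db57a8f9606c08733614735e10c5ee90"}
{"event":"process_create","image":"C:\\Windows\\SysWOW64\\cmd.exe","parent":"C:\\Users\\Admin\\AppData\\Local\\Temp\\biudfw.exe","cmdline":"cmd /c \"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sanfdr.bat\" \""}
{"event":"network_connect","image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\biudfw.exe","dst_ip":"218.54.47.76","dst_port":11120}
{"event":"process_create","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe"}
{"event":"network_connect","image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\biudfw.exe","dst_ip":"218.54.47.77","dst_port":11150}
'''.strip().splitlines()

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for rule, idx in sorted(hits.items()):
        print(f"{rule:24s} lines {idx}")
    print("verdict:", verdict(hits))
```

The hash rule is the only one that fires on the win10 run's biudfw.exe as well, since that run dropped a biudfw.exe with a different SHA256; the behavioural rules are what carry over to a fresh build, which is why verdict() accepts the %TEMP% chain together with a C2 hit as a match without any hash.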