Analysis Overview
SHA256
ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2
Threat Level: Known bad
The file ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Deletes itself
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 14:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 14:13
Reported
2024-10-12 14:16
Platform
win7-20240729-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe
"C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | tcp | |
| KR | 218.54.47.74:11150 | tcp | |
| KR | 218.54.47.76:11170 | tcp | |
| KR | 218.54.47.77:11150 | tcp |
Files
memory/2580-0-0x0000000000BC0000-0x0000000000BE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | f13df147bd81a358f5d3b17c03c8f509 |
| SHA1 | 6e6844158852e316ac947c446ad8e0a1d2c9dd26 |
| SHA256 | 8ea6308f4d5f7b4b4f8258e66756851e968dc5f3bb3d52bfaa3e71eba4b5c6d4 |
| SHA512 | cae55d43ca5de89973d110335460edec5b76dfc55b313c5920da9c0f9b9117e727f989b47ff922d25d27fa5912fab3a4265ce622012eb680bb4a1e9b52d0ca5f |
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 52de364334f68538894034967dfa7b25 |
| SHA1 | d394b860ff927b3ea1504d8bbf73aaa61a450895 |
| SHA256 | 32c8eaa5d1514a1b8920543cbb2e86686812ef8d678ab6a092686398679beb01 |
| SHA512 | 45aeecea873ce57713bc49e65fb398f90a725ad1210e9b31feee0debe6a9df31c9c7345f1f5546b56cfa52c6ed1de0542ebf405aa0352ebed302bbc3b1407de5 |
memory/2052-10-0x0000000000C70000-0x0000000000C95000-memory.dmp
memory/2580-9-0x00000000003D0000-0x00000000003F5000-memory.dmp
memory/2580-19-0x0000000000BC0000-0x0000000000BE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | efd90b3ac908d5482af367de3a82184a |
| SHA1 | de9f01d2ed0247b7b347e55c5a09721a60147fb9 |
| SHA256 | 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d |
| SHA512 | 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02 |
memory/2052-22-0x0000000000C70000-0x0000000000C95000-memory.dmp
memory/2052-24-0x0000000000C70000-0x0000000000C95000-memory.dmp
memory/2052-31-0x0000000000C70000-0x0000000000C95000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 14:13
Reported
2024-10-12 14:16
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe
"C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | tcp | |
| KR | 218.54.47.74:11150 | tcp | |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | tcp | |
| KR | 218.54.47.77:11150 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/1156-0-0x0000000000A80000-0x0000000000AA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 99c4f74a1d7f2b0c9b0711f0c01ee666 |
| SHA1 | 20fbe25ae69238779891ac7b3b29bcde15b4b927 |
| SHA256 | 0f4a20923217d4b8c82ffc11de89754cfdddbe5346be51fe9e39dc243ea812fe |
| SHA512 | 38f01d0226ca3435ce8767684479cb4dc45d41c4bc50a75e455d079b5d315889514eb016437b08f13382810b824d9ab74edc0c53c1f26f12535f638b18a16435 |
memory/4960-15-0x00000000001F0000-0x0000000000215000-memory.dmp
memory/1156-18-0x0000000000A80000-0x0000000000AA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 52de364334f68538894034967dfa7b25 |
| SHA1 | d394b860ff927b3ea1504d8bbf73aaa61a450895 |
| SHA256 | 32c8eaa5d1514a1b8920543cbb2e86686812ef8d678ab6a092686398679beb01 |
| SHA512 | 45aeecea873ce57713bc49e65fb398f90a725ad1210e9b31feee0debe6a9df31c9c7345f1f5546b56cfa52c6ed1de0542ebf405aa0352ebed302bbc3b1407de5 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | efd90b3ac908d5482af367de3a82184a |
| SHA1 | de9f01d2ed0247b7b347e55c5a09721a60147fb9 |
| SHA256 | 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d |
| SHA512 | 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02 |
memory/4960-21-0x00000000001F0000-0x0000000000215000-memory.dmp
memory/4960-23-0x00000000001F0000-0x0000000000215000-memory.dmp
memory/4960-29-0x00000000001F0000-0x0000000000215000-memory.dmp