Analysis Overview
SHA256
0db1026131fbe525b1bfe8d94a76e013281a5d14195df528784b3a6719d8ea85
Threat Level: Known bad
The file 0db1026131fbe525b1bfe8d94a76e013281a5d14195df528784b3a6719d8ea85N was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-15 14:29
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 14:29
Reported
2024-10-15 14:31
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0db1026131fbe525b1bfe8d94a76e013281a5d14195df528784b3a6719d8ea85N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0db1026131fbe525b1bfe8d94a76e013281a5d14195df528784b3a6719d8ea85N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0db1026131fbe525b1bfe8d94a76e013281a5d14195df528784b3a6719d8ea85N.exe
"C:\Users\Admin\AppData\Local\Temp\0db1026131fbe525b1bfe8d94a76e013281a5d14195df528784b3a6719d8ea85N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.47.76:11120 | | tcp |
| KR | 218.54.47.74:11150 | | tcp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
Files
memory/1684-0-0x0000000000BD0000-0x0000000000BFB000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 092d11393f381e45e6b857d038f5fc35 |
| SHA1 | 7f9f3d553d7513f1cf6b0353c76333b7c40e06c2 |
| SHA256 | 585a7db88dd016a873629f9f32f53fe5ce69ebfdfffa14763b05753f3a1c6faa |
| SHA512 | 6f23c464eb74dbfacecb8576b689199b647c4d640227ee73797665f0380c4df0e2e38bc3095b104e2e6e0144be61c4e8de484faacada5efc48c60bc55aeb504a |
memory/2936-10-0x0000000000EC0000-0x0000000000EEB000-memory.dmp
memory/1684-7-0x0000000000AB0000-0x0000000000ADB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 809642777c7cdfbb0dd067abefc87083 |
| SHA1 | 0f6cf2cbc0d15360a5db30d362c124f255e53e6f |
| SHA256 | 4a53c8eadfbed7dd4c5caafa52c9b4fa6dcbe86cd3144649d2e7cebadf8b3939 |
| SHA512 | 95ddbded3f32c4a7f8e97f9a3c65425e30b4c056ef1ff97825f5b634b3a7c47d50aa53e1a63fcdcf3e8c3cbacced4fd1862537202faeb7db1fb8e86901a94335 |
memory/1684-18-0x0000000000BD0000-0x0000000000BFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ac5e84ed8031d66a9fcd5e472ba8091b |
| SHA1 | 06303add604104d6abbb69458f89773c066b470c |
| SHA256 | 3a3cfa6f4786dab0ac8bc76204948f32a3a2cbd094922f87c251ec80d22baae5 |
| SHA512 | 7bf829102a70a1304dae435b8ae3c9ef9a925af7e995fe381d80730f4f702e1fd2a0a1b6a3a4b4667925f5bb95c897166a8fc0f52d3171d9cdba0bf09b53f152 |
memory/2936-21-0x0000000000EC0000-0x0000000000EEB000-memory.dmp
memory/2936-22-0x0000000000EC0000-0x0000000000EEB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 14:29
Reported
2024-10-15 14:32
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0db1026131fbe525b1bfe8d94a76e013281a5d14195df528784b3a6719d8ea85N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0db1026131fbe525b1bfe8d94a76e013281a5d14195df528784b3a6719d8ea85N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0db1026131fbe525b1bfe8d94a76e013281a5d14195df528784b3a6719d8ea85N.exe
"C:\Users\Admin\AppData\Local\Temp\0db1026131fbe525b1bfe8d94a76e013281a5d14195df528784b3a6719d8ea85N.exe"
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| KR | 218.54.47.76:11120 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| KR | 218.54.47.74:11150 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| KR | 218.54.47.76:11170 | | tcp |
| KR | 218.54.47.77:11150 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1396-0-0x0000000000B10000-0x0000000000B3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
| MD5 | 629952881d91234b5ebb3b3a780fd8f9 |
| SHA1 | fcdc06382f58372353fd9f045cb7f6aa0100def9 |
| SHA256 | a02a6b9a7d22f46eb42ad2c0d18df257f29ca24ad26058e7f12addaf44ad0ad4 |
| SHA512 | 6ffa7c01cd1b3f7eab560a838f4b9063d469ad90303afc010a6001bc983c77a94b43ddc4e2f1559f23e050be6d9ecd49fc11888c9be83351d2818fb5618cba9d |
memory/3484-15-0x00000000003E0000-0x000000000040B000-memory.dmp
memory/1396-17-0x0000000000B10000-0x0000000000B3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 809642777c7cdfbb0dd067abefc87083 |
| SHA1 | 0f6cf2cbc0d15360a5db30d362c124f255e53e6f |
| SHA256 | 4a53c8eadfbed7dd4c5caafa52c9b4fa6dcbe86cd3144649d2e7cebadf8b3939 |
| SHA512 | 95ddbded3f32c4a7f8e97f9a3c65425e30b4c056ef1ff97825f5b634b3a7c47d50aa53e1a63fcdcf3e8c3cbacced4fd1862537202faeb7db1fb8e86901a94335 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ac5e84ed8031d66a9fcd5e472ba8091b |
| SHA1 | 06303add604104d6abbb69458f89773c066b470c |
| SHA256 | 3a3cfa6f4786dab0ac8bc76204948f32a3a2cbd094922f87c251ec80d22baae5 |
| SHA512 | 7bf829102a70a1304dae435b8ae3c9ef9a925af7e995fe381d80730f4f702e1fd2a0a1b6a3a4b4667925f5bb95c897166a8fc0f52d3171d9cdba0bf09b53f152 |
memory/3484-20-0x00000000003E0000-0x000000000040B000-memory.dmp
memory/3484-21-0x00000000003E0000-0x000000000040B000-memory.dmp