Malware Analysis Report

2024-11-16 13:28

Sample ID 240726-3bfsns1ekj
Target 6914ce5eb27b92b5ce458c06eac964b0N.exe
SHA256 4fcf1ad0f4dbe5bc30c644767e49e3eeb459636963d22778f83cb346b8e05577
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4fcf1ad0f4dbe5bc30c644767e49e3eeb459636963d22778f83cb346b8e05577

Threat Level: Known bad

The file 6914ce5eb27b92b5ce458c06eac964b0N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Loads dropped DLL

Executes dropped EXE

Deletes itself

Checks computer location settings

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 23:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 23:20

Reported

2024-07-26 23:23

Platform

win7-20240705-en

Max time kernel

89s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe

"C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
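The three processes above form a drop, execute, self-delete chain: the submitted executable drops biudfw.exe and sanfdr.bat into its own Temp directory, runs the dropped PE, and runs the batch file through cmd.exe (the report's "Deletes itself" signature is raised on that cmd.exe). The Python below is an added detection example written for this page, not sandbox or vendor code: it scores a process list for exactly that chain, requiring that the executed Temp PE was written by its parent and that the cmd.exe batch argument lives in Temp and was launched by a Temp-resident parent. The process records are constructed from the Processes section; the parent/child links, the explorer.exe parent, the pids 1000/2600/2700, the benign control row and the "writes" lists are assumptions, since the report shows neither the process tree nor file-create events.

```python
"""Heuristic detection for a drop / execute / self-delete chain (added example,
not sandbox code).  Input is a flat process list such as Sysmon Event ID 1
would give, plus the files each process created (Sysmon Event ID 11)."""
import ntpath
import re
from dataclasses import dataclass, field

# Per-user Temp directory; the sample and every dropped file in this report live here.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    writes: list = field(default_factory=list)  # files this process created (assumed source: EID 11)


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))


def bat_arg(cmdline: str):
    """Extract the batch path from command lines of the form  cmd /c ""X.bat" "  (else None)."""
    m = re.search(r'"([^"]+\.bat)"', cmdline, re.I)
    return m.group(1) if m else None


def analyze(procs):
    """Return (rule, parent_pid, child_pid, path) findings for the two links of the chain."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        parent_wrote = {w.lower() for w in parent.writes}
        # Link 1: a PE running from Temp that its own parent wrote ("Executes dropped EXE").
        if in_temp(p.image) and p.image.lower() in parent_wrote:
            findings.append(("executes_dropped_exe", parent.pid, p.pid, p.image))
        # Link 2: cmd.exe running a Temp batch file on behalf of a Temp-resident parent,
        # the shape used to delete the original after exit ("Deletes itself").
        if ntpath.basename(p.image).lower() == "cmd.exe":
            bat = bat_arg(p.cmdline)
            if bat and in_temp(bat) and in_temp(parent.image):
                findings.append(("temp_batch_via_cmd", parent.pid, p.pid, bat))
    return findings


# Constructed from the behavioral1 Processes section.  ppids, pid 1000 (explorer),
# pids 2600/2700, the control row and the writes lists are assumptions.
SAMPLE = [
    Proc(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(2412, 1000,
         r"C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe"',
         writes=[r"C:\Users\Admin\AppData\Local\Temp\biudfw.exe",
                 r"C:\Users\Admin\AppData\Local\Temp\sanfdr.bat"]),
    Proc(2536, 2412, r"C:\Users\Admin\AppData\Local\Temp\biudfw.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"'),
    Proc(2600, 2412, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'),
    # Benign control: a user running a batch file from a normal install location.
    Proc(2700, 1000, r"C:\Windows\System32\cmd.exe",
         r'cmd /c ""C:\Program Files\Tool\update.bat" "'),
]


def run_sample():
    return analyze(SAMPLE)


if __name__ == "__main__":
    for rule, ppid, pid, path in run_sample():
        print(f"{rule}: parent {ppid} -> child {pid} ({path})")
```

The two links fire only together with the parent relationship, which is what keeps the benign control quiet: a batch file run from Program Files, or a Temp executable that explorer.exe did not itself write, produces nothing.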

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | - | tcp
KR | 218.54.47.74:11150 | - | tcp
KR | 218.54.47.76:11170 | - | tcp
KR | 218.54.47.77:11150 | - | tcp

Files

memory/2412-0-0x0000000001050000-0x0000000001077000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 00989879661bf8eed1d769b7f672f29f
SHA1 d54ada255aafd9e1c92fb7205b79c248cf4d8d31
SHA256 2175a4627de5fef0306944bf686f707068639f9a2593160340db6404202f7df7
SHA512 2d0a5cb5dc8e6e42d3b159e95842a12b20caa27ff6123b606c991396172251c62542fe1fa62f7df337dced59766695163c66f9a8ede29891a09e8f8a47ac7c8c

memory/2412-6-0x00000000004E0000-0x0000000000507000-memory.dmp

memory/2536-10-0x00000000001A0000-0x00000000001C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 55cceab02cdd862011c08a2718d97bf0
SHA1 52d86666f6684acab0bacafbf4c97cdc4e500019
SHA256 184375989cfb2b460331312fad8f72037fc45e3c9d7df9738ed497114229808d
SHA512 f330bcd3a607e4e1275dadea380e74e693f62e2da13b245e91eef54e851504df9260da555ab6f50bdf17d26ee6b28699f4d72c2c6bc264b44be38be92472e0bb

memory/2412-19-0x0000000001050000-0x0000000001077000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 1c9b2720af0ca9528b47898d9c7f4799
SHA1 80495f16e333f54ecc700252323c2a7cb7d751e1
SHA256 d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5
SHA512 5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

memory/2536-22-0x00000000001A0000-0x00000000001C7000-memory.dmp

memory/2536-24-0x00000000001A0000-0x00000000001C7000-memory.dmp

memory/2536-30-0x00000000001A0000-0x00000000001C7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 23:20

Reported

2024-07-26 23:23

Platform

win10v2004-20240709-en

Max time kernel

105s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | N/A

Reading Geo\Nation (and the NLS\Language key below) is also common in benign locale-aware software, so on its own this is a weak indicator; its weight here comes from the same run's dropped-PE execution and self-deletion.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe

"C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

(The image path is SysWOW64 while the command line names system32: the 32-bit parent asked for system32\cmd.exe and WOW64 file system redirection served the 32-bit copy, so both paths refer to the same process.)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
KR | 218.54.47.76:11120 | - | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
KR | 218.54.47.74:11150 | - | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp
KR | 218.54.47.76:11170 | - | tcp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
KR | 218.54.47.77:11150 | - | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Of these, only the four 218.54.47.x TCP endpoints also appear in the Win7 run (behavioral1). The 8.8.8.8 PTR lookups and the tse1.mm.bing.net connections occur only on Win10, are not attributed to any process by this report, and are consistent with Windows 10 background traffic rather than with the sample.
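To separate the sample's own traffic from sandbox and OS background activity, compare the two detonations: an endpoint the sample contacts should show up on both Win7 and Win10, while platform noise does not. The Python below is an added example for this page (not sandbox code) that performs that intersection over the two Network tables and then hunts for the surviving indicators in a flow log, reporting exact ip:port:proto matches separately from host-only matches (the report shows three different ports across the 218.54.47.x hosts, so a host match on a new port is still worth a look). The connection lists are transcribed from this report (the Win10 list is abridged); the flow-log format, the 10.0.0.x internal hosts and the 203.0.113.10 control destination are constructed.

```python
"""Cross-detonation network triage and flow-log hunt (added example, not sandbox code)."""

# Transcribed from the behavioral1 (Win7) Network table: (country, destination, domain, proto).
BEHAVIORAL1 = [
    ("KR", "218.54.47.76:11120", "", "tcp"),
    ("KR", "218.54.47.74:11150", "", "tcp"),
    ("KR", "218.54.47.76:11170", "", "tcp"),
    ("KR", "218.54.47.77:11150", "", "tcp"),
]

# Transcribed (abridged) from the behavioral2 (Win10) Network table.
BEHAVIORAL2 = [
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("KR", "218.54.47.76:11120", "", "tcp"),
    ("KR", "218.54.47.74:11150", "", "tcp"),
    ("US", "8.8.8.8:53", "99.58.20.217.in-addr.arpa", "udp"),
    ("KR", "218.54.47.76:11170", "", "tcp"),
    ("KR", "218.54.47.77:11150", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
]


def parse_dst(dst: str):
    """'218.54.47.76:11120' -> ('218.54.47.76', 11120)."""
    host, port = dst.rsplit(":", 1)
    return host, int(port)


def endpoints(run):
    """Normalise a Network table to a set of (ip, port, proto) tuples."""
    return {(*parse_dst(dst), proto) for _, dst, _, proto in run}


def stable_endpoints(*runs):
    """Endpoints present in every detonation: candidates for sample-attributable traffic."""
    return set.intersection(*(endpoints(r) for r in runs))


def platform_noise(run, stable):
    """Endpoints seen in one run only: sandbox, DNS and OS background traffic."""
    return endpoints(run) - stable


# Constructed flow-log lines in an assumed "<ts> <src> -> <dst> <proto>" format.
FLOW_LOG = """\
2024-07-27T01:12:03Z 10.0.0.5:49812 -> 218.54.47.76:11120 tcp
2024-07-27T01:12:04Z 10.0.0.5:49813 -> 150.171.28.10:443 tcp
2024-07-27T01:12:09Z 10.0.0.7:51220 -> 218.54.47.77:11170 tcp
2024-07-27T01:12:11Z 10.0.0.9:50001 -> 203.0.113.10:443 tcp
"""


def hunt(flow_text: str, stable):
    """Return (ts, src, dst, kind) hits; kind is 'exact' for ip:port:proto, 'host-only' for ip alone."""
    hosts = {ip for ip, _, _ in stable}
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst, proto = line.split()
        ip, port = parse_dst(dst)
        if (ip, port, proto) in stable:
            hits.append((ts, src, dst, "exact"))
        elif ip in hosts:
            hits.append((ts, src, dst, "host-only"))
    return hits


if __name__ == "__main__":
    stable = stable_endpoints(BEHAVIORAL1, BEHAVIORAL2)
    print("stable:", sorted(stable))
    print("win10-only noise:", sorted(platform_noise(BEHAVIORAL2, stable)))
    for hit in hunt(FLOW_LOG, stable):
        print(*hit)
```

Two runs are the minimum for this to mean anything; with a single detonation there is no baseline and the Bing and PTR traffic would have to be excluded by allow-list instead.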

Files

memory/2532-0-0x0000000000A30000-0x0000000000A57000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 e28336858b9393da2039bf3b375ffc7d
SHA1 d34db99937b9906f09d61d35d19e91100307100e
SHA256 c37513850fb763929806007d76d070b4670e46d961ca9f67949a8c9514603514
SHA512 a4f95346b70e1957e7a9c4e74e80e04a13bad93430e3bf7a50f80714fcb92e8cbfffc7956a7024e0cdcbd12c1530013a83dcaab8693244fcd2883517da8d6048

Note that this biudfw.exe differs from the copy dropped in behavioral1 (MD5 00989879661bf8eed1d769b7f672f29f there versus e28336858b9393da2039bf3b375ffc7d here), while sanfdr.bat and golfinfo.ini are byte-identical across the two runs. The dropped executable's hash is therefore not a stable indicator; the batch and ini hashes and the three file names are.

memory/4400-15-0x0000000000A30000-0x0000000000A57000-memory.dmp

memory/2532-18-0x0000000000A30000-0x0000000000A57000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 55cceab02cdd862011c08a2718d97bf0
SHA1 52d86666f6684acab0bacafbf4c97cdc4e500019
SHA256 184375989cfb2b460331312fad8f72037fc45e3c9d7df9738ed497114229808d
SHA512 f330bcd3a607e4e1275dadea380e74e693f62e2da13b245e91eef54e851504df9260da555ab6f50bdf17d26ee6b28699f4d72c2c6bc264b44be38be92472e0bb

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 1c9b2720af0ca9528b47898d9c7f4799
SHA1 80495f16e333f54ecc700252323c2a7cb7d751e1
SHA256 d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5
SHA512 5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

memory/4400-21-0x0000000000A30000-0x0000000000A57000-memory.dmp

memory/4400-23-0x0000000000A30000-0x0000000000A57000-memory.dmp

memory/4400-29-0x0000000000A30000-0x0000000000A57000-memory.dmp