Malware Analysis Report

2024-11-16 13:27

Sample ID 240726-wlyb5sybrg
Target 3be6c4b2317679ba8ade29058dc762c0N.exe
SHA256 9c05422800be0f885587377ea887fe550f2f7d43663e33159c3f2e361a7fa866
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9c05422800be0f885587377ea887fe550f2f7d43663e33159c3f2e361a7fa866

Threat Level: Known bad

The file 3be6c4b2317679ba8ade29058dc762c0N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 18:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 18:01

Reported

2024-07-26 18:03

Platform

win7-20240705-en

Max time kernel

119s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe

"C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 218.54.47.76:11120 - tcp
KR 218.54.47.74:11150 - tcp
KR 218.54.47.76:11170 - tcp
KR 218.54.47.77:11150 - tcp

Files

memory/2864-0-0x0000000001330000-0x0000000001358000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 f0297e215391819fcb780e2834659f71
SHA1 e8ac081d85ce1fb9d4fd913db3f196716a1e4432
SHA256 09ed2011f12faf4c217226b7691700682a78c44ac2fdc60495a28329430b99ab
SHA512 3e97749908f8340581df33a939fc0848d8aacf6f05840ffe82839c8722ab7c1ff63786d67174b02a5037de7466e381bbcbfd8e38430b904aa97b71815fef7ea6

memory/2864-9-0x00000000005C0000-0x00000000005E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 050997d3b3978bb95bdd70bf032bf9bb
SHA1 1db435b51cc35c8871fafbbc3a7d767ab4a6d03e
SHA256 1a3f968a6d5fa16c460cc6f1a6f9bba6f79b42c3af4cc4be055761712add4b26
SHA512 508eedc4398f5b0c301439f2e7fcd529da60c75369898691ea73a49db999c5e02064e15e4bef752975d9f9578cce507a88c2b30134b7e9555191007a78ecc6be

memory/2760-11-0x0000000000920000-0x0000000000948000-memory.dmp

memory/2864-18-0x0000000001330000-0x0000000001358000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a250860c0687ed9dda488805c025a2d2
SHA1 0c181ed3b46463d35631ca169f0928c33a1da389
SHA256 3947c34dfc780b424a3207c6ebe12f667bcb839733107f7a94fe495ec705cb37
SHA512 0286fcd24203ef574c9fc37200e4b0e65d58296162aa89b5424ab48b814bd237e609ab7eaf42a69bdad2ab6414bfbbfaec4757e28b29c69752e0e65a653f665a

memory/2760-21-0x0000000000920000-0x0000000000948000-memory.dmp

memory/2760-23-0x0000000000920000-0x0000000000948000-memory.dmp

memory/2760-30-0x0000000000920000-0x0000000000948000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 18:01

Reported

2024-07-26 18:04

Platform

win10v2004-20240709-en

Max time kernel

103s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe

"C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
KR 218.54.47.76:11120 - tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
KR 218.54.47.74:11150 - tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
KR 218.54.47.76:11170 - tcp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
KR 218.54.47.77:11150 - tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2300-0-0x00000000002F0000-0x0000000000318000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 90785e4edb0844867180bc02911f3b7f
SHA1 fb372b8a7986e91df7850156267958f89bd39a72
SHA256 008e97f01091ecedf6964214f9f12f932ecf37648d26c7027eea8e66ab15c2a0
SHA512 a02d6d1166784a915e7ecd5096afa28769e7838a9350c8da34921eb71e7dd06893b7326e0512192e4a264801a2b8e509faf23a10a5d26e93a99b1a363884c3ec

memory/116-14-0x0000000000E60000-0x0000000000E88000-memory.dmp

memory/2300-17-0x00000000002F0000-0x0000000000318000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 050997d3b3978bb95bdd70bf032bf9bb
SHA1 1db435b51cc35c8871fafbbc3a7d767ab4a6d03e
SHA256 1a3f968a6d5fa16c460cc6f1a6f9bba6f79b42c3af4cc4be055761712add4b26
SHA512 508eedc4398f5b0c301439f2e7fcd529da60c75369898691ea73a49db999c5e02064e15e4bef752975d9f9578cce507a88c2b30134b7e9555191007a78ecc6be

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a250860c0687ed9dda488805c025a2d2
SHA1 0c181ed3b46463d35631ca169f0928c33a1da389
SHA256 3947c34dfc780b424a3207c6ebe12f667bcb839733107f7a94fe495ec705cb37
SHA512 0286fcd24203ef574c9fc37200e4b0e65d58296162aa89b5424ab48b814bd237e609ab7eaf42a69bdad2ab6414bfbbfaec4757e28b29c69752e0e65a653f665a

memory/116-20-0x0000000000E60000-0x0000000000E88000-memory.dmp

memory/116-22-0x0000000000E60000-0x0000000000E88000-memory.dmp

memory/116-28-0x0000000000E60000-0x0000000000E88000-memory.dmp