Malware Analysis Report

2024-11-16 13:27

Sample ID 240726-zjezkaxalg
Target 3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d
SHA256 3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d

Threat Level: Known bad

The file 3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 20:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 20:44

Reported

2024-07-26 20:47

Platform

win7-20240704-en

Max time kernel

91s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe

"C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination          Domain  Proto
KR       218.54.47.76:11120   -       tcp
KR       218.54.47.74:11150   -       tcp
KR       218.54.47.76:11170   -       tcp
KR       218.54.47.77:11150   -       tcp

Files

memory/2860-0-0x0000000000130000-0x0000000000155000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 438028d040bcf9ef5e90df0abb1af5b2
SHA1 87c967f65a922de4a960e31992bd5484b03ba0d4
SHA256 e091a36526d6f0f9bd7f66675d366ecf2983fb84614b673bf402d2e6f37be370
SHA512 740f986b7da06420856b12c8cf91586367cc1e38b01420a2ab6b7563cd7ad18d3876146cda1266c1ad923460293e4fbe6997dd90dc51a1c8168b2fa9dc9f00fc

memory/2784-10-0x0000000000C50000-0x0000000000C75000-memory.dmp

memory/2860-9-0x0000000000200000-0x0000000000225000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 b2f167d976fbab4ebcad72be5625f596
SHA1 0a79af93d0857c93a01cfd402228775c49949abb
SHA256 a9465f51a25bf51cb3447e223c87bcc83f651554147eecc3f2436af2b2244c4c
SHA512 f62fa12998f5c82f99068b9d9e82977fa35a02ccdd4bfdc7c97015b2e5ccc63a3294f9eec1b8c7a74908d3451750d157c5a8c0631c0ffc5e0cccff358125dee6

memory/2860-19-0x0000000000130000-0x0000000000155000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 657ce9e5dd337971e44dfb9cb3fbf7dd
SHA1 026734083afaa4b7d298781b26a72ac9b67ac831
SHA256 3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472
SHA512 79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d

memory/2784-22-0x0000000000C50000-0x0000000000C75000-memory.dmp

memory/2784-24-0x0000000000C50000-0x0000000000C75000-memory.dmp

memory/2784-31-0x0000000000C50000-0x0000000000C75000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 20:44

Reported

2024-07-26 20:47

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe

"C:\Users\Admin\AppData\Local\Temp\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
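The process trees recorded for behavioral1 and behavioral2 are the same three-step chain: the Temp-resident sample launches a second EXE dropped into the same Temp directory, then launches cmd.exe on a .bat from Temp (the launcher behind the "Deletes itself" signature), while both Temp-resident processes read the NLS\Language key (and, on Windows 10, Geo\Nation). The following detection logic is an added example, not part of the sandbox report or any vendor's signature code. It replays constructed process-creation and registry-access events modelled on both process trees and flags those three behaviours; the event schema (type/pid/ppid/image/cmdline/key), all PIDs and the explorer.exe parent are assumptions, while the image paths, command lines and registry keys are as printed in this report.

```python
"""Process-chain detection for the behaviour recorded in this report (added example)."""
import ntpath
import re
from collections import defaultdict

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP_DIR + r"\3a27f0e0ce51850fadf827aa71ac6980c8e86a8faeaa7d4af268aed4af76c54d.exe"
DROPPED = TEMP_DIR + r"\biudfw.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000"
           r"\Control Panel\International\Geo\Nation")

# Constructed events modelled on the report's process trees. PIDs and the
# explorer.exe parent are assumptions; images, command lines and keys are as printed.
EVENTS = [
    {"type": "process", "pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 2860, "ppid": 1000, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry", "pid": 2860, "op": "open", "key": NLS_KEY},
    {"type": "registry", "pid": 2860, "op": "query", "key": GEO_KEY},
    {"type": "process", "pid": 2784, "ppid": 2860, "image": DROPPED,
     "cmdline": '"' + DROPPED + '"'},
    {"type": "registry", "pid": 2784, "op": "open", "key": NLS_KEY},
    {"type": "process", "pid": 3012, "ppid": 2860, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'},
    {"type": "registry", "pid": 3012, "op": "open", "key": NLS_KEY},
    # Benign control: an ordinary child of explorer.exe that must not be flagged.
    {"type": "process", "pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Per-user %TEMP% on any drive letter, any user name.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Registry keys behind the two location/language discovery signatures.
LOCALE_KEY_SUFFIXES = (r"\control\nls\language", r"\control panel\international\geo\nation")
# First quoted or bare Windows path ending in .bat on a command line.
BAT_RE = re.compile(r'"?([a-z]:\\[^"]+\.bat)"?', re.IGNORECASE)


def in_user_temp(path):
    """True when the path sits under a per-user Temp directory."""
    return bool(TEMP_RE.match(path))


def detect(events):
    """Return {rule_name: {pid, ...}} for every event that matches a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = defaultdict(set)
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # Both process rules require a Temp-resident parent (the sample itself).
            if parent is None or not in_user_temp(parent["image"]):
                continue
            # Rule 1: a Temp-resident process starts another EXE from Temp.
            if in_user_temp(e["image"]) and e["image"].lower().endswith(".exe"):
                hits["executes_dropped_exe"].add(e["pid"])
            # Rule 2: cmd.exe launched by a Temp-resident process to run a .bat from Temp.
            if ntpath.basename(e["image"]).lower() == "cmd.exe":
                m = BAT_RE.search(e["cmdline"])
                if m and in_user_temp(m.group(1)):
                    hits["temp_bat_via_cmd"].add(e["pid"])
        elif e["type"] == "registry":
            # Rule 3: a Temp-resident process reads a language/location key.
            proc = procs.get(e["pid"])
            key = e["key"].lower()
            if proc and in_user_temp(proc["image"]) and key.endswith(LOCALE_KEY_SUFFIXES):
                hits["locale_discovery"].add(e["pid"])
    return dict(hits)


if __name__ == "__main__":
    for rule, pids in sorted(detect(EVENTS).items()):
        print(rule, sorted(pids))
```

The rules deliberately key on the parent being Temp-resident rather than on the file names biudfw.exe or sanfdr.bat, so they keep firing if a later build renames the dropped files; cmd.exe's own NLS\Language read is not flagged because cmd.exe does not live in Temp, which matches the report attributing the discovery behaviour to the sample and its drop.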

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53           23.159.190.20.in-addr.arpa    udp
KR       218.54.47.76:11120   -                             tcp
KR       218.54.47.74:11150   -                             tcp
US       8.8.8.8:53           103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53           99.58.20.217.in-addr.arpa     udp
KR       218.54.47.76:11170   -                             tcp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa     udp
KR       218.54.47.77:11150   -                             tcp
US       8.8.8.8:53           19.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       150.171.28.10:443    tse1.mm.bing.net              tcp
US       150.171.28.10:443    tse1.mm.bing.net              tcp
US       150.171.28.10:443    tse1.mm.bing.net              tcp
US       150.171.28.10:443    tse1.mm.bing.net              tcp
US       150.171.28.10:443    tse1.mm.bing.net              tcp
US       8.8.8.8:53           10.28.171.150.in-addr.arpa    udp
US       8.8.8.8:53           170.253.116.51.in-addr.arpa   udp
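The behavioral1 and behavioral2 network tables share the same four direct TCP connections to 218.54.47.74/.76/.77 on ports 11120, 11150 and 11170; the Windows 10 run adds reverse DNS lookups through 8.8.8.8 and connections to tse1.mm.bing.net. The following triage script is an added example, not part of the sandbox report. It parses a constructed copy of the behavioral2 rows (a superset of the behavioral1 endpoints), separates resolver lookups and background traffic from the connections attributable to the sample, and emits Suricata rules for what remains. Treating the 8.8.8.8 lookups and tse1.mm.bing.net as sandbox/OS background rather than sample activity, the "-" placeholder for an empty Domain column, and the sid range are assumptions.

```python
"""Network-table triage for this report (added example)."""
import re
from collections import defaultdict

# Constructed copy of the behavioral2 Network rows as printed in the report.
NETWORK_ROWS = """\
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
KR 218.54.47.76:11170 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
KR 218.54.47.77:11150 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 170.253.116.51.in-addr.arpa udp
"""

# "CC ip:port [domain] proto"; the Domain column may be absent or printed as "-".
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)
RESOLVER = ("8.8.8.8", 53)                          # sandbox DNS resolver
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.net")  # assumption: not sample-driven


def parse_rows(text):
    """Parse the Network table into dicts with cc, ip, port, domain, proto."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue  # blank line or column header
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unparsed network row: " + line)
        row = m.groupdict()
        row["port"] = int(row["port"])
        if row["domain"] == "-":
            row["domain"] = None
        rows.append(row)
    return rows


def classify(row):
    """resolver_lookup, background, or candidate_c2 for one row."""
    if (row["ip"], row["port"]) == RESOLVER:
        return "resolver_lookup"
    if row["domain"] and row["domain"].endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "candidate_c2"


def classify_counts(text):
    """How many rows fell into each class."""
    counts = defaultdict(int)
    for row in parse_rows(text):
        counts[classify(row)] += 1
    return dict(counts)


def extract_c2(text):
    """{ip: [ports]} for the deduplicated candidate C2 endpoints."""
    endpoints = defaultdict(set)
    for row in parse_rows(text):
        if classify(row) == "candidate_c2":
            endpoints[row["ip"]].add(row["port"])
    return {ip: sorted(ports) for ip, ports in sorted(endpoints.items())}


def suricata_rules(endpoints, sid_base=1000001):
    """One Suricata rule per C2 host covering all of its observed ports (sid base assumed)."""
    rules = []
    for i, (ip, ports) in enumerate(sorted(endpoints.items())):
        port_list = "[" + ",".join(str(p) for p in ports) + "]"
        rules.append(
            'alert tcp $HOME_NET any -> %s %s (msg:"Urelas C2 endpoint from sandbox report"; '
            "flow:to_server; sid:%d; rev:1;)" % (ip, port_list, sid_base + i)
        )
    return rules


if __name__ == "__main__":
    print(classify_counts(NETWORK_ROWS))
    for rule in suricata_rules(extract_c2(NETWORK_ROWS)):
        print(rule)
```

The high, non-standard destination ports are what distinguish the C2 rows from everything else in the table, so block or alert on host plus port rather than on the /29 alone; the reverse-lookup rows are the sandbox resolving its own connections and carry no sample-specific indicator.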

Files

memory/1028-0-0x0000000000290000-0x00000000002B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe (hashes differ from the biudfw.exe dropped in behavioral1; sanfdr.bat and golfinfo.ini hash identically in both runs)

MD5 bb4b322fee271a5a631167637e39aa3d
SHA1 b576d43438a586af45bda3fd1714244b0157e040
SHA256 abc847b9f97d6702fc3872445ed1ae61b51e48308104f7aff8e52c9d1e5e8416
SHA512 62778cc497600e8e8415cd3a66ec1122dd036fde603b19fefe0a4ee3d951a9cf3ee1b85b97e5ac7c3f3a41062d11ff5ef1c2d6856ef53dfd71403d6ff9d83c7b

memory/4664-14-0x0000000000010000-0x0000000000035000-memory.dmp

memory/1028-17-0x0000000000290000-0x00000000002B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 b2f167d976fbab4ebcad72be5625f596
SHA1 0a79af93d0857c93a01cfd402228775c49949abb
SHA256 a9465f51a25bf51cb3447e223c87bcc83f651554147eecc3f2436af2b2244c4c
SHA512 f62fa12998f5c82f99068b9d9e82977fa35a02ccdd4bfdc7c97015b2e5ccc63a3294f9eec1b8c7a74908d3451750d157c5a8c0631c0ffc5e0cccff358125dee6

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 657ce9e5dd337971e44dfb9cb3fbf7dd
SHA1 026734083afaa4b7d298781b26a72ac9b67ac831
SHA256 3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472
SHA512 79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d

memory/4664-20-0x0000000000010000-0x0000000000035000-memory.dmp

memory/4664-22-0x0000000000010000-0x0000000000035000-memory.dmp

memory/4664-28-0x0000000000010000-0x0000000000035000-memory.dmp