Malware Analysis Report

2024-11-16 13:28

Sample ID 240728-hxw2kathnq
Target 68d69faf6220c50a95de6b54815474f0N.exe
SHA256 01f890783b8750e10b5c62cc087e5fbeb7b924bca6ecb2e522351831a919bcc1
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01f890783b8750e10b5c62cc087e5fbeb7b924bca6ecb2e522351831a919bcc1

Threat Level: Known bad

The file 68d69faf6220c50a95de6b54815474f0N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 07:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 07:07

Reported

2024-07-28 07:10

Platform

win7-20240704-en

Max time kernel

69s

Max time network

74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe

"C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe"

C:\Users\Admin\AppData\Local\Temp\poldge.exe

"C:\Users\Admin\AppData\Local\Temp\poldge.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 121.88.5.183:11150 | (none) | tcp
KR | 121.88.5.184:11170 | (none) | tcp
KR | 218.54.28.240:11150 | (none) | tcp

Files

memory/1624-0-0x0000000000400000-0x000000000043B000-memory.dmp

\Users\Admin\AppData\Local\Temp\poldge.exe

MD5 3083e7bd8495296f665b4764a22f4df6
SHA1 3c3d49e1090e3cf53c5cd4c181c318a08092c139
SHA256 09eced2ce52e1af674c0a8637a5f9924050fc22e77da83b229bae5df9bbdb715
SHA512 3fc96c81d4d5f9b2182f72ecd5b244e3268fbdb4ec9076c7ddaf2c04abf3587e3ac6ec57eb75a359b10698cb19ed2cc31353ab276d102b04a86abb0f626741a2

memory/2440-9-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 dff8e39ed48c596107b0527450202ab2
SHA1 f5442f78bf9926ecfa56152e4ebbc1e1af041f8e
SHA256 174bac57d3f72e76634e3babdc911b9742e05fb62810425075aef9e0944d1768
SHA512 dd9d73e9a020dbd3b081a6665078a1e68e68e5d1041c52a51ce1f326f0b9e0694a488d11c91554cad4861e008c16d9a8a6ad6f961af5788729572f0078f05b09

memory/1624-18-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 3f372385bf24b44385f4b1251d3aca4d
SHA1 83546de6ba8f20bd08a15896d34f6242ed64352f
SHA256 b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27
SHA512 d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7

memory/2440-21-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2440-27-0x0000000000400000-0x000000000043B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 07:07

Reported

2024-07-28 07:09

Platform

win10v2004-20240709-en

Max time kernel

103s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poldge.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe

"C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe"

C:\Users\Admin\AppData\Local\Temp\poldge.exe

"C:\Users\Admin\AppData\Local\Temp\poldge.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
KR | 121.88.5.183:11150 | (none) | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
KR | 121.88.5.184:11170 | (none) | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
KR | 218.54.28.240:11150 | (none) | tcp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp

Files

memory/1224-0-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\poldge.exe

MD5 4bdde19067b5e16fa93dca96bdb7b84e
SHA1 f3d9aaa8246a6d3347b5b53d7ef1c48be136540c
SHA256 8c5bb96551cd756a6e8fbcd0d1f46ac1816b6d571f8dc73472063f686f95be7a
SHA512 c3f009d3f5d1bdf42e3be580ee6e23a6d9fcc1f0722df17814a58e4e4f4e7714f3ceca9fa196eeb656434dbe4fcca89dd6f05de29e86a766e7b573acb5a205a2

memory/828-11-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1224-14-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 dff8e39ed48c596107b0527450202ab2
SHA1 f5442f78bf9926ecfa56152e4ebbc1e1af041f8e
SHA256 174bac57d3f72e76634e3babdc911b9742e05fb62810425075aef9e0944d1768
SHA512 dd9d73e9a020dbd3b081a6665078a1e68e68e5d1041c52a51ce1f326f0b9e0694a488d11c91554cad4861e008c16d9a8a6ad6f961af5788729572f0078f05b09

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 3f372385bf24b44385f4b1251d3aca4d
SHA1 83546de6ba8f20bd08a15896d34f6242ed64352f
SHA256 b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27
SHA512 d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7

memory/828-17-0x0000000000400000-0x000000000043B000-memory.dmp

memory/828-23-0x0000000000400000-0x000000000043B000-memory.dmp