Malware Analysis Report

2024-11-16 13:27

Sample ID: 240731-2aznqa1fje
Target: 0d917d4356e49ad582f390894a45bdc0N.exe
SHA256: a142637f6eacebb4de2997f61d82d2f14d1ff4b6e125f3c1b49806d13d3bc739
Tags: urelas discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a142637f6eacebb4de2997f61d82d2f14d1ff4b6e125f3c1b49806d13d3bc739

Threat Level: Known bad

The file 0d917d4356e49ad582f390894a45bdc0N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: urelas discovery trojan

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-31 22:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-31 22:23
Reported: 2024-07-31 22:25
Platform: win7-20240708-en
Max time kernel: 89s
Max time network: 77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe"

Signatures

Urelas

Tags: trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe

"C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | | tcp
KR | 218.54.47.74:11150 | | tcp
KR | 218.54.47.76:11170 | | tcp
KR | 218.54.47.77:11150 | | tcp

Files

memory/2292-0-0x0000000000E20000-0x0000000000E46000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 9d8d0baecbcf02412ae80cd489fc5072
SHA1 7697a60c1c08c832569e4379c5c171529dabf586
SHA256 807568e80037f87a3268fa283307267763e41ecbf42dd40f8b5b9200b0fa94e9
SHA512 59461bace6941c19545218a0b953289ffd069de2214197494fd46526edd8c93c7e734438e022a0e8a7a5250aac42954097caef29540588a19eedee41d464318a

memory/2292-6-0x0000000000910000-0x0000000000936000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 fbca1a090a554b4c8bd3cd0003d8d48b
SHA1 6bd217c7aaafe8e437e7dfc79a820b43d194a529
SHA256 15649ac2cf024c3f84ea48f22e8fe3f2488baa5078f7d14e7fa0c6705d1cc27a
SHA512 0a00ea714a5d3d9c7fc33eb639b957b3142484c315438fcc9a746adef8398eef5ee7635d003cf9e838bde1cf89388123b66b8841221facee69f4ab90a47f1570

memory/1724-18-0x0000000000CD0000-0x0000000000CF6000-memory.dmp

memory/2292-19-0x0000000000E20000-0x0000000000E46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 7cdc8777d33db85bc19aefb64879a7f7
SHA1 f2d494d4dfe93a05eb58513935196e8578648adf
SHA256 9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336
SHA512 34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

memory/1724-22-0x0000000000CD0000-0x0000000000CF6000-memory.dmp

memory/1724-24-0x0000000000CD0000-0x0000000000CF6000-memory.dmp

memory/1724-31-0x0000000000CD0000-0x0000000000CF6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-31 22:23
Reported: 2024-07-31 22:25
Platform: win10v2004-20240730-en
Max time kernel: 93s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe"

Signatures

Urelas

Tags: trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe

"C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
KR | 218.54.47.76:11120 | | tcp
KR | 218.54.47.74:11150 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
KR | 218.54.47.76:11170 | | tcp
KR | 218.54.47.77:11150 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/676-0-0x0000000000B30000-0x0000000000B56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 0fc631fc024c40dc7e10c0ba9acebb93
SHA1 f4cb7871ff72c81c79e462b2b2c6795c12287447
SHA256 cc7f61e529d61e6506953d9bda6cd7798f3b5846c493f24095a111c5b4518ad3
SHA512 1ea20833016dee35b5cea742bbea81c623582237917e32409646a6da0dec6f4c4cbbb6d0fcdb34dbd73cd48c461196ff0f459e58ce7b5689b0a54e2e817ce6e8

memory/1704-12-0x00000000002D0000-0x00000000002F6000-memory.dmp

memory/676-15-0x0000000000B30000-0x0000000000B56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 fbca1a090a554b4c8bd3cd0003d8d48b
SHA1 6bd217c7aaafe8e437e7dfc79a820b43d194a529
SHA256 15649ac2cf024c3f84ea48f22e8fe3f2488baa5078f7d14e7fa0c6705d1cc27a
SHA512 0a00ea714a5d3d9c7fc33eb639b957b3142484c315438fcc9a746adef8398eef5ee7635d003cf9e838bde1cf89388123b66b8841221facee69f4ab90a47f1570

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 7cdc8777d33db85bc19aefb64879a7f7
SHA1 f2d494d4dfe93a05eb58513935196e8578648adf
SHA256 9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336
SHA512 34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

memory/1704-18-0x00000000002D0000-0x00000000002F6000-memory.dmp

memory/1704-20-0x00000000002D0000-0x00000000002F6000-memory.dmp

memory/1704-26-0x00000000002D0000-0x00000000002F6000-memory.dmp