Malware Analysis Report

2024-11-16 13:27

Sample ID: 240731-d8b4bavcnp
Target: 5d40681dee8a5eaa2ee76ab80f59fec0N.exe
SHA256: 183efc32d12f7d89426755f1650f72e06399e2c81b934c9bcb6b6e9305de9849
Tags: upx urelas discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 183efc32d12f7d89426755f1650f72e06399e2c81b934c9bcb6b6e9305de9849

Threat Level: Known bad

The file 5d40681dee8a5eaa2ee76ab80f59fec0N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: upx urelas discovery trojan

Urelas

Executes dropped EXE

Checks computer location settings

UPX packed file

Deletes itself

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-31 03:40

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
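Both static1 verdicts come from header fields that can be checked without running the file: UPX leaves its section names (UPX0, UPX1) and usually a "UPX!" marker in place, and an unsigned PE has an empty Security data directory (index 4), the slot that would otherwise point at the embedded Authenticode blob. The following is an added example, not the sandbox's own detection code and not derived from the sample: it parses the section table and that directory entry with only the standard library. The PE it builds for demonstration is a constructed stand-in with UPX section names, not the analysed binary. Two caveats a practitioner should keep in mind: section names and the marker are trivially renamed by modified packers, so a miss here is not proof of an unpacked file, and an empty Security directory only shows there is no embedded signature, not that the file is absent from a signed catalog.

```python
import struct

# Offsets follow the PE/COFF specification; nothing below is sample-specific.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_pe(data: bytes):
    """Return (section names, security directory (rva, size)) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, n_sections, _, _, _, size_opt, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start 96 bytes into a PE32 optional header, 112 for PE32+;
    # NumberOfRvaAndSizes is the DWORD immediately before them.
    dir_base = opt_off + (96 if magic == 0x10B else 112)
    n_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]
    security = (0, 0)
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        security = struct.unpack_from(
            "<II", data, dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    sec_off = opt_off + size_opt          # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = struct.unpack_from("<8s", data, sec_off + i * 40)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names, security


def triage(data: bytes) -> dict:
    """Reproduce the two static verdicts: UPX section names / marker, no Authenticode blob."""
    names, (_rva, size) = parse_pe(data)
    return {
        "sections": names,
        "upx_packed": any(n.upper().startswith("UPX") for n in names) or b"UPX!" in data,
        "unsigned": size == 0,   # empty security directory => no embedded signature
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as f:
        return triage(f.read())


def build_min_pe(section_names, security_dir=(0, 0)) -> bytes:
    """Constructed test image: minimal PE32 headers and no code. Not the sample."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = security_dir
    opt = (struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
           + b"".join(struct.pack("<II", *d) for d in dirs))                 # 0xE0 bytes
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0,
                    0x60000020)
        for i, name in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + sections


# Stand-in shaped like the report's verdicts: UPX sections, no signature.
SAMPLE = build_min_pe(["UPX0", "UPX1", ".rsrc"])

if __name__ == "__main__":
    import sys
    print(triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE))
```

Run it with a path to a real PE to get the same three fields; with no argument it triages the constructed stand-in.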

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-31 03:40
Reported: 2024-07-31 03:42
Platform: win7-20240704-en
Max time kernel: 119s
Max time network: 91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe"

Signatures

Urelas (tags: trojan urelas)

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 matches reported, no details captured)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe

"C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | - | tcp
KR | 218.54.47.74:11150 | - | tcp
KR | 218.54.47.76:11170 | - | tcp
KR | 218.54.47.77:11150 | - | tcp

Files

memory/1580-0-0x0000000000050000-0x000000000007C000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 5410c36b26b0518622068c704b1566dd
SHA1 0d5a5e3c5f8cdbdb219745bf0fb2a81fe5825029
SHA256 cc1682cde36824b29ab18716a2363a0aac74be4489dc96ad14e489b3d6800283
SHA512 f318937e07dbe9a544505ad2c16bbddabbe70b47153ce81a41625130e87adcb263e2963d1139edef44e512b4293042b625045c862931a1c185ff5d7808d9e831

memory/992-11-0x0000000000800000-0x000000000082C000-memory.dmp

memory/1580-10-0x0000000002AD0000-0x0000000002AFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 819362708bc5eee198a15582daab8e7d
SHA1 564d69a5cb20a00734ea49cef078f16b582988e3
SHA256 9e4c8e74ec0ed2ed3fe8888d2227f4bbb0c94134d3cd75b52c7553bec616305b
SHA512 d30d35f26473eeab5308a61fee132387e459df63365e431e3a09a48ad7194b812efd4ca4eaf7f1424e24c00da7608098f74947b031d1c8296aba49ef6daad485

memory/1580-19-0x0000000000050000-0x000000000007C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b4a86880004da8726288d7ec954885a8
SHA1 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256 c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

memory/992-22-0x0000000000800000-0x000000000082C000-memory.dmp

memory/992-24-0x0000000000800000-0x000000000082C000-memory.dmp

memory/992-31-0x0000000000800000-0x000000000082C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-31 03:40
Reported: 2024-07-31 03:42
Platform: win10v2004-20240730-en
Max time kernel: 93s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe"

Signatures

Urelas (tags: trojan urelas)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 matches reported, no details captured)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe

"C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
KR | 218.54.47.76:11120 | - | tcp
KR | 218.54.47.74:11150 | - | tcp
KR | 218.54.47.76:11170 | - | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
KR | 218.54.47.77:11150 | - | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
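Reading the two Network tables side by side (behavioral1 on Windows 7, behavioral2 on Windows 10), the only connections common to both runs are the four TCP sockets in 218.54.47.0/24 on ports 11120, 11150 and 11170, with no DNS lookup preceding them, which is consistent with hard-coded C2 addresses. The Windows 10 run adds Bing and reverse-DNS traffic that does not appear on Windows 7; treating that as the image's own background activity rather than sample behaviour is an assumption a practitioner should confirm against a clean detonation of the same image. The example below is added here and is not the report's tooling: it parses the two tables as transcribed from the page, drops resolver traffic and the assumed background hosts, and keeps the sockets every detonation contacted.

```python
import ipaddress
from collections import Counter

# The two Network tables transcribed from the report (country, ip:port, [domain], proto).
BEHAVIORAL1_NET = """\
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
KR 218.54.47.76:11170 tcp
KR 218.54.47.77:11150 tcp
"""

BEHAVIORAL2_NET = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
KR 218.54.47.76:11170 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
KR 218.54.47.77:11150 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
"""

# Assumed environment noise generated by the Windows 10 image itself, not by the sample.
# Build this allowlist from a clean detonation of your own image before relying on it.
BACKGROUND_DOMAINS = {"g.bing.com"}


def parse_rows(text):
    """Parse the report's row format; a missing Domain column yields an empty string."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def _sock_key(sock):
    return (ipaddress.ip_address(sock[0]), sock[1])


def c2_candidates(rows):
    """Unique (ip, port) pairs left after removing resolver traffic and background hosts."""
    keep = set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:       # DNS to the sandbox resolver
            continue
        if r["domain"].endswith(".in-addr.arpa"):          # reverse lookups, OS-generated
            continue
        if r["domain"] in BACKGROUND_DOMAINS:
            continue
        keep.add((r["ip"], r["port"]))
    return sorted(keep, key=_sock_key)


def shared_sockets(*tables):
    """Sockets contacted in every detonation: the indicators that survive image-specific noise."""
    sets = [set(c2_candidates(parse_rows(t))) for t in tables]
    return sorted(set.intersection(*sets), key=_sock_key)


def by_network(sockets, prefix=24):
    """Count candidate sockets per /prefix to expose a single-netblock C2 cluster."""
    return Counter(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
                   for ip, _ in sockets)


if __name__ == "__main__":
    shared = shared_sockets(BEHAVIORAL1_NET, BEHAVIORAL2_NET)
    for ip, port in shared:
        print(f"{ip}:{port}")
    print(dict(by_network(shared)))
```

The netblock summary is what turns four sockets into one useful observation: every candidate sits in 218.54.47.0/24, so a block on that prefix and the three ports covers all of them, while the per-socket list is what goes into a firewall or IDS rule.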

Files

memory/3248-0-0x0000000000090000-0x00000000000BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 5a5f202cf2b7cf395cc7edfa0c3abbaf
SHA1 1eb3a41b48edb5d5dd56259c11c41cf5ac661c55
SHA256 aac373365b0484475a6f1b224fadc130d9d8c2082dfe141bf87f7b4a27ecbea2
SHA512 8a1a7b47dd49a28c4425db1bab1a275166d54a78f2f656dc63d9622627740dd1121f1e3f35cc4321969c9a18b3e5edd1884528ac285c2613a546a3d3cf816bbd

memory/1724-10-0x0000000000700000-0x000000000072C000-memory.dmp

memory/3248-15-0x0000000000090000-0x00000000000BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 819362708bc5eee198a15582daab8e7d
SHA1 564d69a5cb20a00734ea49cef078f16b582988e3
SHA256 9e4c8e74ec0ed2ed3fe8888d2227f4bbb0c94134d3cd75b52c7553bec616305b
SHA512 d30d35f26473eeab5308a61fee132387e459df63365e431e3a09a48ad7194b812efd4ca4eaf7f1424e24c00da7608098f74947b031d1c8296aba49ef6daad485

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b4a86880004da8726288d7ec954885a8
SHA1 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256 c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

memory/1724-18-0x0000000000700000-0x000000000072C000-memory.dmp

memory/1724-20-0x0000000000700000-0x000000000072C000-memory.dmp

memory/1724-27-0x0000000000700000-0x000000000072C000-memory.dmp
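Comparing the two Files sections shows which dropped-file hashes are worth deploying: biudfw.exe has a different MD5/SHA1/SHA256/SHA512 in each detonation, so the dropped executable is rewritten per run and its hash will not match on another victim, whereas sanfdr.bat and golfinfo.ini are byte-identical across both runs. The stable indicators are therefore the batch file and INI hashes together with the fixed file names under the user's Temp directory. The example below is added here and is not part of the report; the hash table is transcribed from the page (MD5 and SHA256 only, to keep it short), and the scan functions compute digests with the standard library so they can be pointed at a suspect directory.

```python
import hashlib
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Dropped-file hashes transcribed from the report's behavioral1 and behavioral2 Files sections.
_SANFDR = {"md5": "819362708bc5eee198a15582daab8e7d",
           "sha256": "9e4c8e74ec0ed2ed3fe8888d2227f4bbb0c94134d3cd75b52c7553bec616305b"}
_GOLFINFO = {"md5": "b4a86880004da8726288d7ec954885a8",
             "sha256": "c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46"}
DROPPED = {
    "behavioral1": {
        "biudfw.exe": {"md5": "5410c36b26b0518622068c704b1566dd",
                       "sha256": "cc1682cde36824b29ab18716a2363a0aac74be4489dc96ad14e489b3d6800283"},
        "sanfdr.bat": _SANFDR,
        "golfinfo.ini": _GOLFINFO,
    },
    "behavioral2": {
        "biudfw.exe": {"md5": "5a5f202cf2b7cf395cc7edfa0c3abbaf",
                       "sha256": "aac373365b0484475a6f1b224fadc130d9d8c2082dfe141bf87f7b4a27ecbea2"},
        "sanfdr.bat": _SANFDR,
        "golfinfo.ini": _GOLFINFO,
    },
}


def _digest(chunks):
    """Feed each chunk to all four hashers in one pass over the data."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    return _digest([data])


def hash_file(path, chunk_size=1 << 20) -> dict:
    with open(path, "rb") as f:
        return _digest(iter(lambda: f.read(chunk_size), b""))


def compare_detonations(run_a: dict, run_b: dict) -> dict:
    """True where both runs dropped byte-identical content under the same file name."""
    return {name: run_a[name]["sha256"] == run_b[name]["sha256"]
            for name in sorted(run_a.keys() & run_b.keys())}


def stable_iocs(runs) -> list:
    """SHA256 values present in every run: the file hashes that will transfer to other hosts."""
    per_run = [{entry["sha256"] for entry in run.values()} for run in runs]
    return sorted(set.intersection(*per_run))


def match_hashes(digests: dict, runs=DROPPED) -> list:
    """(run, file name) entries whose SHA256 equals the computed digest."""
    return [(run, name) for run, files in runs.items()
            for name, known in files.items() if known["sha256"] == digests["sha256"]]


def scan_dir(root, runs=DROPPED) -> list:
    """Hash every file under root and report those matching a dropped-file IOC."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            for run, name in match_hashes(hash_file(p), runs):
                hits.append((str(p), run, name))
    return hits


if __name__ == "__main__":
    import sys
    print(compare_detonations(DROPPED["behavioral1"], DROPPED["behavioral2"]))
    print(stable_iocs(DROPPED.values()))
    if len(sys.argv) > 1:
        for hit in scan_dir(sys.argv[1]):
            print(hit)
```

Pass a directory as the first argument to hash its contents against the table; on a live host the natural target is the user's AppData\Local\Temp, where the report places all three files.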