Malware Analysis Report

2024-11-16 13:27

Sample ID 240801-kfcbyawble
Target 59f0820e1dba93f32143edd3016243e0N.exe
SHA256 d620b15623bb352588dbe7e71ed15be7018750380cf5670c0acfec5612b28d9c
Tags urelas discovery trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

d620b15623bb352588dbe7e71ed15be7018750380cf5670c0acfec5612b28d9c

Threat Level: Known bad

The file 59f0820e1dba93f32143edd3016243e0N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-01 08:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-01 08:32

Reported

2024-08-01 08:34

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe

"C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 218.54.47.76:11120 N/A tcp
KR 218.54.47.74:11150 N/A tcp
KR 218.54.47.76:11170 N/A tcp
KR 218.54.47.77:11150 N/A tcp

Files

memory/2884-0-0x0000000000400000-0x0000000000428000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 c2cb93e3639a64143083587638c6e338
SHA1 53c8de35d70106933273c7d9b3f654adc51f9ea4
SHA256 b10fcbaf133620dabc22f4b949c7676983090356a0f02cfe856021494722dbfc
SHA512 8625873433d792f0c316dfb24f740d961af41212817dac30c18cb7b4681ddf37e4606796ed1be5056649dbe418bdbf94c31fe1b8e4716bd3633f309bef323a30

memory/2884-6-0x00000000033F0000-0x0000000003418000-memory.dmp

memory/2884-18-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 81e05de602affcce0df5ebb80d5cb29d
SHA1 ee5f67f6d7fb476030780f50dd92ea78f6871b88
SHA256 8e942d9a670d8961bab18fa7ec93182ddaf9fcf31bf306f7268f079cea1a21ad
SHA512 43525dd191f61167d10999178edf440966dcf5fc0558043df17cf19f7588d25071231ed76430f57fca0efd4815e994939708a2e57659dd46e3416ac1732d37aa

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b4a86880004da8726288d7ec954885a8
SHA1 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256 c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

memory/2212-21-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2212-23-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2212-30-0x0000000000400000-0x0000000000428000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-01 08:32

Reported

2024-08-01 08:34

Platform

win10v2004-20240730-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe

"C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
KR 218.54.47.76:11120 N/A tcp
KR 218.54.47.74:11150 N/A tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
KR 218.54.47.76:11170 N/A tcp
US 8.8.8.8:53 22.58.20.217.in-addr.arpa udp
KR 218.54.47.77:11150 N/A tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1568-0-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 91db822d1924cef9326148745ce7e5d5
SHA1 3abd2f8c437c2f271222ab0dcf124e5c3738b544
SHA256 1eb29042bf24eaa44702c94866242aa49b11b16b599e29543e3646d780c78512
SHA512 48cf91f7909485ef11668f394e77b65c9042c5f7b4239aee83908e0070279f9f01677d923f3bd1a33fb9db573c876fe4c18b8e684825f0bfd742bd7c0b376ad1

memory/1824-12-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1568-15-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 81e05de602affcce0df5ebb80d5cb29d
SHA1 ee5f67f6d7fb476030780f50dd92ea78f6871b88
SHA256 8e942d9a670d8961bab18fa7ec93182ddaf9fcf31bf306f7268f079cea1a21ad
SHA512 43525dd191f61167d10999178edf440966dcf5fc0558043df17cf19f7588d25071231ed76430f57fca0efd4815e994939708a2e57659dd46e3416ac1732d37aa

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b4a86880004da8726288d7ec954885a8
SHA1 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256 c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

memory/1824-18-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1824-20-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1824-27-0x0000000000400000-0x0000000000428000-memory.dmp