Malware Analysis Report

2024-11-16 13:27

Sample ID 240801-pss8fa1brj
Target 78743c3f85b3485ec2a49a07529bc760N.exe
SHA256 fd63c2da89f16a4a2db0a86f79472a72ffd4330458d12201fa0571dc94a1f28f
Tags
urelas discovery trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

fd63c2da89f16a4a2db0a86f79472a72ffd4330458d12201fa0571dc94a1f28f

Threat Level: Known bad

The file 78743c3f85b3485ec2a49a07529bc760N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-01 12:35

Signatures

Urelas family

urelas

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-01 12:35

Reported

2024-08-01 12:37

Platform

win7-20240708-en

Max time kernel

16s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe"

Signatures

Urelas

trojan urelas

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\fuevj.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe

"C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe"

C:\Users\Admin\AppData\Local\Temp\fuevj.exe

"C:\Users\Admin\AppData\Local\Temp\fuevj.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\fuevj.exe

MD5 ebfdecdb79e55cf7850ae1e46487ef06
SHA1 8da71d52c9497f7d3c7019753e64965edcf72715
SHA256 a32b773d819f91a580bba13a6d7149dfef61b78da427a51429357aa1bb9bf9ff
SHA512 297b5c966cc2387c615d833120b314e8f08f501863411ba4d66cd0c9e0400b9dea436252d66e64782d99aeb2e7ccee5072acbe3e079d5912e17d7720a6d93d00

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 4576b45dbc7263392889a9f595148277
SHA1 b0f22ac4707bafb43a7bccdb5ce31c5a5a8b6b63
SHA256 8924c7694f4f23a6b9a97ce46fddc6f1b98a8c12d9c7c2a4bd86291153523b0f
SHA512 f520fb45beb4e6d82f8348056f26c9cc72b2af62ac4ef4cf12dc1060c9d9d97d80c66d2459a7454e3033b9dfe1ce5eeee7624f21c3255d429a29db35d55b8c38

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-01 12:35

Reported

2024-08-01 12:37

Platform

win10v2004-20240730-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\uxumh.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\uxumh.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe

"C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe"

C:\Users\Admin\AppData\Local\Temp\uxumh.exe

"C:\Users\Admin\AppData\Local\Temp\uxumh.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\uxumh.exe

MD5 67fe85901cbfe05bf6852001fb2ce761
SHA1 0c353b3c4d080359d521c53597e5883fdad8e95f
SHA256 4c226733d8f3a5743200e61ffc91bdd7b785a04041669c30c097d9ef67cf8ee4
SHA512 e05d89149fc7a89ab861fbb4ff43c96391279324e092bfd46dc1fa4ef8f4cb12ef8b7a24c04168b44e6cc42edaab41fa56a7bf11c1b2c13d141b1b006c65483d

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 8007db22973fa49184ba65ae2350178b
SHA1 170d310e840a1c7c11db01c5c84a9604e4c22301
SHA256 c09c90f054686d30cc3aba3b62300cfd5b46e389809d938255ea186f79acdeb0
SHA512 775ac014c069a69d225e679e50684bbc32d757c4c068e07d32a5f62b25f2ec93daf98b1e84afea7117c28c92915836845c8f77faa197409391757da061277db6