Malware Analysis Report

2024-11-16 13:28

Sample ID 240802-fm6f5ssbje
Target 59c49c0b0b8c653cc95a856a558ae0a0N.exe
SHA256 f2ca2511b414dfdddd8aaf75a968acb77edcdcde4ec9cbbcd026de737ef173bd
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2ca2511b414dfdddd8aaf75a968acb77edcdcde4ec9cbbcd026de737ef173bd

Threat Level: Known bad

The file 59c49c0b0b8c653cc95a856a558ae0a0N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-02 05:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-02 05:00

Reported

2024-08-02 05:02

Platform

win7-20240708-en

Max time kernel

89s

Max time network

88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe

"C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
KR 218.54.47.76:11170 tcp
KR 218.54.47.77:11150 tcp

Files

memory/1780-0-0x0000000000400000-0x0000000000428000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 bcf61b83a671c1af4562fdec80798176
SHA1 c912469b88e43c9f6ae3c050ccc159244db76c7a
SHA256 1650b682791440006403ce3f10fa6cf2ddb87b6dd4c12ffa813069dc192a51d4
SHA512 3954942ea65a6cc1c0395796e54959b35644798c8ff7d981a1e0fe6e255ca78e12f40b102c5179cfeed54fe9a675b99176413af379561a14127f916a52488288

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 dc3b7247571d901221119c4a9a1e0b6e
SHA1 ed0d64d767b68c42edf7cb7105465e4b4e6bd289
SHA256 9ee625b0f3bc3f677e0fae141a42d8fb3db34bd4797f9f77d2d0e4b9cba3de35
SHA512 052bc92cca76501b448962caae62833a49202d331e889b48696b185ac2dd3b1f4c72da7269574927e2cb41960b3f8f14ac1fba9112dcc98191990f8d0d7fb0f7

memory/1780-16-0x0000000002CE0000-0x0000000002D08000-memory.dmp

memory/1096-17-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1780-19-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b4a86880004da8726288d7ec954885a8
SHA1 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256 c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

memory/1096-22-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1096-24-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1096-31-0x0000000000400000-0x0000000000428000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-02 05:00

Reported

2024-08-02 05:02

Platform

win10v2004-20240730-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe

"C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
KR 218.54.47.76:11170 tcp
KR 218.54.47.77:11150 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/324-0-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 9c58813d849e48fd457dcfcabd1fc194
SHA1 2cbc3df4b698d079971ad9cdb2793294fa2bc612
SHA256 3ed5127626251554b318af06ebfe39345177fd7261a8182bfb35aae428dfb6cd
SHA512 19553f8368bbb627cefbd75f80809bae7ed0028f866aba800a1248804f53de7c8ad5ecfc0bd6fc0cc6c4635aa41b9c9694ea59e1b13ae50ada28dad1dac610b9

memory/1608-12-0x0000000000400000-0x0000000000428000-memory.dmp

memory/324-15-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 dc3b7247571d901221119c4a9a1e0b6e
SHA1 ed0d64d767b68c42edf7cb7105465e4b4e6bd289
SHA256 9ee625b0f3bc3f677e0fae141a42d8fb3db34bd4797f9f77d2d0e4b9cba3de35
SHA512 052bc92cca76501b448962caae62833a49202d331e889b48696b185ac2dd3b1f4c72da7269574927e2cb41960b3f8f14ac1fba9112dcc98191990f8d0d7fb0f7

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b4a86880004da8726288d7ec954885a8
SHA1 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256 c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

memory/1608-18-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1608-20-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1608-26-0x0000000000400000-0x0000000000428000-memory.dmp