Malware Analysis Report

2024-11-16 13:26

Sample ID 240802-gj25zstfrb
Target de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9
SHA256 de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9
Tags
upx urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9

Threat Level: Known bad

The file de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9 was found to be: Known bad.

Malicious Activity Summary

upx urelas discovery trojan

Urelas

UPX packed file

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-02 05:50

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-02 05:50

Reported

2024-08-02 05:53

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
8 matches, all with N/A in every column (no description, indicator, process or target recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe

"C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | (none) | tcp
KR | 218.54.47.74:11150 | (none) | tcp
KR | 218.54.47.76:11170 | (none) | tcp
KR | 218.54.47.77:11150 | (none) | tcp

Files

memory/2572-0-0x0000000000250000-0x000000000027C000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 44d8a98194d58d6e3c71a5679a46ef4f
SHA1 e3cf9b95ddfe0a6dbd1987d192c9d004044c369b
SHA256 64fc8b5a93a50eb11dc800dceca62f177aff7034c86390f839520bf78b27c3d3
SHA512 a92122c7d2b778b43032f268b5f59d3151681901a6be97e2fe9318d99823c9679b16b0ad3847a1cad5313cf31b7845f0474513e236c7d454d467b75670962010

memory/2572-6-0x0000000000450000-0x000000000047C000-memory.dmp

memory/2068-10-0x0000000000D60000-0x0000000000D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 99bff618b65a7245c790f68022a727da
SHA1 ae6c0c9429430e057ce83371daf2b3a66cfd154a
SHA256 7b7102980250ba2913a818393baa7000fa56b504ebf89562b19a2e72110d868e
SHA512 6ae84dce05918269212996c2021a08f64645c78454a16a9a8195d4b92bd1ea91010e2c94ef88c943cc658ba6b6f2c8f4043d1311dd95cc9c37ca22831bc0dfe5

memory/2572-19-0x0000000000250000-0x000000000027C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b4a86880004da8726288d7ec954885a8
SHA1 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256 c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

memory/2068-22-0x0000000000D60000-0x0000000000D8C000-memory.dmp

memory/2068-24-0x0000000000D60000-0x0000000000D8C000-memory.dmp

memory/2068-31-0x0000000000D60000-0x0000000000D8C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-02 05:50

Reported

2024-08-02 05:53

Platform

win10v2004-20240730-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
7 matches, all with N/A in every column (no description, indicator, process or target recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe

"C:\Users\Admin\AppData\Local\Temp\de1ea3a7dbf8ee7805bb71b03360a5a8ed4a1246e09a6de27759d97d2f6673e9.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | (none) | tcp
KR | 218.54.47.74:11150 | (none) | tcp
KR | 218.54.47.76:11170 | (none) | tcp
KR | 218.54.47.77:11150 | (none) | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp

Files

memory/2068-0-0x00000000004A0000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 16f94c6e33bfd6861350c37c6aeca7c0
SHA1 7ea2e2be8f530fabf215f80ffe3d6d1f3936fdda
SHA256 6ec2dc2ea1dc24f4f8c401470972d2c3eef236c4915db0a153dc911eb3396602
SHA512 dc9b42216d30717cdcbfddc35b43b58850e30b473bde07e1f0157d7e63bd22b3838165ceaf2ab59cc9d0c843f5d5b305a31c503f4f243a15763ef1b397865bc0

memory/768-13-0x0000000000AC0000-0x0000000000AEC000-memory.dmp

memory/2068-15-0x00000000004A0000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 99bff618b65a7245c790f68022a727da
SHA1 ae6c0c9429430e057ce83371daf2b3a66cfd154a
SHA256 7b7102980250ba2913a818393baa7000fa56b504ebf89562b19a2e72110d868e
SHA512 6ae84dce05918269212996c2021a08f64645c78454a16a9a8195d4b92bd1ea91010e2c94ef88c943cc658ba6b6f2c8f4043d1311dd95cc9c37ca22831bc0dfe5

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b4a86880004da8726288d7ec954885a8
SHA1 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256 c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

memory/768-18-0x0000000000AC0000-0x0000000000AEC000-memory.dmp

memory/768-20-0x0000000000AC0000-0x0000000000AEC000-memory.dmp

memory/768-26-0x0000000000AC0000-0x0000000000AEC000-memory.dmp