Malware Analysis Report

2024-11-16 13:28

Sample ID: 240803-hbqbwswbjl
Target: 6277d67815999af6b5fc10d9daa1d350N.exe
SHA256: 10ba25863d3ab242472602e3bbca63e70841bd50139652d0e5c873c65d48036d
Tags: urelas discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 10ba25863d3ab242472602e3bbca63e70841bd50139652d0e5c873c65d48036d

Threat Level: Known bad

The file 6277d67815999af6b5fc10d9daa1d350N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-03 06:33

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-03 06:33
Reported: 2024-08-03 06:36
Platform: win7-20240708-en
Max time kernel: 118s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6277d67815999af6b5fc10d9daa1d350N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description  Indicator  Process                      Target
N/A          N/A        C:\Windows\SysWOW64\cmd.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\biudfw.exe  N/A

Loads dropped DLL

Description  Indicator  Process                                                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\6277d67815999af6b5fc10d9daa1d350N.exe  N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description  Indicator                                                    Process                                                                   Target
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\biudfw.exe                              N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Windows\SysWOW64\cmd.exe                                               N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\6277d67815999af6b5fc10d9daa1d350N.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6277d67815999af6b5fc10d9daa1d350N.exe

"C:\Users\Admin\AppData\Local\Temp\6277d67815999af6b5fc10d9daa1d350N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination         Domain  Proto
KR       218.54.47.76:11120          tcp
KR       218.54.47.74:11150          tcp
KR       218.54.47.76:11170          tcp
KR       218.54.47.77:11150          tcp

Files

memory/2884-0-0x00000000009D0000-0x00000000009F5000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 237c66b352475f0d9b26515269ba4059
SHA1 9cda12996a64dcdde7d8537a269e0fab8f527b27
SHA256 757190040629eee770de808c754d8dac97d91257384e7a4ce05cc36622aa5d32
SHA512 b4d05c09e7dc0900c1584dc9f292378e108665e17b0837962babd98487916766d035cdd1f3d5d2171ca39a235e658dc70a82d4fa13b7e9d25ca1db079de5cf6e

memory/2884-5-0x0000000000920000-0x0000000000945000-memory.dmp

memory/2884-17-0x00000000009D0000-0x00000000009F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 55be461429bd6231c30190eed5e5034b
SHA1 4b8d6d12402a6e1ef52e78391d54f620cc49b725
SHA256 11668672212b878f24660bda19dfcb3f35c24ada2cce64b868ea4c2f09372e02
SHA512 a30d1e618442dfc77bdb7b5c8f5b2e394dc457fdffa8e1e31796cad1453a9b5ecbc7897c78028065658d2b4424885013a8e7fd517d26ad4f441f3981d507c434

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 efd90b3ac908d5482af367de3a82184a
SHA1 de9f01d2ed0247b7b347e55c5a09721a60147fb9
SHA256 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d
SHA512 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

memory/2608-20-0x0000000000180000-0x00000000001A5000-memory.dmp

memory/2608-22-0x0000000000180000-0x00000000001A5000-memory.dmp

memory/2608-29-0x0000000000180000-0x00000000001A5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-03 06:33
Reported: 2024-08-03 06:36
Platform: win10v2004-20240802-en
Max time kernel: 94s
Max time network: 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6277d67815999af6b5fc10d9daa1d350N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description        Indicator                                                                                           Process                                                                   Target
Key value queried  \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation  C:\Users\Admin\AppData\Local\Temp\6277d67815999af6b5fc10d9daa1d350N.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\biudfw.exe  N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description  Indicator                                                    Process                                                                   Target
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\6277d67815999af6b5fc10d9daa1d350N.exe  N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\biudfw.exe                              N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Windows\SysWOW64\cmd.exe                                               N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6277d67815999af6b5fc10d9daa1d350N.exe

"C:\Users\Admin\AppData\Local\Temp\6277d67815999af6b5fc10d9daa1d350N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination         Domain                      Proto
US       8.8.8.8:53          g.bing.com                  udp
US       13.107.21.237:443   g.bing.com                  tcp
US       8.8.8.8:53          8.8.8.8.in-addr.arpa        udp
US       8.8.8.8:53          237.21.107.13.in-addr.arpa  udp
US       8.8.8.8:53          2.159.190.20.in-addr.arpa   udp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa   udp
KR       218.54.47.76:11120                              tcp
KR       218.54.47.74:11150                              tcp
KR       218.54.47.76:11170                              tcp
US       8.8.8.8:53          81.144.22.2.in-addr.arpa    udp
KR       218.54.47.77:11150                              tcp
US       8.8.8.8:53          21.236.111.52.in-addr.arpa  udp

Files

memory/3160-0-0x0000000001000000-0x0000000001025000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 13bf5b81fe75e686a754248726fe6e93
SHA1 3b73b469376b79adf065f58ad35d5b27d56061e3
SHA256 3d224dd6e250237947210b0be653ef0529c88e20a2f937ec1e1a6dc9259c2496
SHA512 8c4a8f6f714c40f6071ef58a4ca770b44f3913a370a32d08fe13c0d8b0cc7fd1358f6baf5fd44b27c7d07851a6930b9ae3fb3ca3b7facf42a06549f1c6d2c96b

memory/4564-13-0x0000000000320000-0x0000000000345000-memory.dmp

memory/3160-18-0x0000000001000000-0x0000000001025000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 55be461429bd6231c30190eed5e5034b
SHA1 4b8d6d12402a6e1ef52e78391d54f620cc49b725
SHA256 11668672212b878f24660bda19dfcb3f35c24ada2cce64b868ea4c2f09372e02
SHA512 a30d1e618442dfc77bdb7b5c8f5b2e394dc457fdffa8e1e31796cad1453a9b5ecbc7897c78028065658d2b4424885013a8e7fd517d26ad4f441f3981d507c434

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 efd90b3ac908d5482af367de3a82184a
SHA1 de9f01d2ed0247b7b347e55c5a09721a60147fb9
SHA256 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d
SHA512 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

memory/4564-21-0x0000000000320000-0x0000000000345000-memory.dmp

memory/4564-23-0x0000000000320000-0x0000000000345000-memory.dmp

memory/4564-30-0x0000000000320000-0x0000000000345000-memory.dmp