Malware Analysis Report

2024-11-16 13:28

Sample ID 240804-1cm72awhkr
Target 4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff
SHA256 4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff

Threat Level: Known bad

The file 4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-04 21:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 21:30

Reported

2024-08-04 21:32

Platform

win7-20240708-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe

"C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 |  | tcp
KR | 218.54.47.74:11150 |  | tcp
KR | 218.54.47.76:11170 |  | tcp
KR | 218.54.47.77:11150 |  | tcp

Files

memory/2972-0-0x0000000000190000-0x00000000001B5000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 2174de5aec1f6def7261a817814fec00
SHA1 60c52f2a94ea1f23cc82f3dd6f3a1eb9d196b61d
SHA256 189beb52e1e8e0d81a3bb5dceae77b44d8809e2404882e08a341c03a11d7a97a
SHA512 fe2f8767d2a9430da3e3d637df3b47e05f2e733a86a8f05db013a4448650c8e2d4160e517fffcb8d0c63f1f852f40a1b6fb9718a98c71ae42f95b1b511df1065

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 8a6b0ede7a9a1b7d054127ab15202bcc
SHA1 e2bd2ea415132a933519b2520c6a0b4f3c933284
SHA256 4f3c90f4294bd0733d394a740c0100717695ef4899e8d6d8c14b348342cb4f06
SHA512 501af41bc194a9ec7041979cbc88be97f7f2c7c6baaadcd69c01f4edb97b11b512d2ec94ddfc1f20d520e5d2edc039d98e66fae106216f2ade2c649ce14e7882

memory/2972-19-0x0000000000190000-0x00000000001B5000-memory.dmp

memory/2296-18-0x0000000000010000-0x0000000000035000-memory.dmp

memory/2972-16-0x0000000000530000-0x0000000000555000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 efd90b3ac908d5482af367de3a82184a
SHA1 de9f01d2ed0247b7b347e55c5a09721a60147fb9
SHA256 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d
SHA512 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

memory/2296-22-0x0000000000010000-0x0000000000035000-memory.dmp

memory/2296-24-0x0000000000010000-0x0000000000035000-memory.dmp

memory/2296-30-0x0000000000010000-0x0000000000035000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 21:30

Reported

2024-08-04 21:32

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe

"C:\Users\Admin\AppData\Local\Temp\4f1e9b920ab44db0d247d547511217a23dd7111114ef91a828b49ac69f42fcff.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
KR | 218.54.47.76:11120 |  | tcp
KR | 218.54.47.74:11150 |  | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
KR | 218.54.47.76:11170 |  | tcp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
KR | 218.54.47.77:11150 |  | tcp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp

Files

memory/1916-0-0x00000000004A0000-0x00000000004C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 77e029121fbdf9488fab6dad2c1499f0
SHA1 723e9234b7b8b5b5a09123bb47794eb00485a0f1
SHA256 3fc36517392486d6bcfcaf46359470ebf484e3b34b8a45ab7194f99162deedb3
SHA512 77793d765029ff495e8ab586c994f9c711b90793edebf3b41eb4690a36907eb33a0eeff08ba4e71f28105518b4df6dfa671aa87ae57ec414e1d19ad186062f30

memory/1160-15-0x0000000000560000-0x0000000000585000-memory.dmp

memory/1916-18-0x00000000004A0000-0x00000000004C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 8a6b0ede7a9a1b7d054127ab15202bcc
SHA1 e2bd2ea415132a933519b2520c6a0b4f3c933284
SHA256 4f3c90f4294bd0733d394a740c0100717695ef4899e8d6d8c14b348342cb4f06
SHA512 501af41bc194a9ec7041979cbc88be97f7f2c7c6baaadcd69c01f4edb97b11b512d2ec94ddfc1f20d520e5d2edc039d98e66fae106216f2ade2c649ce14e7882

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 efd90b3ac908d5482af367de3a82184a
SHA1 de9f01d2ed0247b7b347e55c5a09721a60147fb9
SHA256 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d
SHA512 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

memory/1160-21-0x0000000000560000-0x0000000000585000-memory.dmp

memory/1160-23-0x0000000000560000-0x0000000000585000-memory.dmp

memory/1160-29-0x0000000000560000-0x0000000000585000-memory.dmp