Malware Analysis Report

2024-11-16 13:27

Sample ID 240804-e34rtawejl
Target e1a2c6df63912e750f762a181afcdc20N.exe
SHA256 a90191bcd4c952c26f0b92a2872303fd3c7e97e0e7473ee882e8d490741d6307
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a90191bcd4c952c26f0b92a2872303fd3c7e97e0e7473ee882e8d490741d6307

Threat Level: Known bad

The file e1a2c6df63912e750f762a181afcdc20N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Urelas family

Deletes itself

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-04 04:28

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 04:28

Reported

2024-08-04 04:30

Platform

win7-20240704-en

Max time kernel

90s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe

"C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
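The process list above is the whole "Deletes itself" story: the sample executes a second PE it dropped into the user's Temp directory, then hands a Temp-resident batch file to cmd.exe so that the batch can remove the original binary after it exits. The following detector is an added example (not part of the sandbox report or the sample) that encodes that parent/child pattern over constructed Sysmon-style process-creation records; the PIDs and the explorer.exe/setup.exe rows are invented for illustration. Two practitioner notes it bakes in: cmd.exe is matched by basename because a 32-bit parent asking for system32\cmd.exe is redirected to SysWOW64\cmd.exe by WoW64 (both spellings appear in this report), and the NLS\Language / Geo\Nation registry reads listed under the discovery signatures are made by nearly every process through the locale APIs, so they are context for the finding, not a trigger on their own.

```python
"""Flag the drop-and-self-delete chain from process-creation telemetry.

Added example; not from the sandbox report or the Urelas sample. The event
records are constructed to mirror the report's behavioral1 process tree;
PIDs and the 'explorer.exe'/'setup.exe' rows are invented for illustration.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged (e.g. Sysmon Event ID 1 'Image')
    cmdline: str    # command line as logged


# Constructed telemetry: rows 200-202 reproduce the report's process list.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100,
              r"C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe"'),
    ProcEvent(201, 200,
              r"C:\Users\Admin\AppData\Local\Temp\biudfw.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"'),
    ProcEvent(202, 200,
              r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'),
    # Benign control: an installer under Program Files running its own batch file.
    ProcEvent(300, 100, r"C:\Program Files\Vendor\setup.exe", "setup.exe"),
    ProcEvent(301, 300, r"C:\Windows\System32\cmd.exe",
              r'cmd /c "C:\Program Files\Vendor\post.bat"'),
]

USER_TEMP = "\\appdata\\local\\temp\\"          # matched case-insensitively
BAT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.bat)', re.IGNORECASE)


def in_user_temp(path: str) -> bool:
    """True for files under the user's %LOCALAPPDATA%\\Temp, where the sample
    and everything it drops live in this report."""
    return USER_TEMP in path.lower()


def detect(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per suspicious parent/child pair.

    'dropped_exe_from_temp':       a PE in user Temp spawned by a PE in user Temp
                                   (the report's 'Executes dropped EXE')
    'temp_batch_from_temp_parent': cmd.exe /c running a .bat in user Temp for a
                                   Temp-resident parent, the pattern behind the
                                   report's 'Deletes itself' signature
    """
    by_pid = {e.pid: e for e in events}
    findings: list[dict] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        if in_user_temp(ev.image) and in_user_temp(parent.image):
            findings.append({"rule": "dropped_exe_from_temp", "pid": ev.pid,
                             "image": ev.image, "parent": parent.image})
        # Basename only: a 32-bit parent requesting system32\cmd.exe is given
        # SysWOW64\cmd.exe by WoW64 file-system redirection.
        if ntpath.basename(ev.image).lower() == "cmd.exe" and "/c" in ev.cmdline.lower():
            m = BAT_RE.search(ev.cmdline)
            if m and in_user_temp(m.group(1)) and in_user_temp(parent.image):
                findings.append({"rule": "temp_batch_from_temp_parent", "pid": ev.pid,
                                 "batch": m.group(1), "parent": parent.image})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run against the constructed events, the detector reports exactly the two report rows (biudfw.exe executed from Temp, and cmd.exe running sanfdr.bat for the Temp-resident parent) and stays silent on the installer control, because the batch and the parent both live outside the user's Temp directory.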

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | - | tcp
KR | 218.54.47.74:11150 | - | tcp
KR | 218.54.47.76:11170 | - | tcp
KR | 218.54.47.77:11150 | - | tcp

Files

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 70327f9f9a020a4bcc08c2ca0ce4e0cd
SHA1 ca82986657b4dabe5709d93bc4e074f4068acc23
SHA256 ba345335030ded70d9cfde7e4d4de2cac95b4506886392eee10ce6123f845970
SHA512 990cd349e0494ea29a2832d204551a5ccd526392d95206ac960a506ca1a25d289c03b9d6f6fd59e06c399a06227c9011729420423dc41d0a4b4aec88aaf0348c

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 9c50fddb0095a59554d669c6ddcf8b7e
SHA1 e619094e38f8c3351ee084338a41ea4a7005c0aa
SHA256 9d8821c4186c809f5131f10cd894675b833a9dde5285718fae4ac700a804112f
SHA512 4f6e51ee364d2666130bd1b69d0edf494beefbda828fac3d056488af06c2ab4d105ae498010ddddc42551838b7049a4cade84b59e497ee53f3a55025fc46bbc1

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 2930c042c9ee5e07f321f2134a0c7edc
SHA1 ee39f41eaf6ce3c8d917a89e65959414ae0088e6
SHA256 a328475bbb730da292b83ed6cabbdbfc0616f042296f0c6fa356c5368ffc1309
SHA512 2da91d5effc116d8c8661c2a99f1d9c2aaffda0f776551dc7ad1911fdb2765591e5b441b9a1fe0090bcda8ed24d180b563ed2c127676cf1de40001e4b15b5506

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 04:28

Reported

2024-08-04 04:30

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe

"C:\Users\Admin\AppData\Local\Temp\e1a2c6df63912e750f762a181afcdc20N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
KR | 218.54.47.76:11120 | - | tcp
KR | 218.54.47.74:11150 | - | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
KR | 218.54.47.76:11170 | - | tcp
KR | 218.54.47.77:11150 | - | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 6f3dc7255da3d90a8fa6cabac96dea40
SHA1 787d3dd93bf4cc160cf38d283cdb9a76dbec26b3
SHA256 8640f61cbb9fc03903c044a481abded5bf7800b1d8a5ff6baa41830666ded239
SHA512 27500b90734448fcb021df5bf8e77237b1a94fe2d5144c71c1c0d13179a9a36dc1d4da85e644e01e92e3fb2441f98236eed9b0627547d7b5af8ecffe9be05f9c

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 9c50fddb0095a59554d669c6ddcf8b7e
SHA1 e619094e38f8c3351ee084338a41ea4a7005c0aa
SHA256 9d8821c4186c809f5131f10cd894675b833a9dde5285718fae4ac700a804112f
SHA512 4f6e51ee364d2666130bd1b69d0edf494beefbda828fac3d056488af06c2ab4d105ae498010ddddc42551838b7049a4cade84b59e497ee53f3a55025fc46bbc1

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 2930c042c9ee5e07f321f2134a0c7edc
SHA1 ee39f41eaf6ce3c8d917a89e65959414ae0088e6
SHA256 a328475bbb730da292b83ed6cabbdbfc0616f042296f0c6fa356c5368ffc1309
SHA512 2da91d5effc116d8c8661c2a99f1d9c2aaffda0f776551dc7ad1911fdb2765591e5b441b9a1fe0090bcda8ed24d180b563ed2c127676cf1de40001e4b15b5506
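Comparing the two runs tells a practitioner which indicators are worth keeping. The four KR endpoints (218.54.47.74/76/77 on tcp ports 11120, 11150 and 11170) recur on both Windows 7 and Windows 10 with no preceding DNS lookup in either run, which points to addresses hard-coded in the sample; the 8.8.8.8 DNS traffic, the PTR (in-addr.arpa) lookups and the g.bing.com connection appear only in the Windows 10 run and are consistent with OS and sandbox background activity rather than the sample. On the file side, sanfdr.bat and golfinfo.ini are byte-identical across runs, while the dropped biudfw.exe carries a different hash in each run, so its hash is a per-execution artifact and a weak indicator; its path and the two stable hashes are the durable ones. The script below is an added example (not part of the report) that applies exactly that reasoning: it copies the report's rows (the Windows 10 DNS rows as a subset), filters background traffic with rules that are this example's assumptions about the sandbox, keeps only what recurs in every run, and separates hash-stable from hash-unstable dropped files.

```python
"""Consolidate network and file indicators across the report's two runs.

Added example; not part of the sandbox report. The rows below are copied from
the report's Network and Files tables (Win10 DNS/PTR rows as a subset); the
background-traffic rules are this example's assumptions about the sandbox.
"""
from __future__ import annotations

# (Country, Destination, Domain, Proto) as listed in the report.
RUN1_NET = [  # behavioral1, win7-20240704-en
    ("KR", "218.54.47.76:11120", "", "tcp"),
    ("KR", "218.54.47.74:11150", "", "tcp"),
    ("KR", "218.54.47.76:11170", "", "tcp"),
    ("KR", "218.54.47.77:11150", "", "tcp"),
]
RUN2_NET = [  # behavioral2, win10v2004-20240802-en (subset of the DNS rows)
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "13.107.21.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "237.21.107.13.in-addr.arpa", "udp"),
    ("KR", "218.54.47.76:11120", "", "tcp"),
    ("KR", "218.54.47.74:11150", "", "tcp"),
    ("KR", "218.54.47.76:11170", "", "tcp"),
    ("KR", "218.54.47.77:11150", "", "tcp"),
    ("US", "8.8.8.8:53", "23.236.111.52.in-addr.arpa", "udp"),
]

# SHA256 of the dropped files per run, copied from the report.
RUN1_FILES = {
    "biudfw.exe": "ba345335030ded70d9cfde7e4d4de2cac95b4506886392eee10ce6123f845970",
    "sanfdr.bat": "9d8821c4186c809f5131f10cd894675b833a9dde5285718fae4ac700a804112f",
    "golfinfo.ini": "a328475bbb730da292b83ed6cabbdbfc0616f042296f0c6fa356c5368ffc1309",
}
RUN2_FILES = {
    "biudfw.exe": "8640f61cbb9fc03903c044a481abded5bf7800b1d8a5ff6baa41830666ded239",
    "sanfdr.bat": "9d8821c4186c809f5131f10cd894675b833a9dde5285718fae4ac700a804112f",
    "golfinfo.ini": "a328475bbb730da292b83ed6cabbdbfc0616f042296f0c6fa356c5368ffc1309",
}

SANDBOX_RESOLVER = "8.8.8.8"   # assumption: the VM's configured DNS server


def split_dest(dest: str) -> tuple[str, int]:
    ip, _, port = dest.rpartition(":")
    return ip, int(port)


def is_background(dest: str, domain: str) -> bool:
    """Traffic the VM or Windows produces whether or not the sample runs:
    DNS to the resolver, PTR lookups and Bing traffic (assumed rules; all of
    it is absent from the report's Win7 run)."""
    ip, port = split_dest(dest)
    if ip == SANDBOX_RESOLVER and port == 53:
        return True
    d = domain.lower()
    return d.endswith(".in-addr.arpa") or d == "bing.com" or d.endswith(".bing.com")


def triage_network(rows) -> set[tuple[str, int, str]]:
    """Endpoints left after removing background traffic."""
    keep = set()
    for _country, dest, domain, proto in rows:
        if not is_background(dest, domain):
            ip, port = split_dest(dest)
            keep.add((ip, port, proto))
    return keep


def compare_dropped_files(a: dict, b: dict) -> tuple[dict, set]:
    """Split dropped files into hash-stable (same SHA256 in both runs) and
    hash-unstable ones; only the former are usable as hash indicators."""
    stable = {n: h for n, h in a.items() if b.get(n) == h}
    unstable = {n for n, h in a.items() if n in b and b[n] != h}
    return stable, unstable


def build_iocs(net_runs, file_runs) -> dict:
    """Keep only endpoints seen in every run, so one run's noise cannot leak in."""
    net = set.intersection(*(triage_network(r) for r in net_runs))
    stable, unstable = compare_dropped_files(*file_runs)
    return {
        "network": sorted(f"{ip}:{port}/{proto}" for ip, port, proto in net),
        "file_sha256": stable,
        "hash_unstable": sorted(unstable),
    }


def flow_matches(iocs: dict, dst_ip: str, dst_port: int, proto: str) -> bool:
    """Check one observed flow (firewall or NetFlow record) against the set."""
    return f"{dst_ip}:{dst_port}/{proto}" in iocs["network"]


if __name__ == "__main__":
    for key, value in build_iocs([RUN1_NET, RUN2_NET], [RUN1_FILES, RUN2_FILES]).items():
        print(key, value)
```

The output is the four KR ip:port pairs, the two stable SHA256 values keyed by file name, and biudfw.exe listed as hash-unstable; the background rules are deliberately narrow to the rows this report shows and should be re-checked against any other sandbox's baseline before reuse.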