Malware Analysis Report

2024-11-16 13:28

Sample ID 240804-ephx7azgjd
Target def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f
SHA256 def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f

Threat Level: Known bad

The file def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Observed chain, as recorded in the two behavioral runs below: three files appear in the user's %TEMP% directory during execution (biudfw.exe, sanfdr.bat and golfinfo.ini), biudfw.exe is executed, and sanfdr.bat is run through cmd.exe. In the Windows 7 run the "Deletes itself" signature is attributed to that cmd.exe process, so the batch file is the self-removal step. Both runs then attempt TCP connections to 218.54.47.74, 218.54.47.76 and 218.54.47.77 on ports 11120, 11150 and 11170; no domain is recorded for any of them, so the addresses are hard-coded rather than resolved. Note that the dropped biudfw.exe has a different SHA256 in each run while sanfdr.bat and golfinfo.ini are byte-identical across runs, so the hashes of the batch and ini files, the dropped file names and the C2 endpoints are more durable indicators than the hash of the dropped executable. "Loads dropped DLL" and "Suspicious use of WriteProcessMemory" appear only in this summary; neither behavioral section below records a matching event, and "Unsigned PE" comes from the static analysis.

MITRE ATT&CK

Enterprise Matrix V15. The matrix graphic is not included on this page; the signature names above are ATT&CK technique names and map as follows: "System Location Discovery: System Language Discovery" is T1614.001, "Checks computer location settings" falls under T1614 (System Location Discovery), and "Deletes itself" corresponds to T1070.004 (Indicator Removal: File Deletion).

Analysis: static1

Detonation Overview

Reported

2024-08-04 04:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 04:06

Reported

2024-08-04 04:09

Platform

win7-20240704-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe

"C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | (none recorded) | tcp
KR | 218.54.47.74:11150 | (none recorded) | tcp
KR | 218.54.47.76:11170 | (none recorded) | tcp
KR | 218.54.47.77:11150 | (none recorded) | tcp
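The process chain and network activity recorded in this run, turned into detection logic. This is an added example by the editor, not sandbox output or the sandbox vendor's rules: the Sysmon-style event records are constructed to mirror the Processes and Network tables above (the parent of each child process is assumed, since the report does not state it), the field names follow Sysmon Event ID 1 (process create) and Event ID 3 (network connect), and the rule names are the editor's.

```python
import re

# Paths exactly as they appear in the report's Processes section.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe"

# TCP endpoints from the Network table; identical in both detonations.
C2_ENDPOINTS = {
    ("218.54.47.76", 11120),
    ("218.54.47.74", 11150),
    ("218.54.47.76", 11170),
    ("218.54.47.77", 11150),
}

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^"\\]+\.bat\b', re.IGNORECASE)


def in_temp(path):
    return TEMP_DIR_RE.search(path) is not None


def rule_dropped_exe(ev):
    """Executes dropped EXE: an .exe under %TEMP% whose parent also runs from %TEMP%."""
    return (ev["EventID"] == 1
            and ev["Image"].lower().endswith(".exe")
            and in_temp(ev["Image"])
            and in_temp(ev["ParentImage"]))


def rule_temp_bat(ev):
    """Deletes itself: cmd.exe /c running a batch file that lives in %TEMP%."""
    return (ev["EventID"] == 1
            and ev["Image"].lower().endswith("\\cmd.exe")
            and " /c " in ev["CommandLine"].lower()
            and TEMP_BAT_RE.search(ev["CommandLine"]) is not None)


def rule_c2(ev):
    """Network: outbound connection to one of the listed ip:port pairs."""
    return (ev["EventID"] == 3
            and (ev["DestinationIp"], int(ev["DestinationPort"])) in C2_ENDPOINTS)


RULES = [
    ("urelas_dropped_exe_from_temp", rule_dropped_exe),
    ("urelas_cmd_runs_temp_bat", rule_temp_bat),
    ("urelas_c2_endpoint", rule_c2),
]


def triage(events):
    """Return (rule_name, subject) for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            subject = ev["Image"]
        else:
            subject = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, subject))
    return hits


# Constructed events (not sandbox telemetry) mirroring the process tree and one
# C2 connection above, plus two benign decoys that must not fire. Parent
# processes are assumed; the report lists processes without their parents.
EVENTS = [
    {"EventID": 1, "Image": f"{TEMP}\\{SAMPLE}", "CommandLine": f'"{TEMP}\\{SAMPLE}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": f"{TEMP}\\biudfw.exe", "CommandLine": f'"{TEMP}\\biudfw.exe"',
     "ParentImage": f"{TEMP}\\{SAMPLE}"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'cmd /c ""{TEMP}\\sanfdr.bat" "', "ParentImage": f"{TEMP}\\{SAMPLE}"},
    {"EventID": 3, "DestinationIp": "218.54.47.76", "DestinationPort": 11120},
    {"EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\Admin\Desktop\build.bat"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for name, subject in triage(EVENTS):
        print(f"{name:32} {subject}")
```

The batch-file rule keys on the location of the .bat rather than on the name sanfdr.bat, since nothing in the report says that name is constant, and the dropped-executable rule likewise ignores the name biudfw.exe and matches any %TEMP% executable spawned by a %TEMP% parent. That second rule will also fire on some installers, so treat both as triage rules that raise a case, not as blocking rules; the endpoint rule is exact and is the one to alert on directly.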

Files

memory/2400-0-0x0000000000DD0000-0x0000000000DF6000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 262f3800c6843eb01ed6ef2965a67e05
SHA1 dc01624091e6c05e237d53a9d6a444f24122c191
SHA256 dc34b3ae19122bdd9490f85a8ba7886cc4e145dc24102d40bd4a09aab042a96c
SHA512 9f6d2b0a777102c98afde373f273e5d273949846419cc986914dbc84af8939abdcaca8b4f3ab123a7823411a705b1b9b72ec5322ab76f20040f962cab05f4e6d

memory/2812-16-0x0000000000040000-0x0000000000066000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 d8635929082df9ac0a5be0ff1d465f7a
SHA1 bf6a78a72d41e126a32b0b82873967e1edcd7356
SHA256 ab5130aed942753f5ae3acd322c1cbce5a044cf37453dc74e04bfc6a95ad3736
SHA512 690d7bbe838a8d491256802e6702a3256c9271b4821387574f69f9a5b8a220e94729c9042cf267393c73dd8da4bf221b9ef286c7ac11740687d59dcf7417c759

memory/2400-12-0x0000000000B30000-0x0000000000B56000-memory.dmp

memory/2400-19-0x0000000000DD0000-0x0000000000DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 7cdc8777d33db85bc19aefb64879a7f7
SHA1 f2d494d4dfe93a05eb58513935196e8578648adf
SHA256 9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336
SHA512 34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

memory/2812-22-0x0000000000040000-0x0000000000066000-memory.dmp

memory/2812-24-0x0000000000040000-0x0000000000066000-memory.dmp

memory/2812-31-0x0000000000040000-0x0000000000066000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 04:06

Reported

2024-08-04 04:09

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

85s

Command Line

"C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe

"C:\Users\Admin\AppData\Local\Temp\def331ad10d30978f1d88a196dcdd5cefa3ce0e2edf0fa8b36255f294859782f.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | (none recorded) | tcp
KR | 218.54.47.74:11150 | (none recorded) | tcp
KR | 218.54.47.76:11170 | (none recorded) | tcp
KR | 218.54.47.77:11150 | (none recorded) | tcp

Files

memory/4088-0-0x0000000000FA0000-0x0000000000FC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 1a182b6bf9d3fcf63b272a3c214fa2df
SHA1 be701496b4ca96f4b5fb2802d865a25b59dd3a5f
SHA256 1c4166ee70ebbaced45b3bf92c9778f53b31b6a6970bce4cae02bd1fb35926b8
SHA512 d29951a3825be0693f945f1354f2e2fd9b838236e93645930128c9cbc03ffe0bf22e03f242ce7125705cd67a592d84d1dce71911362535793ffa0da67de187f6

memory/1420-12-0x0000000000450000-0x0000000000476000-memory.dmp

memory/4088-15-0x0000000000FA0000-0x0000000000FC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 d8635929082df9ac0a5be0ff1d465f7a
SHA1 bf6a78a72d41e126a32b0b82873967e1edcd7356
SHA256 ab5130aed942753f5ae3acd322c1cbce5a044cf37453dc74e04bfc6a95ad3736
SHA512 690d7bbe838a8d491256802e6702a3256c9271b4821387574f69f9a5b8a220e94729c9042cf267393c73dd8da4bf221b9ef286c7ac11740687d59dcf7417c759

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 7cdc8777d33db85bc19aefb64879a7f7
SHA1 f2d494d4dfe93a05eb58513935196e8578648adf
SHA256 9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336
SHA512 34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

memory/1420-18-0x0000000000450000-0x0000000000476000-memory.dmp

memory/1420-20-0x0000000000450000-0x0000000000476000-memory.dmp

memory/1420-27-0x0000000000450000-0x0000000000476000-memory.dmp
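Which of the artifacts from the two detonations are worth shipping as indicators. This is an added example by the editor, not sandbox output: the hash tables are transcribed from the Files sections of behavioral1 and behavioral2 above and the endpoints from the Network tables; the stable/volatile classification and the confidence labels are editorial choices, not fields the sandbox produces.

```python
# SHA256 of dropped files per run, as listed in the report.
BEHAVIORAL1 = {
    "biudfw.exe": "dc34b3ae19122bdd9490f85a8ba7886cc4e145dc24102d40bd4a09aab042a96c",
    "sanfdr.bat": "ab5130aed942753f5ae3acd322c1cbce5a044cf37453dc74e04bfc6a95ad3736",
    "golfinfo.ini": "9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336",
}
BEHAVIORAL2 = {
    "biudfw.exe": "1c4166ee70ebbaced45b3bf92c9778f53b31b6a6970bce4cae02bd1fb35926b8",
    "sanfdr.bat": "ab5130aed942753f5ae3acd322c1cbce5a044cf37453dc74e04bfc6a95ad3736",
    "golfinfo.ini": "9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336",
}

# TCP endpoints from the Network tables (identical in both runs).
C2_ENDPOINTS = [
    ("218.54.47.76", 11120),
    ("218.54.47.74", 11150),
    ("218.54.47.76", 11170),
    ("218.54.47.77", 11150),
]


def classify_drops(run_a, run_b):
    """Split dropped files into stable (same hash in both runs), volatile
    (present in both runs with different hashes) and unpaired (one run only)."""
    stable, volatile, unpaired = {}, {}, {}
    for name in sorted(set(run_a) | set(run_b)):
        a, b = run_a.get(name), run_b.get(name)
        if a is None or b is None:
            unpaired[name] = a or b
        elif a == b:
            stable[name] = a
        else:
            volatile[name] = (a, b)
    return stable, volatile, unpaired


def build_iocs(run_a, run_b, endpoints):
    """Emit a flat indicator list. Stable files get a hash indicator; a file
    whose hash already differs between two sandbox runs gets only a filename
    indicator at lower confidence, since its hash will not match in the field."""
    stable, volatile, unpaired = classify_drops(run_a, run_b)
    iocs = []
    for name, sha in stable.items():
        iocs.append({"type": "sha256", "value": sha, "context": name, "confidence": "high"})
    for name in volatile:
        iocs.append({"type": "filename", "value": name,
                     "context": "hash varies per run", "confidence": "medium"})
    for name, sha in unpaired.items():
        iocs.append({"type": "sha256", "value": sha,
                     "context": f"{name} (seen in one run only)", "confidence": "low"})
    for ip, port in endpoints:
        iocs.append({"type": "ipv4:port", "value": f"{ip}:{port}",
                     "context": "tcp", "confidence": "high"})
    return iocs


if __name__ == "__main__":
    for ioc in build_iocs(BEHAVIORAL1, BEHAVIORAL2, C2_ENDPOINTS):
        print(f'{ioc["confidence"]:6} {ioc["type"]:10} {ioc["value"]}  # {ioc["context"]}')
```

With the two runs above, sanfdr.bat and golfinfo.ini come out stable and biudfw.exe volatile, which is the reason to carry the batch and ini hashes, the file names and the four endpoints rather than the hash of the dropped executable; the sample's own SHA256 from the report header is the other hash worth keeping.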