Malware Analysis Report

2024-11-16 13:27

Sample ID: 240805-pkk7vswbjp
Target: 8c901cea5e13f5979e1e7a48ed4c9e40N.exe
SHA256: b2bdf4d2f9743c5a1bf6d8d76b6b6187eda08c8197bab1897b3886983bc4da2e
Tags: urelas, discovery, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: b2bdf4d2f9743c5a1bf6d8d76b6b6187eda08c8197bab1897b3886983bc4da2e
Threat Level: Known bad

The file 8c901cea5e13f5979e1e7a48ed4c9e40N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: urelas, discovery, trojan

Urelas
Urelas family
Deletes itself
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-05 12:23

Signatures

Urelas family (urelas)
Unsigned PE

Indicators: none recorded for the static pass (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-05 12:23
Reported: 2024-08-05 12:25
Platform: win7-20240708-en
Max time kernel: 119s
Max time network: 93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c901cea5e13f5979e1e7a48ed4c9e40N.exe"

Signatures

Urelas (trojan, urelas)

Deletes itself
  Process: C:\Windows\SysWOW64\cmd.exe

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Loads dropped DLL
  Process: C:\Users\Admin\AppData\Local\Temp\8c901cea5e13f5979e1e7a48ed4c9e40N.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by C:\Users\Admin\AppData\Local\Temp\8c901cea5e13f5979e1e7a48ed4c9e40N.exe
    by C:\Users\Admin\AppData\Local\Temp\biudfw.exe
    by C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8c901cea5e13f5979e1e7a48ed4c9e40N.exe
  "C:\Users\Admin\AppData\Local\Temp\8c901cea5e13f5979e1e7a48ed4c9e40N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination         Domain  Proto
KR       218.54.47.76:11120  -       tcp
KR       218.54.47.74:11150  -       tcp
KR       218.54.47.76:11170  -       tcp
KR       218.54.47.77:11150  -       tcp
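The process chain and network activity recorded above (a Temp-resident sample starting a second Temp-resident EXE, cmd.exe running a .bat from Temp, NLS\Language and Geo\Nation registry reads, TCP to 218.54.47.x on ports 11120/11150/11170) can be turned into a behaviour-based detector. The following is an added example and not part of the sandbox report or any vendor's rule set. The event records are constructed to mirror the report; the event schema, the parent/child relationships, the cmd.exe PID (2500), the parent PID 1000, and which process opened the network connection are assumptions (the report only lists processes and endpoints, not a tree).

```python
"""
Added example (not from the report): behaviour-based detection over
constructed process, registry and network events that mirror the
behavioral1/behavioral2 detonations of 8c901cea5e13f5979e1e7a48ed4c9e40N.exe.
The event field names are an assumption (loosely Sysmon-like), not a real schema.
"""
import ipaddress
import re

# %LOCALAPPDATA%\Temp of any user, case-insensitive.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Matches both 'cmd /c ""X.bat" "' and 'C:\Windows\system32\cmd.exe /c ""X.bat" "'.
BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+?\.bat)', re.IGNORECASE)
# Endpoints observed in both detonations on the page.
C2_NET = ipaddress.ip_network("218.54.47.0/24")
C2_PORTS = {11120, 11150, 11170}
# Registry paths the sample touched for language/region discovery.
LOCALE_KEY_SUFFIXES = (r"\control\nls\language", r"\control panel\international\geo\nation")


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))


def detect(events):
    """Return (rule, pid) findings: Temp EXE spawning another Temp EXE, cmd.exe
    running a .bat from Temp on behalf of a Temp EXE (the self-delete pattern),
    locale discovery from a Temp EXE, and TCP to the observed C2 range/ports."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "process_create":
            parent = image_by_pid.get(e["ppid"], "")
            if in_temp(parent) and in_temp(e["image"]) and e["image"].lower() != parent.lower():
                findings.append(("temp_exe_spawns_temp_exe", e["pid"]))
            m = BAT_RE.search(e["cmdline"])
            if m and in_temp(m.group(1)) and in_temp(parent):
                findings.append(("cmd_runs_temp_bat", e["pid"]))
        elif e["type"] == "net_connect":
            if (e["proto"] == "tcp"
                    and ipaddress.ip_address(e["dst_ip"]) in C2_NET
                    and e["dst_port"] in C2_PORTS):
                findings.append(("urelas_c2_endpoint", e["pid"]))
        elif e["type"] == "reg_access":
            key = e["key"].lower()
            if (any(key.endswith(s) for s in LOCALE_KEY_SUFFIXES)
                    and in_temp(image_by_pid.get(e["pid"], ""))):
                findings.append(("locale_discovery_from_temp", e["pid"]))
    return findings


# Constructed events. Paths, command lines and registry keys are copied from
# the report; PIDs 2404/2360 come from the report's memory-dump names, the
# cmd.exe PID 2500, parent PID 1000 and the pid-to-connection mapping are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8c901cea5e13f5979e1e7a48ed4c9e40N.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
EVENTS = [
    {"type": "process_create", "pid": 2404, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "reg_access", "pid": 2404,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "reg_access", "pid": 2404,
     "key": r"\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 2360, "ppid": 2404, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"type": "process_create", "pid": 2500, "ppid": 2404, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'},
    {"type": "net_connect", "pid": 2360, "dst_ip": "218.54.47.76", "dst_port": 11120, "proto": "tcp"},
    {"type": "net_connect", "pid": 2360, "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:30s} pid={pid}")
```

The 8.8.8.8:53 UDP event is deliberately included as a negative case: DNS to a public resolver is not attributed to the sample by the report, so only the 218.54.47.0/24 high-port TCP connections match.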

Files

\Users\Admin\AppData\Local\Temp\biudfw.exe
  MD5    8d199caabb032cb55e9d7ade22d18fae
  SHA1   ee6e824204cc3a1d349777b56bb2d56ec6acfdf7
  SHA256 44021d2e90101f6ad09ff146704f71f34dc77dad79200b124cd0fc3cd38fff81
  SHA512 10b147a77f2d030eeccbfc8c1ed611f27cf08ede46eda112105307445aace020f3864cdaf6d5201594e90c3f25b2af1d49d31370f9442378ed65731e571fbe14

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
  MD5    c7032364f2b3e734b701b60b2e33254b
  SHA1   04c554f2922dc12ea4695633f75c94af088e981f
  SHA256 bfcbc91abfe66c9c56e1888eed5ba7e02bca93517477a0a4ba1cce0bb2207bcd
  SHA512 e5b69a028b59c9988a7d4426c7e15ca14d4c1c9f2980b8571e6720a170529757deaa262cd068f36c8f81009dc20983083e0aca39889db0ced85031a82d90fd91

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
  MD5    ac5e84ed8031d66a9fcd5e472ba8091b
  SHA1   06303add604104d6abbb69458f89773c066b470c
  SHA256 3a3cfa6f4786dab0ac8bc76204948f32a3a2cbd094922f87c251ec80d22baae5
  SHA512 7bf829102a70a1304dae435b8ae3c9ef9a925af7e995fe381d80730f4f702e1fd2a0a1b6a3a4b4667925f5bb95c897166a8fc0f52d3171d9cdba0bf09b53f152

Memory dumps (in capture order)
  memory/2404-0-0x0000000001170000-0x000000000119B000-memory.dmp
  memory/2404-6-0x00000000009D0000-0x00000000009FB000-memory.dmp
  memory/2360-16-0x0000000000940000-0x000000000096B000-memory.dmp
  memory/2404-18-0x0000000001170000-0x000000000119B000-memory.dmp
  memory/2360-21-0x0000000000940000-0x000000000096B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-05 12:23
Reported: 2024-08-05 12:25
Platform: win10v2004-20240802-en
Max time kernel: 95s
Max time network: 103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c901cea5e13f5979e1e7a48ed4c9e40N.exe"

Signatures

Urelas (trojan, urelas)

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation
    by C:\Users\Admin\AppData\Local\Temp\8c901cea5e13f5979e1e7a48ed4c9e40N.exe

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by C:\Users\Admin\AppData\Local\Temp\8c901cea5e13f5979e1e7a48ed4c9e40N.exe
    by C:\Users\Admin\AppData\Local\Temp\biudfw.exe
    by C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8c901cea5e13f5979e1e7a48ed4c9e40N.exe
  "C:\Users\Admin\AppData\Local\Temp\8c901cea5e13f5979e1e7a48ed4c9e40N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination          Domain                            Proto
US       8.8.8.8:53           g.bing.com                        udp
US       204.79.197.237:443   g.bing.com                        tcp
US       8.8.8.8:53           21.53.126.40.in-addr.arpa         udp
US       8.8.8.8:53           237.197.79.204.in-addr.arpa       udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa      udp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa         udp
KR       218.54.47.76:11120   -                                 tcp
KR       218.54.47.74:11150   -                                 tcp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa          udp
US       8.8.8.8:53           198.187.3.20.in-addr.arpa         udp
US       8.8.8.8:53           18.134.221.88.in-addr.arpa        udp
KR       218.54.47.76:11170   -                                 tcp
US       8.8.8.8:53           172.214.232.199.in-addr.arpa      udp
KR       218.54.47.77:11150   -                                 tcp
NL       52.111.243.31:443    -                                 tcp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa        udp

The four TCP connections to 218.54.47.74, .76 and .77 on ports 11120, 11150 and 11170 are the same endpoints contacted in the behavioral1 (Windows 7) run. The 8.8.8.8:53 lookups for g.bing.com and the in-addr.arpa names, the g.bing.com HTTPS connection and 52.111.243.31:443 appear only in this Windows 10 run, and the report does not attribute any network connection to a specific process.

Files

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  MD5    52ae00c83b49cb7fcf8adb652c39ab3c
  SHA1   0840178347b9fe09c478f0230b6c87d8f692e2e2
  SHA256 1f662d86b579bb9ba941e944769706545e682542bb1ca94123a97639cad52bf8
  SHA512 e54b5b7a914d0455f718b3ac7f1c93662a38e0c271f8c3076fd3f0182231fced0056207fbbc4766fe83598692dd24be39e78f281a5628055c7dcd99d72444dae

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
  MD5    c7032364f2b3e734b701b60b2e33254b
  SHA1   04c554f2922dc12ea4695633f75c94af088e981f
  SHA256 bfcbc91abfe66c9c56e1888eed5ba7e02bca93517477a0a4ba1cce0bb2207bcd
  SHA512 e5b69a028b59c9988a7d4426c7e15ca14d4c1c9f2980b8571e6720a170529757deaa262cd068f36c8f81009dc20983083e0aca39889db0ced85031a82d90fd91

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
  MD5    ac5e84ed8031d66a9fcd5e472ba8091b
  SHA1   06303add604104d6abbb69458f89773c066b470c
  SHA256 3a3cfa6f4786dab0ac8bc76204948f32a3a2cbd094922f87c251ec80d22baae5
  SHA512 7bf829102a70a1304dae435b8ae3c9ef9a925af7e995fe381d80730f4f702e1fd2a0a1b6a3a4b4667925f5bb95c897166a8fc0f52d3171d9cdba0bf09b53f152

Memory dumps (in capture order)
  memory/184-0-0x0000000000BE0000-0x0000000000C0B000-memory.dmp
  memory/2812-15-0x0000000000A40000-0x0000000000A6B000-memory.dmp
  memory/184-17-0x0000000000BE0000-0x0000000000C0B000-memory.dmp
  memory/2812-20-0x0000000000A40000-0x0000000000A6B000-memory.dmp
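The two detonations drop the same three files, but only sanfdr.bat and golfinfo.ini carry identical hashes in both runs; biudfw.exe has a different SHA256 on Windows 7 and Windows 10. Before lifting hashes from a report like this into a blocklist it is worth checking which ones actually hold across runs. The script below does that comparison for the file hashes and network endpoints recorded in the behavioral1 and behavioral2 sections. It is an added example, not part of the report or of any sandbox's tooling; the hash values and endpoints are copied from the page, while the RUNS record layout and the function names are assumptions.

```python
"""
Added example (not from the report): split the indicators of the two
detonations on the page into ones that are stable across runs and ones that
change per run. Values are transcribed from the report; the record layout
is an assumption.
"""
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

RUNS = {
    "behavioral1/win7-20240708-en": {
        "files": {
            TEMP + r"\biudfw.exe":   "44021d2e90101f6ad09ff146704f71f34dc77dad79200b124cd0fc3cd38fff81",
            TEMP + r"\sanfdr.bat":   "bfcbc91abfe66c9c56e1888eed5ba7e02bca93517477a0a4ba1cce0bb2207bcd",
            TEMP + r"\golfinfo.ini": "3a3cfa6f4786dab0ac8bc76204948f32a3a2cbd094922f87c251ec80d22baae5",
        },
        "network": {
            ("218.54.47.76", 11120, "tcp"), ("218.54.47.74", 11150, "tcp"),
            ("218.54.47.76", 11170, "tcp"), ("218.54.47.77", 11150, "tcp"),
        },
    },
    "behavioral2/win10v2004-20240802-en": {
        "files": {
            TEMP + r"\biudfw.exe":   "1f662d86b579bb9ba941e944769706545e682542bb1ca94123a97639cad52bf8",
            TEMP + r"\sanfdr.bat":   "bfcbc91abfe66c9c56e1888eed5ba7e02bca93517477a0a4ba1cce0bb2207bcd",
            TEMP + r"\golfinfo.ini": "3a3cfa6f4786dab0ac8bc76204948f32a3a2cbd094922f87c251ec80d22baae5",
        },
        "network": {
            ("8.8.8.8", 53, "udp"), ("204.79.197.237", 443, "tcp"),
            ("218.54.47.76", 11120, "tcp"), ("218.54.47.74", 11150, "tcp"),
            ("218.54.47.76", 11170, "tcp"), ("218.54.47.77", 11150, "tcp"),
            ("52.111.243.31", 443, "tcp"),
        },
    },
}


def stable_file_hashes(runs):
    """path -> sha256 for files that appear in every run with an identical hash."""
    seen = Counter()  # (path, sha256) -> number of runs it was observed in
    for r in runs.values():
        for path, sha in r["files"].items():
            seen[(path, sha)] += 1
    return {path: sha for (path, sha), n in seen.items() if n == len(runs)}


def volatile_files(runs):
    """paths whose hash differs between runs: keep the path/name, not the hash."""
    by_path = {}
    for r in runs.values():
        for path, sha in r["files"].items():
            by_path.setdefault(path, set()).add(sha)
    return sorted(p for p, hashes in by_path.items() if len(hashes) > 1)


def common_endpoints(runs):
    """(ip, port, proto) contacted in every run: the strongest network IOCs."""
    return set.intersection(*(r["network"] for r in runs.values()))


def run_only_endpoints(runs):
    """run name -> endpoints seen in that run but not in every run."""
    common = common_endpoints(runs)
    return {name: r["network"] - common for name, r in runs.items()}


if __name__ == "__main__":
    print("stable file hashes:")
    for path, sha in stable_file_hashes(RUNS).items():
        print(f"  {path}  {sha}")
    print("volatile files (hash changes per run):", volatile_files(RUNS))
    print("endpoints common to all runs:", sorted(common_endpoints(RUNS)))
    for name, extra in run_only_endpoints(RUNS).items():
        print(f"endpoints only in {name}:", sorted(extra))
```

Run stand-alone it reports sanfdr.bat and golfinfo.ini as stable hashes, biudfw.exe as the file whose hash changes per run, the four 218.54.47.x endpoints as common to both detonations, and the Google DNS, g.bing.com and 52.111.243.31 traffic as present only in the Windows 10 run.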