Malware Analysis Report

2024-11-16 13:26

Sample ID 240806-3mh26sthlq
Target 7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed
SHA256 7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed
Tags
urelas discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed

Threat Level: Known bad

The file 7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 23:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 23:37

Reported

2024-08-06 23:40

Platform

win7-20240704-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe

"C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | (none) | tcp
KR | 218.54.47.74:11150 | (none) | tcp
KR | 218.54.47.76:11170 | (none) | tcp
KR | 218.54.47.77:11150 | (none) | tcp

Files

memory/1876-0-0x00000000002C0000-0x00000000002E6000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 d3ffd1625e34029aa7bee59c831eac4b
SHA1 4326857064825c31f008caf48bf0e14c9025e92a
SHA256 f662b3c29b5bac511989402cf387f02c5cc897d3fbf13ad14d56144f5584aedf
SHA512 f0dbf93cc6f15bfe680f32df51ad1edfb5202a3d794f69b818cfd5f0435fcbd342a037ca29654ea18f1b887b4d1c9034a46d9c358716d194851e471a81466647

memory/1876-6-0x0000000000400000-0x0000000000426000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 742ca291db423d34618f3829a135cd9c
SHA1 0c00fcff458090048e2715eaa9da17c11002a8ce
SHA256 0514ba7fa6782519d027c78162f863911770e949e40338eb39890cda0bbdb541
SHA512 42f87aef6259f93af54078b6206b7e0a0d0b7fb0e993c9f3a40570edd9b41d5cee11ca2943517d8f7551536aa5eece692efb0a81f63506abf9637232d7607be2

memory/3060-17-0x0000000001160000-0x0000000001186000-memory.dmp

memory/1876-19-0x00000000002C0000-0x00000000002E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b4a86880004da8726288d7ec954885a8
SHA1 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256 c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

memory/3060-22-0x0000000001160000-0x0000000001186000-memory.dmp

memory/3060-24-0x0000000001160000-0x0000000001186000-memory.dmp

memory/3060-30-0x0000000001160000-0x0000000001186000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 23:37

Reported

2024-08-06 23:40

Platform

win10v2004-20240802-en

Max time kernel

100s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe

"C:\Users\Admin\AppData\Local\Temp\7c9f1bd7baaa29ad2b15cc74e0be41612b9809946028027617e60a291ce2cfed.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.58.20.217.in-addr.arpa | udp
KR | 218.54.47.76:11120 | (none) | tcp
KR | 218.54.47.74:11150 | (none) | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
KR | 218.54.47.76:11170 | (none) | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
KR | 218.54.47.77:11150 | (none) | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

memory/2432-0-0x00000000000B0000-0x00000000000D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 dd8111c9f18dc2393c30547c32c043ae
SHA1 c3857491d272016076acd21452eed287f0efacf1
SHA256 fa4ac4386b6894c0b3779e1d9d6f4f64bccac39406a70a43ce646ce71e5f7ff5
SHA512 dfe5d5212c8f57082fc22e8dde973acecce08a26d96ef77845ee4e5976a2f56a824177e0484d97db3846668ad756dbceef4ed1b316429cab73225ab03a3f6c2d

memory/4872-12-0x0000000000120000-0x0000000000146000-memory.dmp

memory/2432-15-0x00000000000B0000-0x00000000000D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 742ca291db423d34618f3829a135cd9c
SHA1 0c00fcff458090048e2715eaa9da17c11002a8ce
SHA256 0514ba7fa6782519d027c78162f863911770e949e40338eb39890cda0bbdb541
SHA512 42f87aef6259f93af54078b6206b7e0a0d0b7fb0e993c9f3a40570edd9b41d5cee11ca2943517d8f7551536aa5eece692efb0a81f63506abf9637232d7607be2

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b4a86880004da8726288d7ec954885a8
SHA1 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256 c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

memory/4872-18-0x0000000000120000-0x0000000000146000-memory.dmp

memory/4872-20-0x0000000000120000-0x0000000000146000-memory.dmp

memory/4872-27-0x0000000000120000-0x0000000000146000-memory.dmp