Malware Analysis Report

2024-11-16 13:28

Sample ID 240806-shk1vsscnk
Target c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe
SHA256 12efad2cf07da1cc5c0013bea8fa60b3cbf8b8e0b30a5dd356f5cae8003cf303
Tags
urelas discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 12efad2cf07da1cc5c0013bea8fa60b3cbf8b8e0b30a5dd356f5cae8003cf303

Threat Level: Known bad

The file c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-06 15:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-06 15:07

Reported: 2024-08-06 15:09

Platform: win7-20240705-en

Max time kernel: 89s

Max time network: 87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe

"C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | | tcp
KR | 218.54.47.74:11150 | | tcp
KR | 218.54.47.76:11170 | | tcp
KR | 218.54.47.77:11150 | | tcp

Files

memory/580-0-0x0000000001370000-0x0000000001395000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 45aa37cb4ba13b358cb994de6f731346
SHA1 c141cc89f6a32ca5158f18f457c313898cae490f
SHA256 a10ea6d2118c6c30cf5ab4fd646fbb22e95137f60492168dee306698fd5090a3
SHA512 bc5fa2d89a07f4861c85e70744176fddf14ddb9653dc61be8571cb96ac3f492aed4afee254810e08013b984837f6100b6aafd927bf77619c521fc55f062817b1

memory/1652-17-0x0000000000350000-0x0000000000375000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 92ec417aef2021a405bdc3937ca8c169
SHA1 f09e6b7ab8c2511030dae91392e149f9f3a9b319
SHA256 ac75dd1269f0aedc8d5956ad79c398248f2a0d82d5713eea3d245daffd0ad716
SHA512 344e3507b8a5c0fd5234112d6c23e4ef44ed938b9d694a1e4a313ace686a1b9e2f5a004218b836d9b12f303db3eb2db45de1fe9bb17c4320a95b38614420e968

memory/580-16-0x00000000009B0000-0x00000000009D5000-memory.dmp

memory/580-18-0x0000000001370000-0x0000000001395000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 657ce9e5dd337971e44dfb9cb3fbf7dd
SHA1 026734083afaa4b7d298781b26a72ac9b67ac831
SHA256 3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472
SHA512 79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d

memory/1652-21-0x0000000000350000-0x0000000000375000-memory.dmp

memory/1652-23-0x0000000000350000-0x0000000000375000-memory.dmp

memory/1652-29-0x0000000000350000-0x0000000000375000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-06 15:07

Reported: 2024-08-06 15:09

Platform: win10v2004-20240802-en

Max time kernel: 94s

Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe

"C:\Users\Admin\AppData\Local\Temp\c2152cf6e1df9e6b8db5cd728bf1b0a0N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
KR | 218.54.47.76:11120 | | tcp
KR | 218.54.47.74:11150 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp
KR | 218.54.47.76:11170 | | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
KR | 218.54.47.77:11150 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

memory/4880-0-0x0000000000670000-0x0000000000695000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 7e684c4a31029a78aa6cd16ff48b45ba
SHA1 4880467336a8b14d67a867f8e1f53d3978da60fe
SHA256 f15efdea2ccb5d1b891797c4832e337a15ec716c7ebc57eccd04e63cd9c069d6
SHA512 419a8db7369c9c0048d87d66e890d6210f4e634720d19dc90914823e00d8b7538bcb01fedd854bc6573b91346ac841eb2e60bc914ea065a27d84913ac795bb12

memory/4412-15-0x0000000000050000-0x0000000000075000-memory.dmp

memory/4880-17-0x0000000000670000-0x0000000000695000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 92ec417aef2021a405bdc3937ca8c169
SHA1 f09e6b7ab8c2511030dae91392e149f9f3a9b319
SHA256 ac75dd1269f0aedc8d5956ad79c398248f2a0d82d5713eea3d245daffd0ad716
SHA512 344e3507b8a5c0fd5234112d6c23e4ef44ed938b9d694a1e4a313ace686a1b9e2f5a004218b836d9b12f303db3eb2db45de1fe9bb17c4320a95b38614420e968

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 657ce9e5dd337971e44dfb9cb3fbf7dd
SHA1 026734083afaa4b7d298781b26a72ac9b67ac831
SHA256 3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472
SHA512 79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d

memory/4412-20-0x0000000000050000-0x0000000000075000-memory.dmp

memory/4412-22-0x0000000000050000-0x0000000000075000-memory.dmp

memory/4412-28-0x0000000000050000-0x0000000000075000-memory.dmp