Malware Analysis Report

2024-11-16 13:28

Sample ID: 240808-2v9pes1hnk
Target: 7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5
SHA256: 7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5
Tags: urelas discovery trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5

Threat Level: Known bad

The file 7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-08 22:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-08 22:55
Reported: 2024-08-08 22:57
Platform: win7-20240705-en
Max time kernel: 121s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe

"C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | | tcp
KR | 218.54.47.74:11150 | | tcp
KR | 218.54.47.76:11170 | | tcp
KR | 218.54.47.77:11150 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 5c832aa84399bbed00e0b433171f1b31
SHA1 e64e2de779a8b672e80ab009920f2be9dd1b4b34
SHA256 85733e200b497ce2eb13b53143820d334fba403cfe3e6af7fe0d3d6f296bfbfa
SHA512 a36ce7fe681f0362e439089e6db3a8e56abdcafb07120740dc95dcf37329c17eae1cd8c056e0a0890f817b1c2cfa26ae3e54fb650efce00c6b3debef01dcc7d2

memory/2092-19-0x0000000000010000-0x0000000000037000-memory.dmp

memory/2292-16-0x0000000000D60000-0x0000000000D87000-memory.dmp

memory/2092-15-0x0000000001CF0000-0x0000000001D17000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 83868ea232b17dfb5d78dfbbbb97dd6c
SHA1 8ea8e7e9e71d8e9ac4694f35410375871c12e9ab
SHA256 ba1d07e7222d8b5c30c85dc4706cec58c5cc8625dba9f28c5bfd5aa74c226669
SHA512 40dfafa28d3574cb3e4d748bcf64182137a7f31252e03aec3d14fe7e26112563129d4119dfa53442b3eaa6d480897c7724c953249bcc630126e9d9c54d12688a

memory/2092-0-0x0000000000010000-0x0000000000037000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 1c9b2720af0ca9528b47898d9c7f4799
SHA1 80495f16e333f54ecc700252323c2a7cb7d751e1
SHA256 d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5
SHA512 5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

memory/2292-22-0x0000000000D60000-0x0000000000D87000-memory.dmp

memory/2292-24-0x0000000000D60000-0x0000000000D87000-memory.dmp

memory/2292-31-0x0000000000D60000-0x0000000000D87000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-08 22:55
Reported: 2024-08-08 22:57
Platform: win10v2004-20240802-en
Max time kernel: 93s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe

"C:\Users\Admin\AppData\Local\Temp\7990d0f4d31f9b38d6f900f38ba04b8cb6fa89fb70e3da18e135f17e4ad684a5.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
KR | 218.54.47.76:11120 | | tcp
KR | 218.54.47.74:11150 | | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
KR | 218.54.47.76:11170 | | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
KR | 218.54.47.77:11150 | | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

memory/3732-0-0x0000000000060000-0x0000000000087000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 d92d90db5eb9243ffb1b76b767e9f8e9
SHA1 a03910597f05300fb7ada646be19d03a2cda83ff
SHA256 48c4793c25eb223eb36220536f77aa6561fead3c21d1b09cb319cdec4cb9c15a
SHA512 d9008891c1f2fc38714ca85dde47a4cf730fd2da5a677378efe5fb853be156d6667805879c1e04dd4e462b79f8c0abd379fa60aef2516f252eaa83efc16d82fb

memory/804-15-0x00000000007F0000-0x0000000000817000-memory.dmp

memory/3732-18-0x0000000000060000-0x0000000000087000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 5c832aa84399bbed00e0b433171f1b31
SHA1 e64e2de779a8b672e80ab009920f2be9dd1b4b34
SHA256 85733e200b497ce2eb13b53143820d334fba403cfe3e6af7fe0d3d6f296bfbfa
SHA512 a36ce7fe681f0362e439089e6db3a8e56abdcafb07120740dc95dcf37329c17eae1cd8c056e0a0890f817b1c2cfa26ae3e54fb650efce00c6b3debef01dcc7d2

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 1c9b2720af0ca9528b47898d9c7f4799
SHA1 80495f16e333f54ecc700252323c2a7cb7d751e1
SHA256 d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5
SHA512 5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

memory/804-21-0x00000000007F0000-0x0000000000817000-memory.dmp

memory/804-23-0x00000000007F0000-0x0000000000817000-memory.dmp

memory/804-29-0x00000000007F0000-0x0000000000817000-memory.dmp