Malware Analysis Report

2024-11-16 13:28

Sample ID 240808-xknlzsxfkl
Target 16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8
SHA256 16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8

Threat Level: Known bad

The file 16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8 was found to be: Known bad.

In both detonations (win7-20240708-en and win10v2004-20240802-en) the sample dropped and executed poldge.exe from %TEMP%, wrote golfinfo.ini and sanfdr.bat to the same directory, ran sanfdr.bat through cmd.exe, queried the NLS\Language registry key, and opened outbound TCP connections to three KR addresses (121.88.5.183:11150, 121.88.5.184:11170, 218.54.28.240:11150). Note that the dropped poldge.exe has a different hash in each run (MD5 b4814c520cfe09595459d2699e7715b1 on Windows 7, ba7c3a46bf011cb1b0f5417961ac5cde on Windows 10) while sanfdr.bat and golfinfo.ini are byte-identical across runs, so a hash-only indicator for poldge.exe is unreliable; the file names, the batch-file hash, the cmd.exe command line and the C2 endpoints are the stable indicators.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-08 18:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-08 18:54

Reported

2024-08-08 18:57

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe"

Signatures

Urelas

trojan urelas

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\poldge.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\poldge.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe

"C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe"

C:\Users\Admin\AppData\Local\Temp\poldge.exe

"C:\Users\Admin\AppData\Local\Temp\poldge.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 121.88.5.183:11150 tcp
KR 121.88.5.184:11170 tcp
KR 218.54.28.240:11150 tcp

Files

memory/2332-0-0x0000000000400000-0x000000000043B000-memory.dmp

\Users\Admin\AppData\Local\Temp\poldge.exe

MD5 b4814c520cfe09595459d2699e7715b1
SHA1 4064d399a08b85d9f1ba15126e2784f820c70f44
SHA256 af228849c82312dc85bcbf904856bec02612fa001a702ecacd7e222df15e2a06
SHA512 36a9a6879472b197e3e287315f760a82b3235254aa37c397373a7b831290042ad199d58a8830f32373f9d8d764e77f430490dd9b09b402c8f8ef04ecf2372dc0

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 e0349b3455e3920f262d18fe0449e543
SHA1 28389c9f4493413b0e1457e3735abe5aef8b6352
SHA256 0cbed31d62e6982021e58433f3dc8b50851d141dc4c513a7ede40d7b3d5b8df8
SHA512 49d00244155764f7c645fabf40f471afe24d77c4f26bf88e9b92863f7715f5ee9b7271b2940d87f1e07246d9186cc0f279f1704ef9f0abd88ca23147a8f43b70

memory/1928-17-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2332-16-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 3f372385bf24b44385f4b1251d3aca4d
SHA1 83546de6ba8f20bd08a15896d34f6242ed64352f
SHA256 b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27
SHA512 d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7

memory/1928-20-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1928-26-0x0000000000400000-0x000000000043B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-08 18:54

Reported

2024-08-08 18:57

Platform

win10v2004-20240802-en

Max time kernel

131s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\poldge.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\poldge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe

"C:\Users\Admin\AppData\Local\Temp\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe"

C:\Users\Admin\AppData\Local\Temp\poldge.exe

"C:\Users\Admin\AppData\Local\Temp\poldge.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
KR 121.88.5.183:11150 tcp
KR 121.88.5.184:11170 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
KR 218.54.28.240:11150 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/3448-0-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\poldge.exe

MD5 ba7c3a46bf011cb1b0f5417961ac5cde
SHA1 73687acfdd009833470111a49bbf22bdc5c4bcce
SHA256 7986d37e5126d94b0e84529c528a7418a04dee1c42ab20023f7a1883bf5a68bb
SHA512 6464b67ef66ea0f4bb871ddec1ff1d25cdcf6a1de42622b8c6e72cd2cd3bf0f6ac4eb434346adb0f2a48c03606edb34253c682006a4f844b03c02d52d690fb65

memory/5072-12-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3448-15-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 e0349b3455e3920f262d18fe0449e543
SHA1 28389c9f4493413b0e1457e3735abe5aef8b6352
SHA256 0cbed31d62e6982021e58433f3dc8b50851d141dc4c513a7ede40d7b3d5b8df8
SHA512 49d00244155764f7c645fabf40f471afe24d77c4f26bf88e9b92863f7715f5ee9b7271b2940d87f1e07246d9186cc0f279f1704ef9f0abd88ca23147a8f43b70

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 3f372385bf24b44385f4b1251d3aca4d
SHA1 83546de6ba8f20bd08a15896d34f6242ed64352f
SHA256 b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27
SHA512 d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7

memory/5072-18-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5072-24-0x0000000000400000-0x000000000043B000-memory.dmp
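As an added example (not part of the sandbox report and not code from the Urelas sample), the following Python turns the indicators recorded in the behavioral1 and behavioral2 sections above into detection logic and runs it over constructed Sysmon-style endpoint events. The Event schema, the explorer.exe parent, the PID chosen for cmd.exe and the benign comparison events are assumptions made for the example; the file names, the cmd /c command line shape, the NLS\Language key and the three C2 endpoints come from the report.

```python
"""Detection logic for the Urelas execution chain described in this report.

Indicators (dropped file names, batch invocation, C2 endpoints, registry key)
are copied from the behavioral1/behavioral2 sections; the event format is a
simplified Sysmon-like schema assumed for this example.
"""
import re
from dataclasses import dataclass

# From the report: files dropped into %TEMP%, C2 destinations, discovery key.
DROPPED_NAMES = {"poldge.exe", "sanfdr.bat", "golfinfo.ini"}
URELAS_C2 = {("121.88.5.183", 11150), ("121.88.5.184", 11170), ("218.54.28.240", 11150)}
NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Matches: cmd /c ""C:\...\Temp\sanfdr.bat" "  (the doubled quotes are how cmd /c ran in both detonations)
TEMP_BAT_RE = re.compile(r'/c\s+""?[^"]*\\AppData\\Local\\Temp\\[^"]+\.bat"', re.IGNORECASE)


@dataclass
class Event:
    """Minimal endpoint telemetry record (assumed schema, not Sysmon's real XML)."""
    kind: str                 # "process" | "network" | "registry"
    pid: int
    image: str
    cmdline: str = ""
    parent_image: str = ""
    dest_ip: str = ""
    dest_port: int = 0
    key: str = ""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_urelas(events):
    """Evaluate events against the chain seen in the sandbox.

    Returns {"hits": [(rule, pid, detail), ...], "verdict": "urelas" | None}.
    The verdict needs two independent stages, so a lone cmd.exe reading the
    NLS\\Language key (seen on clean hosts too) never produces a verdict."""
    hits = []
    for e in events:
        if e.kind == "process":
            name = _basename(e.image)
            # Stage 1: a dropped file executed from %TEMP%, spawned by another %TEMP% binary
            if name in DROPPED_NAMES and TEMP_DIR_RE.search(e.image) and TEMP_DIR_RE.search(e.parent_image):
                hits.append(("dropped_exe_from_temp", e.pid, e.image))
            # Stage 2: cmd /c running a batch file from %TEMP% (sanfdr.bat in the report)
            if name == "cmd.exe" and TEMP_BAT_RE.search(e.cmdline):
                hits.append(("temp_batch_via_cmd", e.pid, e.cmdline))
        elif e.kind == "network":
            # Stage 3: outbound connection to one of the KR endpoints from the report
            if (e.dest_ip, e.dest_port) in URELAS_C2:
                hits.append(("urelas_c2_connection", e.pid, f"{e.dest_ip}:{e.dest_port}"))
        elif e.kind == "registry":
            # Supporting signal only: System Language Discovery (ATT&CK T1614.001)
            if e.key.lower() == NLS_LANGUAGE_KEY.lower():
                hits.append(("nls_language_query", e.pid, e.key))
    stages = {rule for rule, _, _ in hits if rule != "nls_language_query"}
    return {"hits": hits, "verdict": "urelas" if len(stages) >= 2 else None}


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\16389a346faf235c2a0be839ddec4d8f359ae1664b1e2da1ad5373a7c3c696c8.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# Constructed events modelled on behavioral1 (PIDs 2332/1928 are the memory-dump PIDs in the report;
# the explorer.exe parent and the cmd.exe PID 2400 are assumed).
SANDBOX_RUN = [
    Event("process", 2332, SAMPLE, f'"{SAMPLE}"', "C:\\Windows\\explorer.exe"),
    Event("process", 1928, TEMP + "poldge.exe", f'"{TEMP}poldge.exe"', SAMPLE),
    Event("registry", 1928, TEMP + "poldge.exe", key=NLS_LANGUAGE_KEY),
    Event("process", 2400, "C:\\Windows\\SysWOW64\\cmd.exe", f'cmd /c ""{TEMP}sanfdr.bat" "', SAMPLE),
    Event("network", 1928, TEMP + "poldge.exe", dest_ip="121.88.5.183", dest_port=11150),
    Event("network", 1928, TEMP + "poldge.exe", dest_ip="218.54.28.240", dest_port=11150),
]

# Constructed benign activity: cmd.exe reading the NLS key and a DNS lookup must not trigger a verdict.
BENIGN_RUN = [
    Event("registry", 800, "C:\\Windows\\System32\\cmd.exe", key=NLS_LANGUAGE_KEY),
    Event("network", 900, "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
          dest_ip="8.8.8.8", dest_port=53),
]

if __name__ == "__main__":
    for label, run in (("sandbox", SANDBOX_RUN), ("benign", BENIGN_RUN)):
        result = detect_urelas(run)
        print(label, result["verdict"], [h[0] for h in result["hits"]])
```

The rules deliberately key on the stable indicators (file names in %TEMP%, the cmd /c batch invocation, the C2 IP:port pairs) rather than on the hash of poldge.exe, which differs between the two detonations in this report; the registry query is kept as a supporting hit only, because cmd.exe touches that key in both runs and would otherwise cause false positives on clean hosts.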