Malware Analysis Report

2024-11-16 13:28

Sample ID 240814-bk7tzatdlb
Target b00a3c21f17a72955210061b96699f00N.exe
SHA256 c79270e4b69116574c9311790949685c355fcc977364fde0649a4448b87b14a3
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c79270e4b69116574c9311790949685c355fcc977364fde0649a4448b87b14a3

Threat Level: Known bad

The file b00a3c21f17a72955210061b96699f00N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 01:13

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 01:13

Reported

2024-08-14 01:15

Platform

win7-20240704-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe

"C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
KR 218.54.47.76:11170 tcp
KR 218.54.47.77:11150 tcp

Files

memory/2696-0-0x0000000001180000-0x00000000011A7000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 d00ecb84eec8b5de97d2f9232bf91f77
SHA1 ca5df309522efdac32807929497faf68b709f2a8
SHA256 aeb54466894734e7c5cd2f18df84e22765dcec2f349e335c3e3ffde2041f2847
SHA512 b109a66e0c8be6f4a9bbd31e5f662fa4871516d6fa56ad7b41d5fd2048ba7c8286036121f73f719ce91337e53b74ce864408c0ecae62f6371f56fb8632a78aaa

memory/2696-6-0x0000000000690000-0x00000000006B7000-memory.dmp

memory/2740-10-0x0000000000D40000-0x0000000000D67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 c00921fb82a42073851c2c99a9a936ae
SHA1 17bd85b0c47838945bf77c2ff39aa6a13d3d5223
SHA256 77e312f4e1b482da638d4f18dab3e8b88c69f07dcf99f6b6f54580a31b4d3580
SHA512 af2b88060e91fab25c44d2ad5f48de6eac3933c0857dbb71c085850a8f28e7812d8148f530feb48e59ac9ad99b6d0572bb336574a0f76729b63f0a434f651e30

memory/2696-18-0x0000000001180000-0x00000000011A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 0ecda9ecaa423d5a8481985b7d3d5a77
SHA1 ecc237c20c234cf9c0e20b39a39ab27244dc7971
SHA256 caed69520592602de846673610507a47e22e0fb108e8e88ba1a85b314607f0a9
SHA512 82ce4bfc411781d187b6151383064f18e22b37f5f03d783476fed1c8ba74ee38dc74b16badf96961e22d6b63ae31425ae785c17fa3bd5d767ae3b0bd9652fe3a

memory/2740-21-0x0000000000D40000-0x0000000000D67000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 01:13

Reported

2024-08-14 01:15

Platform

win10v2004-20240802-en

Max time kernel

98s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe

"C:\Users\Admin\AppData\Local\Temp\b00a3c21f17a72955210061b96699f00N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
KR 218.54.47.76:11120 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
KR 218.54.47.74:11150 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
KR 218.54.47.76:11170 tcp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
KR 218.54.47.77:11150 tcp

Files

memory/4080-0-0x00000000008E0000-0x0000000000907000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 77bb0c1c554b1bc95fefd7eecf026da3
SHA1 5deb239436014d9b0c43e87f8794d5ba2dbe1780
SHA256 fe9b26fb5c9cd6ecf995f861e692d3f9e96f0f04b0683c2838bc2ba7ac9f39d7
SHA512 fa4f80d94598f428ab32ff09bd8305241016ed25f3a9f9694868aeea933cd0cdaa97ebc64aa2a7496cfe83e333b7f2c20465462a7ebf9ce6f584420e50d669bd

memory/4652-15-0x0000000000C90000-0x0000000000CB7000-memory.dmp

memory/4080-17-0x00000000008E0000-0x0000000000907000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 c00921fb82a42073851c2c99a9a936ae
SHA1 17bd85b0c47838945bf77c2ff39aa6a13d3d5223
SHA256 77e312f4e1b482da638d4f18dab3e8b88c69f07dcf99f6b6f54580a31b4d3580
SHA512 af2b88060e91fab25c44d2ad5f48de6eac3933c0857dbb71c085850a8f28e7812d8148f530feb48e59ac9ad99b6d0572bb336574a0f76729b63f0a434f651e30

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 0ecda9ecaa423d5a8481985b7d3d5a77
SHA1 ecc237c20c234cf9c0e20b39a39ab27244dc7971
SHA256 caed69520592602de846673610507a47e22e0fb108e8e88ba1a85b314607f0a9
SHA512 82ce4bfc411781d187b6151383064f18e22b37f5f03d783476fed1c8ba74ee38dc74b16badf96961e22d6b63ae31425ae785c17fa3bd5d767ae3b0bd9652fe3a

memory/4652-20-0x0000000000C90000-0x0000000000CB7000-memory.dmp