Malware Analysis Report

2024-11-16 13:26

Sample ID 241009-2rkwwszgpf
Target 836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf
SHA256 836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf

Threat Level: Known bad

The file 836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 22:48

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 22:48

Reported

2024-10-09 22:51

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sander.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sander.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe

"C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe"

C:\Users\Admin\AppData\Local\Temp\sander.exe

"C:\Users\Admin\AppData\Local\Temp\sander.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "

Network

Country Destination Domain Proto
KR 121.88.5.183:11120 tcp
KR 121.88.5.184:11170 tcp
KR 218.54.30.235:11120 tcp

Files

memory/2292-1-0x0000000000E00000-0x0000000000E82000-memory.dmp

memory/2292-0-0x0000000000E00000-0x0000000000E82000-memory.dmp

\Users\Admin\AppData\Local\Temp\sander.exe

MD5 7eafee011423bbc7a03f9d6902ea11ea
SHA1 75e149f555d2df758f98750ad38d2ee0f3e0ea2b
SHA256 d35724ff1cd3fa0dd84bc148ad7f163662956e9e2ac5b8abe9ed42ef9fec195a
SHA512 f4ba2a1b0475d5205493d516d77e24ef41570023b8ed5939dfcf80d1fde1a3959d7bbfd2c8f771a67d977bd492d0f0bd7d51038c5e0b78387375c52a95880154

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

MD5 fbf013e1f3dc8909c5806662e13ec8c0
SHA1 4a7a31de3408c23e1de4243ef8c113126cfde7fc
SHA256 81fb42d98f502a99ceb69fb0df9c67cb27c8856d77766b13b7a7a6e1eab28a13
SHA512 9192c250ae4dc3197f913f8dc8455ed15489b0d5100f3e6d39781783acd78b52db43f40b9599ad4ee879806ed066ea593c582f06eeb98461d6817962220668ab

memory/2292-19-0x0000000000D60000-0x0000000000DE2000-memory.dmp

memory/2292-18-0x0000000000E00000-0x0000000000E82000-memory.dmp

memory/2320-20-0x0000000001280000-0x0000000001302000-memory.dmp

memory/2320-16-0x0000000001280000-0x0000000001302000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 145cec05d8d704ff7aa3d812b1aff628
SHA1 097ae09965ed3804359803708b8af87b5b90fcbb
SHA256 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea
SHA512 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

memory/2320-23-0x0000000001280000-0x0000000001302000-memory.dmp

memory/2320-24-0x0000000001280000-0x0000000001302000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 22:48

Reported

2024-10-09 22:51

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sander.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sander.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe

"C:\Users\Admin\AppData\Local\Temp\836ab70974363b42bac1efc3107febc7cb063cbd0b473521284f1f1354462abf.exe"

C:\Users\Admin\AppData\Local\Temp\sander.exe

"C:\Users\Admin\AppData\Local\Temp\sander.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
KR 121.88.5.183:11120 tcp
KR 121.88.5.184:11170 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
KR 218.54.30.235:11120 tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4728-0-0x0000000000860000-0x00000000008E2000-memory.dmp

memory/4728-1-0x0000000000860000-0x00000000008E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sander.exe

MD5 781b61f74dbe208d4339190bbfd5a660
SHA1 c2a878a4f714b01c2bb13dc3851567f469ea1cc7
SHA256 95d7498efd61a681ef31dbd852c728082a50e4f4dea06e4b99d9002c6ea98e01
SHA512 da69a492691b7ceb01e90c8ed6c82730de408471e95330963e0c419170df6dfadb6cf4ad9836d2ecc6d5cd31657893424c17d8c94e45c46ed89d2a2d8b182539

memory/2996-14-0x0000000000920000-0x00000000009A2000-memory.dmp

memory/4728-16-0x0000000000860000-0x00000000008E2000-memory.dmp

memory/2996-11-0x0000000000920000-0x00000000009A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

MD5 fbf013e1f3dc8909c5806662e13ec8c0
SHA1 4a7a31de3408c23e1de4243ef8c113126cfde7fc
SHA256 81fb42d98f502a99ceb69fb0df9c67cb27c8856d77766b13b7a7a6e1eab28a13
SHA512 9192c250ae4dc3197f913f8dc8455ed15489b0d5100f3e6d39781783acd78b52db43f40b9599ad4ee879806ed066ea593c582f06eeb98461d6817962220668ab

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 145cec05d8d704ff7aa3d812b1aff628
SHA1 097ae09965ed3804359803708b8af87b5b90fcbb
SHA256 66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea
SHA512 1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

memory/2996-19-0x0000000000920000-0x00000000009A2000-memory.dmp

memory/2996-20-0x0000000000920000-0x00000000009A2000-memory.dmp