Malware Analysis Report

2024-11-16 13:26

Sample ID 241009-afdjws1grj
Target 8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN
SHA256 8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781f
Tags: urelas discovery trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781f

Threat Level: Known bad

The file 8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 00:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 00:08

Reported

2024-10-09 00:11

Platform

win7-20240903-en

Max time kernel

89s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe"

Signatures

Urelas

Tags: trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe

"C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 218.54.47.76:11120 - tcp
KR 218.54.47.74:11150 - tcp
KR 218.54.47.76:11170 - tcp
KR 218.54.47.77:11150 - tcp

Files

memory/2788-0-0x0000000000200000-0x0000000000225000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 d034258c8a117330b037e147dc4a8c31
SHA1 c7019b445d9af7fadb62d29caa87bb7cf10ff1c4
SHA256 1bcd3d5d90d0b4bc179f8dd9bee29cb0f77919a4abe28ec85f2c4cd9f22cbb0f
SHA512 c7f6b903ac84ca5d0c4de12f37343c3dba9440d6fc6bbc4c5b978b8188e72b5e387c005c9c1d7e1df151ce4b81b061fffb08e962294745f99b1cc9be33952e5c

memory/2788-6-0x0000000001D80000-0x0000000001DA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 e5c2a54d6541cc1e6cf6a37b844ee0e1
SHA1 b969a707b11fcf16cb74c979047434438f7f2258
SHA256 550f9c934e86a7cf394aa1e37b5d117dff8c5893c0142352d7c529d7f670d25b
SHA512 ab4abbc3202f9727b5b67610f9750cd92229e8b8ab00d2322dee631864c210b11441e381cddd06bbd93bc6b26fd98291d9cf6760561183a48fb4f6f6a0ad8add

memory/2788-18-0x0000000000200000-0x0000000000225000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 efd90b3ac908d5482af367de3a82184a
SHA1 de9f01d2ed0247b7b347e55c5a09721a60147fb9
SHA256 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d
SHA512 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

memory/2164-21-0x0000000000260000-0x0000000000285000-memory.dmp

memory/2164-23-0x0000000000260000-0x0000000000285000-memory.dmp

memory/2164-30-0x0000000000260000-0x0000000000285000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 00:08

Reported

2024-10-09 00:11

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe"

Signatures

Urelas

Tags: trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe

"C:\Users\Admin\AppData\Local\Temp\8ee91982fbb52fbfa488c37659ecba4f8d7898dd4c5f34de4e949654037f781fN.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
KR 218.54.47.76:11120 - tcp
KR 218.54.47.74:11150 - tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
KR 218.54.47.76:11170 - tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
KR 218.54.47.77:11150 - tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/3456-0-0x0000000000350000-0x0000000000375000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 9643ad261f94d359af79e2c39c26dcd4
SHA1 fc618a7eb66c95106d4b9f3108e8f6f4c70ad45f
SHA256 52fc3d31bc24bd5f5002e2e5e9d6924f80ec1237563c562e0a8e21c45c63a042
SHA512 83f032a75d52bf79fb11b5bed9975c502c108549fa8ba90bd83add2c53af5b3b2ea712c287c5f946f7b2730fc8969356a7f15b3fd63f9f186595d20a92e96552

memory/4156-15-0x0000000000D00000-0x0000000000D25000-memory.dmp

memory/3456-17-0x0000000000350000-0x0000000000375000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 e5c2a54d6541cc1e6cf6a37b844ee0e1
SHA1 b969a707b11fcf16cb74c979047434438f7f2258
SHA256 550f9c934e86a7cf394aa1e37b5d117dff8c5893c0142352d7c529d7f670d25b
SHA512 ab4abbc3202f9727b5b67610f9750cd92229e8b8ab00d2322dee631864c210b11441e381cddd06bbd93bc6b26fd98291d9cf6760561183a48fb4f6f6a0ad8add

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 efd90b3ac908d5482af367de3a82184a
SHA1 de9f01d2ed0247b7b347e55c5a09721a60147fb9
SHA256 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d
SHA512 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

memory/4156-20-0x0000000000D00000-0x0000000000D25000-memory.dmp

memory/4156-22-0x0000000000D00000-0x0000000000D25000-memory.dmp

memory/4156-28-0x0000000000D00000-0x0000000000D25000-memory.dmp