Malware Analysis Report

2024-11-16 13:26

Sample ID 241009-r55hca1hlc
Target 7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N
SHA256 7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1
Tags: urelas discovery trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1

Threat Level: Known bad

The file 7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 14:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 14:47

Reported

2024-10-09 14:49

Platform

win7-20240729-en

Max time kernel

92s

Max time network

70s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe

"C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe"

C:\Users\Admin\AppData\Local\Temp\shoste.exe

"C:\Users\Admin\AppData\Local\Temp\shoste.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 121.88.5.183:11120 | | tcp
KR | 121.88.5.184:11170 | | tcp
KR | 218.54.28.139:11120 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 1e0fda6d58274dbbd94c1ad912d3d7bb
SHA1 ca4ad6544c472c7af4974575d9932f3fe2dca9cb
SHA256 3d6c75cc51dc2a973048a92de79c3f1fc67932e35bd851d7388e3c41e73fed3f
SHA512 c6c2802e3fe336f73ec0467954274c3a2a2d821cdb88cede22a00551d5271b6b0279604d7b54bee14843e4a70ac9986d2d5d7db2d72a8ab09183ab0948df8482

memory/376-18-0x0000000000090000-0x00000000000C5000-memory.dmp

memory/2304-10-0x00000000011D0000-0x0000000001205000-memory.dmp

memory/376-9-0x0000000001DF0000-0x0000000001E25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\shoste.exe

MD5 b4658af7d8b2585e4a39d3db56e52ac5
SHA1 a59a677d9bca91998602d0901b142154fae23a0c
SHA256 d8c1865f2884302c0e798e9229af87502c4fab91335b4a3c7030523e33191a8a
SHA512 887b6d04b8401296732295a49569409f68196be00001d2330fb9d7e4db035fc915f82f5e008483e21282329a61e97b44f17121af8848332b99a8cd284a408680

memory/376-0-0x0000000000090000-0x00000000000C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 f51c1462254f3bb8aa00201af0b0a030
SHA1 60d3c892bb5c4f654c318451012f936d81164418
SHA256 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5
SHA512 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

memory/2304-21-0x00000000011D0000-0x0000000001205000-memory.dmp

memory/2304-28-0x00000000011D0000-0x0000000001205000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 14:47

Reported

2024-10-09 14:49

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe

"C:\Users\Admin\AppData\Local\Temp\7980568458b51b6953a9179802915045073a30f35ff1a330edaf972d3e711fe1N.exe"

C:\Users\Admin\AppData\Local\Temp\shoste.exe

"C:\Users\Admin\AppData\Local\Temp\shoste.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
KR | 121.88.5.183:11120 | | tcp
KR | 121.88.5.184:11170 | | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
KR | 218.54.28.139:11120 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

memory/2276-0-0x0000000000150000-0x0000000000185000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\shoste.exe

MD5 2a9769c7c150e3e4ab9748dd238b3bf0
SHA1 a6fece983c57543eb0a3cfe90415abb01250da76
SHA256 979b56288a54b1b9f46d078af5bda33aed53142971de851b39b09b721b454fb9
SHA512 bca90b56c956fd4093ea65ea320a35bb3fb3f812767641c1dd3ebeb74ef073e7ee365d0199ee8b811a57f0192602e51760b3620814d48a00b97be2def6fc9486

memory/3332-10-0x0000000000340000-0x0000000000375000-memory.dmp

memory/2276-14-0x0000000000150000-0x0000000000185000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 1e0fda6d58274dbbd94c1ad912d3d7bb
SHA1 ca4ad6544c472c7af4974575d9932f3fe2dca9cb
SHA256 3d6c75cc51dc2a973048a92de79c3f1fc67932e35bd851d7388e3c41e73fed3f
SHA512 c6c2802e3fe336f73ec0467954274c3a2a2d821cdb88cede22a00551d5271b6b0279604d7b54bee14843e4a70ac9986d2d5d7db2d72a8ab09183ab0948df8482

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 f51c1462254f3bb8aa00201af0b0a030
SHA1 60d3c892bb5c4f654c318451012f936d81164418
SHA256 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5
SHA512 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

memory/3332-17-0x0000000000340000-0x0000000000375000-memory.dmp

memory/3332-23-0x0000000000340000-0x0000000000375000-memory.dmp