Malware Analysis Report

2024-11-16 13:25

Sample ID 241010-hz3bcswfkl
Target 592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N
SHA256 592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85

Threat Level: Known bad

The file 592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 07:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 07:11

Reported

2024-10-10 07:13

Platform

win7-20240729-en

Max time kernel

89s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe

"C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 218.54.47.76:11120 N/A tcp
KR 218.54.47.74:11150 N/A tcp
KR 218.54.47.76:11170 N/A tcp
KR 218.54.47.77:11150 N/A tcp

Files

memory/1520-0-0x00000000000C0000-0x00000000000F5000-memory.dmp

memory/1520-18-0x0000000000510000-0x0000000000545000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 3775a1ae7984061b1bc1d54072a64e7e
SHA1 48522f84f54b7e1191edd3ff06c97cddad081610
SHA256 f060e3eba12f776fd357abb731f5fbd9518068d349ba9510eaeb93d45b1e6cb9
SHA512 6233997891ad5fa87bb6840f7fad516ed75ea2481cfa313b7e73750371341ebba2ce8505625ca0cce22296c3e77d13e4e525d95f129b7b74d0a980ce2283d506

memory/1944-19-0x0000000000040000-0x0000000000075000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 29bddbeacfa12a1b1c86f62e7589b299
SHA1 9fd051c969b5cdeba63f3bc845a15029933674b5
SHA256 86c2f9ad0c8b363b086b3be3d9363b0ed5593119c13e4f56f85dbdf53962d8a8
SHA512 906131c5b611e06ffb9108858237bb86e594a963c95b67c441f476c5491c3e4f6fe9aaf1b70614b0249168aac027c570cc59de25542fd6d6455c6ad924597c18

memory/1520-17-0x00000000000C0000-0x00000000000F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55e10a9af74d3f3fa5ae3cb7ff5ad9d4
SHA1 449221fd8d7196a54de2bd583625d8d1b64db56a
SHA256 a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1
SHA512 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

memory/1520-22-0x0000000000510000-0x0000000000545000-memory.dmp

memory/1944-23-0x0000000000040000-0x0000000000075000-memory.dmp

memory/1944-26-0x0000000000040000-0x0000000000075000-memory.dmp

memory/1944-33-0x0000000000040000-0x0000000000075000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 07:11

Reported

2024-10-10 07:13

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe

"C:\Users\Admin\AppData\Local\Temp\592e645038130e63a594a538c582b0e5199e98b69b37e02a519d992057923a85N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
KR 218.54.47.76:11120 N/A tcp
KR 218.54.47.74:11150 N/A tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
KR 218.54.47.76:11170 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
KR 218.54.47.77:11150 N/A tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

memory/844-0-0x00000000006D0000-0x0000000000705000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 e579b202ac41292a8ab8b561347287c3
SHA1 b086c547c04977efd097b2c9b33ddc961b22c3b7
SHA256 f88667440fb716a3f23d7067cf8a7baa8c2eb8b0e351a7c939f4418714215735
SHA512 ce5261dbd9ade2eb87aca2804c68d6d505f1cb22e7ec498433bb948caa06628f22eddeddba2e1ded82c200bd8470147c254f709802ee04d36a6a774c544c70d1

memory/4956-10-0x0000000000B00000-0x0000000000B35000-memory.dmp

memory/844-15-0x00000000006D0000-0x0000000000705000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 3775a1ae7984061b1bc1d54072a64e7e
SHA1 48522f84f54b7e1191edd3ff06c97cddad081610
SHA256 f060e3eba12f776fd357abb731f5fbd9518068d349ba9510eaeb93d45b1e6cb9
SHA512 6233997891ad5fa87bb6840f7fad516ed75ea2481cfa313b7e73750371341ebba2ce8505625ca0cce22296c3e77d13e4e525d95f129b7b74d0a980ce2283d506

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55e10a9af74d3f3fa5ae3cb7ff5ad9d4
SHA1 449221fd8d7196a54de2bd583625d8d1b64db56a
SHA256 a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1
SHA512 4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

memory/4956-18-0x0000000000B00000-0x0000000000B35000-memory.dmp

memory/4956-20-0x0000000000B00000-0x0000000000B35000-memory.dmp

memory/4956-27-0x0000000000B00000-0x0000000000B35000-memory.dmp