Malware Analysis Report

2024-11-16 13:26

Sample ID 241010-z7ecyaxcna
Target 4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb
SHA256 4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb

Threat Level: Known bad

The file 4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 21:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 21:21

Reported

2024-10-10 21:23

Platform

win7-20240729-en

Max time kernel

89s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe

"C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
KR 218.54.47.76:11170 tcp
KR 218.54.47.77:11150 tcp

Files

memory/1744-0-0x0000000000A50000-0x0000000000A75000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 ddff2b771dc90cb22936a12df73c8370
SHA1 ad2ffa9d19960af4a524eb9cda468911644769f1
SHA256 de429009498a4290c55ac6396421f1a7db57a8f9606c08733614735e10c5ee90
SHA512 4709441d115f72a7a1180d1e3c86ed203e3eee9f2432c995e67d43540c0d4c9fbd08c6b542db23c2b7273c62dc2c3ecffad26222d97f836d8b904085eca41b9a

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 81636de2e91f2cf944a42f5849c54575
SHA1 f5d5fe65461deabd03da16d528c7ccace6557c73
SHA256 5a8e87ab4a66938bdab75b6aa5d0cec15c528d3d1f11d50759ca7e01730bb66d
SHA512 34f07e2a439e36cd4282b62fc10d1b9f80468525f1b138b7405eb2bf4381ee9c99e936ee33977fe6a96b915b484cd7599fc8c393f7402f3227e6ece321449ea0

memory/1744-19-0x0000000000A50000-0x0000000000A75000-memory.dmp

memory/2152-17-0x0000000000A10000-0x0000000000A35000-memory.dmp

memory/1744-8-0x00000000009C0000-0x00000000009E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 efd90b3ac908d5482af367de3a82184a
SHA1 de9f01d2ed0247b7b347e55c5a09721a60147fb9
SHA256 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d
SHA512 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

memory/2152-22-0x0000000000A10000-0x0000000000A35000-memory.dmp

memory/2152-24-0x0000000000A10000-0x0000000000A35000-memory.dmp

memory/2152-31-0x0000000000A10000-0x0000000000A35000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 21:21

Reported

2024-10-10 21:23

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe

"C:\Users\Admin\AppData\Local\Temp\4e41dd38ae85aa7aa1770e07d8318522be0fa5807a6fb1a1faafdcd6f7e5dbfb.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
KR 218.54.47.76:11120 tcp
KR 218.54.47.74:11150 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
KR 218.54.47.76:11170 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
KR 218.54.47.77:11150 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.64.52.20.in-addr.arpa udp

Files

memory/4076-0-0x0000000000F80000-0x0000000000FA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 5babbf5125765032d24d9928826e97e7
SHA1 00ac9dfef75e296f79194ed7c090162d8aa03afa
SHA256 2016fc8cb48ef14f460290a7a2af586237d10e51bfb7cbf1889590dfa70674b4
SHA512 d620afab5310f3a92763cf2c29de4f32ae242da70ef2aa2447e51f0b133f9e8d7a6d8ea19bb13f32cef9996361187ea7086fd15347e6f9e94004e5dca80a63aa

memory/1988-13-0x0000000000EE0000-0x0000000000F05000-memory.dmp

memory/4076-18-0x0000000000F80000-0x0000000000FA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 81636de2e91f2cf944a42f5849c54575
SHA1 f5d5fe65461deabd03da16d528c7ccace6557c73
SHA256 5a8e87ab4a66938bdab75b6aa5d0cec15c528d3d1f11d50759ca7e01730bb66d
SHA512 34f07e2a439e36cd4282b62fc10d1b9f80468525f1b138b7405eb2bf4381ee9c99e936ee33977fe6a96b915b484cd7599fc8c393f7402f3227e6ece321449ea0

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 efd90b3ac908d5482af367de3a82184a
SHA1 de9f01d2ed0247b7b347e55c5a09721a60147fb9
SHA256 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d
SHA512 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

memory/1988-21-0x0000000000EE0000-0x0000000000F05000-memory.dmp

memory/1988-23-0x0000000000EE0000-0x0000000000F05000-memory.dmp

memory/1988-29-0x0000000000EE0000-0x0000000000F05000-memory.dmp