Malware Analysis Report

2024-11-16 13:26

Sample ID 241012-rjslnayfrm
Target ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N
SHA256 ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2

Threat Level: Known bad

The file ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-12 14:13

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 14:13

Reported

2024-10-12 14:16

Platform

win7-20240729-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe

"C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination         Domain  Proto
KR       218.54.47.76:11120  -       tcp
KR       218.54.47.74:11150  -       tcp
KR       218.54.47.76:11170  -       tcp
KR       218.54.47.77:11150  -       tcp

Files

memory/2580-0-0x0000000000BC0000-0x0000000000BE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 f13df147bd81a358f5d3b17c03c8f509
SHA1 6e6844158852e316ac947c446ad8e0a1d2c9dd26
SHA256 8ea6308f4d5f7b4b4f8258e66756851e968dc5f3bb3d52bfaa3e71eba4b5c6d4
SHA512 cae55d43ca5de89973d110335460edec5b76dfc55b313c5920da9c0f9b9117e727f989b47ff922d25d27fa5912fab3a4265ce622012eb680bb4a1e9b52d0ca5f

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 52de364334f68538894034967dfa7b25
SHA1 d394b860ff927b3ea1504d8bbf73aaa61a450895
SHA256 32c8eaa5d1514a1b8920543cbb2e86686812ef8d678ab6a092686398679beb01
SHA512 45aeecea873ce57713bc49e65fb398f90a725ad1210e9b31feee0debe6a9df31c9c7345f1f5546b56cfa52c6ed1de0542ebf405aa0352ebed302bbc3b1407de5

memory/2052-10-0x0000000000C70000-0x0000000000C95000-memory.dmp

memory/2580-9-0x00000000003D0000-0x00000000003F5000-memory.dmp

memory/2580-19-0x0000000000BC0000-0x0000000000BE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 efd90b3ac908d5482af367de3a82184a
SHA1 de9f01d2ed0247b7b347e55c5a09721a60147fb9
SHA256 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d
SHA512 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

memory/2052-22-0x0000000000C70000-0x0000000000C95000-memory.dmp

memory/2052-24-0x0000000000C70000-0x0000000000C95000-memory.dmp

memory/2052-31-0x0000000000C70000-0x0000000000C95000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 14:13

Reported

2024-10-12 14:16

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe

"C:\Users\Admin\AppData\Local\Temp\ec95dfc127a1053672f3f078925436c9d3c52e72e6ea6678607f4a43bffc06d2N.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          72.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa     udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa     udp
KR       218.54.47.76:11120  -                             tcp
KR       218.54.47.74:11150  -                             tcp
US       8.8.8.8:53          212.20.149.52.in-addr.arpa    udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa      udp
KR       218.54.47.76:11170  -                             tcp
KR       218.54.47.77:11150  -                             tcp
US       8.8.8.8:53          43.229.111.52.in-addr.arpa    udp

Files

memory/1156-0-0x0000000000A80000-0x0000000000AA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 99c4f74a1d7f2b0c9b0711f0c01ee666
SHA1 20fbe25ae69238779891ac7b3b29bcde15b4b927
SHA256 0f4a20923217d4b8c82ffc11de89754cfdddbe5346be51fe9e39dc243ea812fe
SHA512 38f01d0226ca3435ce8767684479cb4dc45d41c4bc50a75e455d079b5d315889514eb016437b08f13382810b824d9ab74edc0c53c1f26f12535f638b18a16435

memory/4960-15-0x00000000001F0000-0x0000000000215000-memory.dmp

memory/1156-18-0x0000000000A80000-0x0000000000AA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 52de364334f68538894034967dfa7b25
SHA1 d394b860ff927b3ea1504d8bbf73aaa61a450895
SHA256 32c8eaa5d1514a1b8920543cbb2e86686812ef8d678ab6a092686398679beb01
SHA512 45aeecea873ce57713bc49e65fb398f90a725ad1210e9b31feee0debe6a9df31c9c7345f1f5546b56cfa52c6ed1de0542ebf405aa0352ebed302bbc3b1407de5

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 efd90b3ac908d5482af367de3a82184a
SHA1 de9f01d2ed0247b7b347e55c5a09721a60147fb9
SHA256 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d
SHA512 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

memory/4960-21-0x00000000001F0000-0x0000000000215000-memory.dmp

memory/4960-23-0x00000000001F0000-0x0000000000215000-memory.dmp

memory/4960-29-0x00000000001F0000-0x0000000000215000-memory.dmp