Malware Analysis Report

2024-11-16 13:25

Sample ID 241013-fnbm6avbnl
Target f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4
SHA256 f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4

Threat Level: Known bad

The file f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Discovery
  System Location Discovery: System Language Discovery (T1614.001): the sample, shoste.exe and cmd.exe each open HKLM\SYSTEM\ControlSet001\Control\NLS\Language (signature "System Location Discovery: System Language Discovery", seen in both detonations).
  System Location Discovery (T1614): on Windows 10 the sample queries Control Panel\International\Geo\Nation under the user's registry hive (signature "Checks computer location settings", behavioral2 only).

Analysis: static1

Detonation Overview

Reported

2024-10-13 05:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 05:00

Reported

2024-10-13 05:03

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

The deletion is attributed to cmd.exe, which the process list below shows running the dropped batch file sanfdr.bat. The report records the batch file's hashes but not its contents, so the exact delete command is not visible here.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shoste.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\shoste.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe

"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"

C:\Users\Admin\AppData\Local\Temp\shoste.exe

"C:\Users\Admin\AppData\Local\Temp\shoste.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
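The chain above (a sample in the user's Temp directory launches the dropped shoste.exe, then cmd /c runs the dropped sanfdr.bat) is the kind of parent-child pattern a detection can key on without depending on file hashes. The Python below is an added example, not part of this report or of any sandbox tooling: it applies two such rules to constructed Sysmon-style process-creation events. The events are constructed for the example; PIDs 2368 and 2172 are taken from the report's memory-dump names, PIDs 1000, 3000 and 3100 are invented, and the choice of the original sample (rather than shoste.exe) as the parent of cmd.exe is an assumption, since the report does not state cmd.exe's parent.

```python
import re
from dataclasses import dataclass

# Paths under a user's local Temp directory (the drop location seen in the report).
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# First quoted or bare .bat path in a command line, e.g. cmd /c ""C:\...\sanfdr.bat" ".
BAT_PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.bat)"?', re.I)


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation event (Sysmon EID 1 style): pid, parent pid, image, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP_RE.match(path))


def is_cmd(image: str) -> bool:
    return image.lower().endswith("\\cmd.exe")


def batch_file_from_cmdline(cmdline: str):
    """Return the .bat path run through 'cmd /c', or None if there is none."""
    if "/c" not in cmdline.lower():
        return None
    m = BAT_PATH_RE.search(cmdline)
    return m.group(1) if m else None


def analyse(events):
    """Return (rule, parent_image, child_or_batch) tuples for the Temp-rooted chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not in_user_temp(parent.image):
            continue  # only chains rooted in a Temp-resident executable are of interest
        if is_cmd(e.image):
            bat = batch_file_from_cmdline(e.cmdline)
            if bat and in_user_temp(bat):
                # Temp-resident exe runs a Temp-resident batch through cmd /c: the
                # staging behind the report's "Deletes itself" signature.
                findings.append(("temp_batch_via_cmd", parent.image, bat))
        elif in_user_temp(e.image):
            # Temp-resident exe launches another Temp-resident exe ("Executes dropped EXE").
            findings.append(("dropped_exe_executed", parent.image, e.image))
    return findings


# Constructed events mirroring the behavioral1 process list. PIDs 2368 and 2172 come from
# the report's memory-dump names; the other PIDs and the parent-child links are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"
EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2368, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2172, 2368, r"C:\Users\Admin\AppData\Local\Temp\shoste.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\shoste.exe"'),
    ProcEvent(3000, 2368, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'),
    # Benign control: cmd run by explorer with a batch outside Temp must not fire.
    ProcEvent(3100, 1000, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Tools\build.bat"'),
]

if __name__ == "__main__":
    for rule, parent, target in analyse(EVENTS):
        print(f"{rule}: {parent} -> {target}")
```

Both rules require the parent to live in a user Temp directory, which is what keeps the explorer-launched build.bat control quiet; in production you would add the usual exclusions for installers that legitimately stage executables in Temp.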

Network

Country Destination Domain Proto
KR 121.88.5.183:11120 tcp
KR 121.88.5.184:11170 tcp
KR 218.54.28.139:11120 tcp

Files

memory/2368-0-0x0000000000C50000-0x0000000000C85000-memory.dmp

memory/2172-17-0x0000000000A70000-0x0000000000AA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\shoste.exe

MD5 300e716526b35e808f575f6a1199ec8d
SHA1 5ba46e97a4743dd3f1cbbbd8c7b12a21c6f9521f
SHA256 557af369b39c7c5c5c1e169621f5f1711809a9864291fad444fe62e3561bdb2d
SHA512 681b061300588898265be270b1e7c2f5f46698ecface80957736812ca30879c879d3f26454c495e0e41d5d89def40a6982eea0c444143190bd5ee1adab802c51

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 dfc1868e4957bc76c07d22931e2f6779
SHA1 aea3ca1d9c4c7ed739fc04c5a48cbfbe792f3d2f
SHA256 e52e9012393c4b6cf20707de354cf9e744633a32cc3a625c6aaf9bad8b0f2d2e
SHA512 ad511d7f3af93f5f649adc46cb62a0db5d53376a17f5936ad7f64832acd369f3a1ba06e0c36fdb8ee2f922ab38157640583bac1fcc67b113f9f24564cf614700

memory/2368-19-0x0000000000C50000-0x0000000000C85000-memory.dmp

memory/2368-16-0x0000000000A70000-0x0000000000AA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 f51c1462254f3bb8aa00201af0b0a030
SHA1 60d3c892bb5c4f654c318451012f936d81164418
SHA256 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5
SHA512 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

memory/2172-22-0x0000000000A70000-0x0000000000AA5000-memory.dmp

memory/2172-30-0x0000000000A70000-0x0000000000AA5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 05:00

Reported

2024-10-13 05:03

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shoste.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\shoste.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe

"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"

C:\Users\Admin\AppData\Local\Temp\shoste.exe

"C:\Users\Admin\AppData\Local\Temp\shoste.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

The command line names C:\Windows\system32\cmd.exe, but the image that actually ran is the SysWOW64 copy: the sample is a 32-bit process on 64-bit Windows, so WOW64 file-system redirection maps its System32 request to SysWOW64. Detections for this step should match on the image path rather than on the command-line string.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
KR 121.88.5.183:11120 tcp
KR 121.88.5.184:11170 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
KR 218.54.28.139:11120 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

The in-addr.arpa rows are PTR (reverse-DNS) queries sent to 8.8.8.8 from the Windows 10 image; none of them targets the three KR TCP endpoints, and the Windows 7 run shows no DNS traffic at all. The three TCP destinations are identical in both detonations and are the network indicators to act on; check the PTR queries against a clean-image baseline before treating them as attributable to the sample.

Files

memory/2840-0-0x0000000000630000-0x0000000000665000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\shoste.exe

MD5 d3c5a1898457111ce02cb45bae365736
SHA1 ac9dea019974970a7f2c2addb78d5aacf78e9fb1
SHA256 6c7a12fb58d76f5f05e2ecb089348d6303b656a29b16a195564e45503c60eb61
SHA512 2bfc10ce024ab33dab84bebbade99f7c2b62894e43dae03ab8dc37003bffc84f8c7a10e83ce09aff8a62e55159bd1c710c167fa3ada826a4a568b63fe55562c1

Note that this shoste.exe differs from the one dropped in behavioral1 (SHA256 557af369b39c7c5c5c1e169621f5f1711809a9864291fad444fe62e3561bdb2d), whereas sanfdr.bat and golfinfo.ini hash identically in both runs. A hash of the dropped executable is therefore a weak indicator for this sample; the drop path, the batch file and the network endpoints are the stable ones.

memory/5100-10-0x0000000000FD0000-0x0000000001005000-memory.dmp

memory/2840-14-0x0000000000630000-0x0000000000665000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 dfc1868e4957bc76c07d22931e2f6779
SHA1 aea3ca1d9c4c7ed739fc04c5a48cbfbe792f3d2f
SHA256 e52e9012393c4b6cf20707de354cf9e744633a32cc3a625c6aaf9bad8b0f2d2e
SHA512 ad511d7f3af93f5f649adc46cb62a0db5d53376a17f5936ad7f64832acd369f3a1ba06e0c36fdb8ee2f922ab38157640583bac1fcc67b113f9f24564cf614700

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 f51c1462254f3bb8aa00201af0b0a030
SHA1 60d3c892bb5c4f654c318451012f936d81164418
SHA256 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5
SHA512 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

memory/5100-17-0x0000000000FD0000-0x0000000001005000-memory.dmp

memory/5100-23-0x0000000000FD0000-0x0000000001005000-memory.dmp
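Across the two detonations the three KR TCP endpoints repeat while the hash of shoste.exe changes, and the Windows 10 run adds reverse-DNS queries that name none of those endpoints. The Python below is an added example, not part of this report or of any sandbox tooling: it consolidates the two runs into the indicators that held stable. The RUNS structure is a hand transcription of the Network and Files tables above (the values are the report's own, the structure is constructed), the split between PTR lookups and direct endpoints is the example's own heuristic, and nothing beyond "does not overlap the TCP destinations" is claimed about the PTR targets.

```python
import re
from collections import defaultdict

# PTR query names look like 172.214.232.199.in-addr.arpa (octets reversed).
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)

# Transcribed from the report's Network and Files tables (constructed structure, report values).
RUNS = {
    "behavioral1 (win7-20240903-en)": {
        "network": [  # (country, destination ip, port, domain, proto)
            ("KR", "121.88.5.183", 11120, "", "tcp"),
            ("KR", "121.88.5.184", 11170, "", "tcp"),
            ("KR", "218.54.28.139", 11120, "", "tcp"),
        ],
        "files": {  # dropped path -> SHA256
            r"C:\Users\Admin\AppData\Local\Temp\shoste.exe":
                "557af369b39c7c5c5c1e169621f5f1711809a9864291fad444fe62e3561bdb2d",
            r"C:\Users\Admin\AppData\Local\Temp\sanfdr.bat":
                "e52e9012393c4b6cf20707de354cf9e744633a32cc3a625c6aaf9bad8b0f2d2e",
            r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini":
                "695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5",
        },
    },
    "behavioral2 (win10v2004-20241007-en)": {
        "network": [
            ("US", "8.8.8.8", 53, "8.8.8.8.in-addr.arpa", "udp"),
            ("US", "8.8.8.8", 53, "172.214.232.199.in-addr.arpa", "udp"),
            ("US", "8.8.8.8", 53, "95.221.229.192.in-addr.arpa", "udp"),
            ("KR", "121.88.5.183", 11120, "", "tcp"),
            ("KR", "121.88.5.184", 11170, "", "tcp"),
            ("US", "8.8.8.8", 53, "50.23.12.20.in-addr.arpa", "udp"),
            ("US", "8.8.8.8", 53, "206.23.85.13.in-addr.arpa", "udp"),
            ("US", "8.8.8.8", 53, "172.210.232.199.in-addr.arpa", "udp"),
            ("KR", "218.54.28.139", 11120, "", "tcp"),
            ("US", "8.8.8.8", 53, "31.243.111.52.in-addr.arpa", "udp"),
        ],
        "files": {
            r"C:\Users\Admin\AppData\Local\Temp\shoste.exe":
                "6c7a12fb58d76f5f05e2ecb089348d6303b656a29b16a195564e45503c60eb61",
            r"C:\Users\Admin\AppData\Local\Temp\sanfdr.bat":
                "e52e9012393c4b6cf20707de354cf9e744633a32cc3a625c6aaf9bad8b0f2d2e",
            r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini":
                "695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5",
        },
    },
}


def ptr_target(domain):
    """IPv4 address a PTR query name refers to, or None if the name is not a PTR query."""
    m = PTR_RE.match(domain)
    return ".".join(reversed(m.groups())) if m else None


def split_network(rows):
    """Separate reverse-DNS lookups (background-noise candidates) from direct endpoints."""
    endpoints, ptr_lookups = set(), set()
    for _country, ip, port, domain, proto in rows:
        target = ptr_target(domain)
        if proto == "udp" and port == 53 and target:
            ptr_lookups.add(target)
        else:
            endpoints.add((ip, port, proto))
    return endpoints, ptr_lookups


def stable_endpoints(runs):
    """Direct endpoints contacted in every detonation: the network IOCs worth blocking."""
    return set.intersection(*(split_network(r["network"])[0] for r in runs.values()))


def file_hash_stability(runs):
    """'stable' if every run produced the same SHA256 for the dropped path, else 'volatile'."""
    seen = defaultdict(set)
    for r in runs.values():
        for path, sha in r["files"].items():
            seen[path].add(sha)
    return {path: ("stable" if len(hashes) == 1 else "volatile") for path, hashes in seen.items()}


def ptr_lookups_touching(runs, endpoints):
    """Reverse lookups whose target is one of the given endpoint IPs (empty for this report)."""
    ips = {ip for ip, _port, _proto in endpoints}
    looked_up = set().union(*(split_network(r["network"])[1] for r in runs.values()))
    return looked_up & ips


if __name__ == "__main__":
    c2 = stable_endpoints(RUNS)
    print("stable endpoints:", sorted(c2), "PTR overlap:", ptr_lookups_touching(RUNS, c2))
    for path, state in file_hash_stability(RUNS).items():
        print(f"{state:8s} {path}")
```

The intersection over runs is deliberately strict: an endpoint or hash that appears in only one platform's detonation is not promoted to an indicator, which is what turns the per-run shoste.exe hash into a "volatile" entry while the batch file, the INI and the three TCP destinations survive.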