Malware Analysis Report

2024-11-16 13:25

Sample ID 241013-fs6zvszhqh
Target f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4
SHA256 f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4

Threat Level: Known bad

The file f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Deletes itself

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 05:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 05:09

Reported

2024-10-13 05:11

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe

"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"

C:\Users\Admin\AppData\Local\Temp\shoste.exe

"C:\Users\Admin\AppData\Local\Temp\shoste.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 121.88.5.183:11120 | N/A | tcp
KR | 121.88.5.184:11170 | N/A | tcp
KR | 218.54.28.139:11120 | N/A | tcp

Files

memory/1704-0-0x0000000000C40000-0x0000000000C75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 dfc1868e4957bc76c07d22931e2f6779
SHA1 aea3ca1d9c4c7ed739fc04c5a48cbfbe792f3d2f
SHA256 e52e9012393c4b6cf20707de354cf9e744633a32cc3a625c6aaf9bad8b0f2d2e
SHA512 ad511d7f3af93f5f649adc46cb62a0db5d53376a17f5936ad7f64832acd369f3a1ba06e0c36fdb8ee2f922ab38157640583bac1fcc67b113f9f24564cf614700

memory/1264-17-0x00000000013D0000-0x0000000001405000-memory.dmp

memory/1704-16-0x0000000000B00000-0x0000000000B35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\shoste.exe

MD5 bd8302f65ba0d9afa69d07f30cb295ab
SHA1 4b0cb42ac547e1711760e9b77d74f072babd4812
SHA256 03b9b97a67531507aaa6ccb2b6cbcb61418f9013913b95fe667625162784941b
SHA512 199e29f5b6ae16c9fcae2d20693afb653ad33ceb8a05e609fd807a1d86e79b282b3cd469883a166df1b0f41299553fc612474b819843a857fdf4441496a2121f

memory/1704-19-0x0000000000C40000-0x0000000000C75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 f51c1462254f3bb8aa00201af0b0a030
SHA1 60d3c892bb5c4f654c318451012f936d81164418
SHA256 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5
SHA512 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

memory/1264-22-0x00000000013D0000-0x0000000001405000-memory.dmp

memory/1264-30-0x00000000013D0000-0x0000000001405000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 05:09

Reported

2024-10-13 05:11

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\shoste.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe

"C:\Users\Admin\AppData\Local\Temp\f0e577708c1718ba08ef3e43a172599cda89537f74a91dadefc7cf696c197ac4.exe"

C:\Users\Admin\AppData\Local\Temp\shoste.exe

"C:\Users\Admin\AppData\Local\Temp\shoste.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
KR | 121.88.5.183:11120 | N/A | tcp
KR | 121.88.5.184:11170 | N/A | tcp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp
KR | 218.54.28.139:11120 | N/A | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/1404-0-0x0000000000470000-0x00000000004A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\shoste.exe

MD5 e99e64807bb42a5b821e979087c625d9
SHA1 ce065d4eec7077a42a2749a14c754693cae900e7
SHA256 149cc9e41d5d401040901ae982cc34da5afa39fcbc043daf67b3444b19e79b39
SHA512 f17c116864fed5a3a26387ffdbca1bf64ab868bb908f2abdb383bdbf065cddb65200f8f37f05d6c654d6ffe85369f5bf121412e17f2cd5d8fdc2c2c1c1ea787f

memory/1788-12-0x0000000000910000-0x0000000000945000-memory.dmp

memory/1404-15-0x0000000000470000-0x00000000004A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 dfc1868e4957bc76c07d22931e2f6779
SHA1 aea3ca1d9c4c7ed739fc04c5a48cbfbe792f3d2f
SHA256 e52e9012393c4b6cf20707de354cf9e744633a32cc3a625c6aaf9bad8b0f2d2e
SHA512 ad511d7f3af93f5f649adc46cb62a0db5d53376a17f5936ad7f64832acd369f3a1ba06e0c36fdb8ee2f922ab38157640583bac1fcc67b113f9f24564cf614700

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 f51c1462254f3bb8aa00201af0b0a030
SHA1 60d3c892bb5c4f654c318451012f936d81164418
SHA256 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5
SHA512 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

memory/1788-18-0x0000000000910000-0x0000000000945000-memory.dmp

memory/1788-24-0x0000000000910000-0x0000000000945000-memory.dmp