Malware Analysis Report

2024-11-16 13:27

Sample ID 240731-blrt5staqa
Target 84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b
SHA256 84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b
Tags
upx urelas discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b

Threat Level: Known bad

The file 84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b was found to be: Known bad.

Malicious Activity Summary

upx urelas discovery trojan

Urelas

Urelas family

Executes dropped EXE

Deletes itself

Loads dropped DLL

UPX packed file

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-31 01:14

Signatures

Urelas family

urelas

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-31 01:14

Reported

2024-07-31 01:16

Platform

win7-20240705-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe

"C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
KR | 112.175.88.209:11170 | | tcp
KR | 112.175.88.207:11150 | | tcp

Files

memory/2860-0-0x0000000000400000-0x0000000000431000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 f9458c431ad6b2b318fe5e9ce2392f42
SHA1 a01fc1b8defed0dbb091fe846f7c4cd1f00e5bd3
SHA256 7a5db11581422b4b57007dbc31c55f1f0f5b75bcbcc3cff22c0fce70aafefba8
SHA512 a0510be609e8ab9df627a6427b7e05892c0bbd5b9fc8f22b9e347e25e8cc2a5a2a07bf700b93261dfc4126f392fe4c60228d5de892b7aa4414340e096f04bf74

memory/2860-6-0x0000000002BE0000-0x0000000002C11000-memory.dmp

memory/1640-10-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 609ce0e460850082c0ebaa19e82c2597
SHA1 b6b475a8ff74cd1ac908cb70450f7bd52dbaa8ce
SHA256 b91838d7f251698e27bd43b0d199a998d2ca2f286befc70b50e23a0d8fee8e80
SHA512 d416bdb10800e56f971381fa843da964abfd0697dea7ec9801ad9b9e2bd9af4e6ad9e2ec6abae66174f142e606b791172b4d38379eec7c2d119052daaa6f8e12

memory/2860-19-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a01dba4c45102fc15292fd5591166536
SHA1 d96191c30e0f09439d8547f4ededbf6726ccd54b
SHA256 cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
SHA512 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

memory/1640-22-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1640-24-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1640-31-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-31 01:14

Reported

2024-07-31 01:16

Platform

win10v2004-20240730-en

Max time kernel

94s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe

"C:\Users\Admin\AppData\Local\Temp\84a112698b3529a4f24b244e23c3fd92027eb924349f876ef35c7c0e7f844e6b.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
KR | 112.175.88.209:11170 | | tcp
KR | 112.175.88.207:11150 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/2308-0-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 094b187ffce5850aedbecb686332ae58
SHA1 71447c905dd8f6d33c95fc0b02feacf2f27bc974
SHA256 85b23209cc3a7883fe30ebf4b896c5bf0915e46d917597a7b721f891648cbd8c
SHA512 532e3a8d47046e749abf9bea5f9f71ea9c6786ff82497d5afbf34303ec7adbcf4839650425803442d727407f0ff1fd62b088e6619df3c43ea79ac172ef5d6733

memory/640-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2308-18-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 609ce0e460850082c0ebaa19e82c2597
SHA1 b6b475a8ff74cd1ac908cb70450f7bd52dbaa8ce
SHA256 b91838d7f251698e27bd43b0d199a998d2ca2f286befc70b50e23a0d8fee8e80
SHA512 d416bdb10800e56f971381fa843da964abfd0697dea7ec9801ad9b9e2bd9af4e6ad9e2ec6abae66174f142e606b791172b4d38379eec7c2d119052daaa6f8e12

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a01dba4c45102fc15292fd5591166536
SHA1 d96191c30e0f09439d8547f4ededbf6726ccd54b
SHA256 cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
SHA512 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

memory/640-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/640-23-0x0000000000400000-0x0000000000431000-memory.dmp

memory/640-29-0x0000000000400000-0x0000000000431000-memory.dmp