Malware Analysis Report

2024-11-16 13:27

Sample ID 240803-1gmr3azhpb
Target 4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e
SHA256 4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e
Tags
urelas discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e

Threat Level: Known bad

The file 4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-03 21:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-03 21:37

Reported

2024-08-03 21:39

Platform

win7-20240729-en

Max time kernel

89s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe

"C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination           Domain  Proto
KR       112.175.88.209:11120          tcp
KR       112.175.88.208:11150          tcp
KR       112.175.88.209:11170          tcp
KR       112.175.88.207:11150          tcp

Files

memory/1892-0-0x0000000000870000-0x00000000008A7000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 dce9c098415f46966f424a97c3994ec2
SHA1 5064c4b4d56471ac7f1f5a63639df9333198ecb0
SHA256 b28b3c27f05d93bcf57027331ea8290d8af56f71fa68049dae57cb6de931039c
SHA512 4c75fac6ce13cf145aea03c479197e42c265bfe7f9d59f61d03dceada48bf5d11fe68d8d5cabaa5687e1bf25cde709cc4967c5708170544202ed3666ccd648b6

memory/2272-19-0x0000000000370000-0x00000000003A7000-memory.dmp

memory/1892-16-0x0000000000560000-0x0000000000597000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 7a6fd9fb6b34738327b46d09a88b5d53
SHA1 d7e7a2176972a928b204bec3cec2cb41aadf32f1
SHA256 ab5d84e01c2827f3bd79f53174f603d4502ae30fadbd64366069cc9864a3f06f
SHA512 0ed4ce04c7928b6f33eeee4d884f99ee6d2d7a717742a24ba4276d62959be7296ce98cdca79cac36479f150a424c367c6ddb077178a65205b32760dee5c49b65

memory/1892-18-0x0000000000870000-0x00000000008A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a39f3ff1599241818ef65c0fd09039ed
SHA1 8d40b394a337a9da3330603fcd523842bccdf504
SHA256 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc
SHA512 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e

memory/2272-22-0x0000000000370000-0x00000000003A7000-memory.dmp

memory/2272-24-0x0000000000370000-0x00000000003A7000-memory.dmp

memory/2272-31-0x0000000000370000-0x00000000003A7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-03 21:37

Reported

2024-08-03 21:39

Platform

win10v2004-20240802-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\huter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe

"C:\Users\Admin\AppData\Local\Temp\4849ca728f1013bc537edcd17d0e4d7faad27a6daa092215deb112d3f64ac76e.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4124,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8

Network

Country  Destination           Domain                       Proto
US       8.8.8.8:53            g.bing.com                   udp
US       204.79.197.237:443    g.bing.com                   tcp
US       8.8.8.8:53            8.8.8.8.in-addr.arpa         udp
US       8.8.8.8:53            237.197.79.204.in-addr.arpa  udp
US       8.8.8.8:53            134.32.126.40.in-addr.arpa   udp
US       8.8.8.8:53            25.140.123.92.in-addr.arpa   udp
KR       112.175.88.209:11120                               tcp
KR       112.175.88.208:11150                               tcp
US       8.8.8.8:53            183.59.114.20.in-addr.arpa   udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa     udp
US       8.8.8.8:53            98.58.20.217.in-addr.arpa    udp
KR       112.175.88.209:11170                               tcp
US       8.8.8.8:53            14.227.111.52.in-addr.arpa   udp
KR       112.175.88.207:11150                               tcp
US       8.8.8.8:53            18.173.189.20.in-addr.arpa   udp

Files

memory/816-0-0x0000000000110000-0x0000000000147000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 d06d9f80f98b8510a65aaeebbe96d8db
SHA1 2651d799280130e12be732151f54207710cbdec9
SHA256 bfb8bb6efccb6d40519a277b7dad8a7d8ca3ba10e8d8c67687d48f98b944ff69
SHA512 7f63163b9205f74ca337672c42761f5fe4358e4b62056b0168ccaeb0d233b9590138511bd37b67b21ef5163334ece6eb3522575cdaa0c46033b645569ea9f5b9

memory/3300-11-0x0000000000790000-0x00000000007C7000-memory.dmp

memory/816-15-0x0000000000110000-0x0000000000147000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 7a6fd9fb6b34738327b46d09a88b5d53
SHA1 d7e7a2176972a928b204bec3cec2cb41aadf32f1
SHA256 ab5d84e01c2827f3bd79f53174f603d4502ae30fadbd64366069cc9864a3f06f
SHA512 0ed4ce04c7928b6f33eeee4d884f99ee6d2d7a717742a24ba4276d62959be7296ce98cdca79cac36479f150a424c367c6ddb077178a65205b32760dee5c49b65

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a39f3ff1599241818ef65c0fd09039ed
SHA1 8d40b394a337a9da3330603fcd523842bccdf504
SHA256 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc
SHA512 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e

memory/3300-18-0x0000000000790000-0x00000000007C7000-memory.dmp

memory/3300-20-0x0000000000790000-0x00000000007C7000-memory.dmp

memory/3300-26-0x0000000000790000-0x00000000007C7000-memory.dmp