Malware Analysis Report

2024-11-16 13:28

Sample ID 240804-ceg7ssxdmc
Target de2368758da69e422fa38e9ef3c76770N.exe
SHA256 828a04a211899614965b995e7a077a6a382d5599bfd86993ffab5d75d0692a4a
Tags upx urelas discovery trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 828a04a211899614965b995e7a077a6a382d5599bfd86993ffab5d75d0692a4a

Threat Level: Known bad

The file de2368758da69e422fa38e9ef3c76770N.exe was found to be: Known bad.

Malicious Activity Summary

upx urelas discovery trojan

Urelas

Deletes itself

Checks computer location settings

UPX packed file

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-08-04 01:59

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 01:59

Reported

2024-08-04 02:01

Platform

win7-20240704-en

Max time kernel

67s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe"

Signatures

Urelas (tags: trojan, urelas)

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

The cmd.exe instance credited with the self-deletion is the one the process list below shows running the dropped batch file sanfdr.bat; the report records that file's hashes but not its contents.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (six identical rows; no indicator detail recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (ATT&CK T1614.001; tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | N/A

All three processes, including the cmd.exe instance, open this key, so on its own it is a weak indicator; it is the combination with the dropped EXE, the batch-file self-deletion and the KR TCP endpoints that carries the verdict.

Processes

C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe

"C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe"

C:\Users\Admin\AppData\Local\Temp\opert.exe

"C:\Users\Admin\AppData\Local\Temp\opert.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 121.88.5.183:11120 | | tcp
KR | 121.88.5.184:11170 | | tcp
KR | 218.54.28.139:11120 | | tcp

Files

memory/1792-0-0x0000000000840000-0x0000000000879000-memory.dmp

\Users\Admin\AppData\Local\Temp\opert.exe

MD5 2de2da70e584c5f21514c3473faffed0
SHA1 378cb43f427c037a63a2db35c4a5fe018c7a285e
SHA256 127d9e553732be686e227db5cad2f4830a2d78da6de16f252dea000ba1fa0c3d
SHA512 6955df508955dc2ede02883e3229fe0d61641d9888a686997c27c0ccff795b5484fcb260003694c86c1c10dccf6fd475ee85dd856d3c8be9a4c1f402cd8945fe

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 8ebb5e515e68471584943228bde27301
SHA1 b81eb6c83e61919310d19b02e0636fd0b24cbf9b
SHA256 08bee23234ef7f8f8e2c3d984c776535ff96ece058c1d71ce73c2258468cfd30
SHA512 bedf2bfb052c322df7adf8e2f336a255f4bf34261801113c110c0ea64ca5d3423696f0e51a458938debf07ec598d85b333939502499d4356c339fb38e99a0333

memory/2540-17-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1792-16-0x0000000002210000-0x0000000002249000-memory.dmp

memory/1792-19-0x0000000000840000-0x0000000000879000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 6735bbe93159782090eb9c49dde676c6
SHA1 6edec7009f27d90d36081a9d4a05fc6e6bde28e2
SHA256 f8925f72b19e3a2e14ebfda83d63a10e4a6f218d84cc30fb738caa9a575e1217
SHA512 8c85cef74bcd042b528424c1b99149bf5374c428f61a5f3c99e4f42460453b7a36cd0edbf8f76a042432800ee93916a7650b55e41d06f51566ad2cf3d69be696

memory/2540-22-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2540-28-0x0000000000250000-0x0000000000289000-memory.dmp
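The indicators in this detonation (sample and dropped-file hashes, the three KR TCP endpoints, the NLS\Language and Geo\Nation registry keys, and a Temp-resident EXE launching cmd /c on a Temp batch file) are enough for a first-pass matcher over endpoint telemetry. The following Python is an added example, not part of the sandbox report and not vendor tooling: the JSON-lines event format, its field names, the cmd.exe PID and the parent/child links in the embedded sample are assumptions; everything it matches on is copied from the report above.

```python
"""Match the IOCs from this report against endpoint telemetry.

Added example; not part of the sandbox report. The telemetry format (one
JSON object per line with "type", "pid", "ppid", "image", "cmdline",
"sha256", "dst_ip", "dst_port", "proto" and "key" fields) is hypothetical.
The hashes, C2 endpoints, registry keys and the Temp-resident EXE ->
cmd /c *.bat chain are taken from the behavioral1/behavioral2 sections.
"""
import json
import re

# SHA256 of the sample and of each dropped file, as listed in the report.
IOC_SHA256 = {
    "828a04a211899614965b995e7a077a6a382d5599bfd86993ffab5d75d0692a4a": "de2368758da69e422fa38e9ef3c76770N.exe (sample)",
    "127d9e553732be686e227db5cad2f4830a2d78da6de16f252dea000ba1fa0c3d": "opert.exe (behavioral1 drop)",
    "246ca3912d0cec7aa1c8f5de1f61638c3506f55ee3ed6d51aad16b9404cbfe99": "opert.exe (behavioral2 drop)",
    "08bee23234ef7f8f8e2c3d984c776535ff96ece058c1d71ce73c2258468cfd30": "sanfdr.bat",
    "f8925f72b19e3a2e14ebfda83d63a10e4a6f218d84cc30fb738caa9a575e1217": "golfinfo.ini",
}

# TCP endpoints contacted in both detonations.
IOC_C2 = {("121.88.5.183", 11120), ("121.88.5.184", 11170), ("218.54.28.139", 11120)}

# Registry keys from the discovery signatures. Geo\Nation lives under the
# user's SID hive, so it is matched on the key tail instead of the full path.
IOC_REG_EXACT = {
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language": "language_discovery",
}
IOC_REG_TAIL = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)

# Per-user Temp directory, where both the sample and opert.exe live.
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Matches the path in: cmd /c ""C:\...\sanfdr.bat" "   (as recorded in the process list)
CMD_BAT = re.compile(r'/c\s+"*([^"]+\.bat)', re.IGNORECASE)


def is_temp_path(path):
    """True if `path` is inside a per-user AppData\\Local\\Temp directory."""
    return bool(TEMP_DIR.match(path or ""))


def scan(lines):
    """Return one alert dict per IOC/behaviour hit in the JSON-lines telemetry."""
    alerts = []
    image_by_pid = {}  # needed to resolve the parent image of cmd.exe
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        kind = ev.get("type")
        if kind == "process":
            image_by_pid[ev["pid"]] = ev["image"]
            label = IOC_SHA256.get((ev.get("sha256") or "").lower())
            if label:
                alerts.append({"rule": "known_hash", "pid": ev["pid"], "detail": label})
            parent = image_by_pid.get(ev.get("ppid"), "")
            bat = CMD_BAT.search(ev.get("cmdline", ""))
            # Self-delete pattern: a Temp-resident EXE spawns cmd.exe on a Temp .bat
            if (ev["image"].lower().endswith("\\cmd.exe") and bat
                    and is_temp_path(bat.group(1)) and is_temp_path(parent)):
                alerts.append({"rule": "temp_exe_runs_temp_bat", "pid": ev["pid"],
                               "detail": f"{parent} -> cmd /c {bat.group(1)}"})
        elif kind == "network":
            if (ev.get("dst_ip"), ev.get("dst_port")) in IOC_C2:
                alerts.append({"rule": "urelas_c2", "pid": ev.get("pid"),
                               "detail": f"{ev['dst_ip']}:{ev['dst_port']}/{ev.get('proto')}"})
        elif kind == "registry":
            key = ev.get("key", "")
            if key in IOC_REG_EXACT:
                alerts.append({"rule": IOC_REG_EXACT[key], "pid": ev.get("pid"), "detail": key})
            elif IOC_REG_TAIL.search(key):
                alerts.append({"rule": "geo_nation_check", "pid": ev.get("pid"), "detail": key})
    return alerts


# Constructed telemetry mirroring the report's process tree and signatures
# (PIDs 1792 and 2540 come from the memory dump names; the cmd.exe PID and the
# parent links are assumed). The last two lines are benign filler that must not alert.
SAMPLE_TELEMETRY = r"""
{"type": "process", "pid": 1792, "ppid": 1000, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\de2368758da69e422fa38e9ef3c76770N.exe", "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\de2368758da69e422fa38e9ef3c76770N.exe\"", "sha256": "828a04a211899614965b995e7a077a6a382d5599bfd86993ffab5d75d0692a4a"}
{"type": "process", "pid": 2540, "ppid": 1792, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\opert.exe", "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\opert.exe\"", "sha256": "127d9e553732be686e227db5cad2f4830a2d78da6de16f252dea000ba1fa0c3d"}
{"type": "registry", "pid": 2540, "key": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"}
{"type": "registry", "pid": 1792, "key": "\\REGISTRY\\USER\\S-1-5-21-656926755-4116854191-210765258-1000\\Control Panel\\International\\Geo\\Nation"}
{"type": "process", "pid": 2600, "ppid": 1792, "image": "C:\\Windows\\SysWOW64\\cmd.exe", "cmdline": "cmd /c \"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sanfdr.bat\" \""}
{"type": "network", "pid": 2540, "dst_ip": "121.88.5.183", "dst_port": 11120, "proto": "tcp"}
{"type": "network", "pid": 2540, "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"}
{"type": "process", "pid": 2700, "ppid": 1000, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe", "sha256": "0000000000000000000000000000000000000000000000000000000000000000"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_TELEMETRY.splitlines()):
        print(alert)
```

The behavioural rule deliberately keys on the parent image being under Temp rather than on the names opert.exe or sanfdr.bat, because the hashes of opert.exe already differ between the two detonations; file names and hashes are the cheapest thing for the author to change, the Temp EXE plus Temp batch chain is not.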

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 01:59

Reported

2024-08-04 02:01

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe"

Signatures

Urelas (tags: trojan, urelas)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (six identical rows; no indicator detail recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (ATT&CK T1614.001; tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe

"C:\Users\Admin\AppData\Local\Temp\de2368758da69e422fa38e9ef3c76770N.exe"

C:\Users\Admin\AppData\Local\Temp\opert.exe

"C:\Users\Admin\AppData\Local\Temp\opert.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
KR | 121.88.5.183:11120 | | tcp
KR | 121.88.5.184:11170 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
KR | 218.54.28.139:11120 | | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
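This table mixes two different things: TCP connections to the three KR endpoints, and UDP queries to 8.8.8.8:53 whose Domain column holds in-addr.arpa names, i.e. reverse (PTR) lookups. Decoding those names gives the addresses the Windows 10 host tried to reverse-resolve, which is not the same as the host having connected to them; the Destination column for every one of those rows is the resolver. The following Python is an added example, not part of the report: it parses the rows exactly as they appear in the table above, decodes the PTR names, and emits Suricata rules for the direct TCP endpoints. The rule text and the sid range starting at 9000001 are assumptions for illustration, not rules from any published ruleset.

```python
"""Parse the sandbox network table and separate resolver traffic from
direct connections.

Added example, not part of the report. The rows in NETWORK_TABLE are copied
from the behavioral2 Network table; the Suricata rule template and the sid
range are assumptions.
"""

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
KR 121.88.5.183:11120 tcp
KR 121.88.5.184:11170 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
KR 218.54.28.139:11120 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """Reverse an in-addr.arpa PTR name back to a dotted quad; None if it is not one.

    '22.160.190.20.in-addr.arpa' -> '20.190.160.22'
    """
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_network_table(text):
    """Rows are 'Country Destination [Domain] Proto'; Domain is absent on TCP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Split rows into direct TCP endpoints and addresses the host reverse-resolved."""
    tcp_endpoints = sorted({(r["ip"], r["port"]) for r in rows if r["proto"] == "tcp"})
    reverse_lookups = set()
    for r in rows:
        if r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse_lookups.add(ip)
    return {"tcp_endpoints": tcp_endpoints, "reverse_lookups": sorted(reverse_lookups)}


def suricata_rules(tcp_endpoints, sid_base=9000000):
    """One rule per endpoint. sid_base is an assumed local-rule range."""
    rules = []
    for i, (ip, port) in enumerate(tcp_endpoints, start=1):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Urelas C2 {ip}:{port}"; '
            f'flow:to_server,established; classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    summary = summarize(parse_network_table(NETWORK_TABLE))
    print("Direct TCP endpoints:", summary["tcp_endpoints"])
    print("Addresses reverse-resolved via 8.8.8.8:", summary["reverse_lookups"])
    for rule in suricata_rules(summary["tcp_endpoints"]):
        print(rule)
```

Only the TCP endpoints become rules; the reverse-resolved addresses are kept as context, since the table shows no connection to them and the behavioral1 (Windows 7) run produced the same three TCP endpoints with no PTR traffic at all.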

Files

memory/3556-0-0x0000000000FB0000-0x0000000000FE9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\opert.exe

MD5 bfd67028f4a96897e6f9ab84e5f7df9d
SHA1 664fea05eda12772fab5b93418b06919345ce15d
SHA256 246ca3912d0cec7aa1c8f5de1f61638c3506f55ee3ed6d51aad16b9404cbfe99
SHA512 cd50aca410168da090e1caa3cd4453dd887748b55d7170d493be979b63023f87427aa079f8085033f8e99fff57515529208bbd253e788bbb4a9daf999189e17b

memory/320-12-0x0000000000AA0000-0x0000000000AD9000-memory.dmp

memory/3556-15-0x0000000000FB0000-0x0000000000FE9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 8ebb5e515e68471584943228bde27301
SHA1 b81eb6c83e61919310d19b02e0636fd0b24cbf9b
SHA256 08bee23234ef7f8f8e2c3d984c776535ff96ece058c1d71ce73c2258468cfd30
SHA512 bedf2bfb052c322df7adf8e2f336a255f4bf34261801113c110c0ea64ca5d3423696f0e51a458938debf07ec598d85b333939502499d4356c339fb38e99a0333

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 6735bbe93159782090eb9c49dde676c6
SHA1 6edec7009f27d90d36081a9d4a05fc6e6bde28e2
SHA256 f8925f72b19e3a2e14ebfda83d63a10e4a6f218d84cc30fb738caa9a575e1217
SHA512 8c85cef74bcd042b528424c1b99149bf5374c428f61a5f3c99e4f42460453b7a36cd0edbf8f76a042432800ee93916a7650b55e41d06f51566ad2cf3d69be696

memory/320-18-0x0000000000AA0000-0x0000000000AD9000-memory.dmp

memory/320-24-0x0000000000AA0000-0x0000000000AD9000-memory.dmp