Malware Analysis Report

2024-11-16 13:27

Sample ID 240804-fn6hjaxapj
Target e25ae91fc2e54cf9d368032513d78270N.exe
SHA256 2d2c59b1464eab7c2b5e3489d081374da699a53a65b9c8f67255edcb429d15a6
Tags: urelas discovery trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

2d2c59b1464eab7c2b5e3489d081374da699a53a65b9c8f67255edcb429d15a6

Threat Level: Known bad

The file e25ae91fc2e54cf9d368032513d78270N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Urelas family

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-04 05:02

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 05:02

Reported

2024-08-04 05:04

Platform

win7-20240708-en

Max time kernel

119s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e25ae91fc2e54cf9d368032513d78270N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\awcyj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\muwem.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\awcyj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\muwem.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e25ae91fc2e54cf9d368032513d78270N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\e25ae91fc2e54cf9d368032513d78270N.exe C:\Users\Admin\AppData\Local\Temp\awcyj.exe (4 identical rows)
PID 2308 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\e25ae91fc2e54cf9d368032513d78270N.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 1808 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\awcyj.exe C:\Users\Admin\AppData\Local\Temp\muwem.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\e25ae91fc2e54cf9d368032513d78270N.exe

"C:\Users\Admin\AppData\Local\Temp\e25ae91fc2e54cf9d368032513d78270N.exe"

C:\Users\Admin\AppData\Local\Temp\awcyj.exe

"C:\Users\Admin\AppData\Local\Temp\awcyj.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "

C:\Users\Admin\AppData\Local\Temp\muwem.exe

"C:\Users\Admin\AppData\Local\Temp\muwem.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11120 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.30.235:11120 tcp
JP 133.242.129.155:11120 tcp

Files

memory/2308-0-0x0000000000400000-0x000000000047D000-memory.dmp

\Users\Admin\AppData\Local\Temp\awcyj.exe

MD5 723be1a23cd2b55615b77ddeceabebcd
SHA1 21606386c5ddfc178bbb1ed643c6f96d5fdd0e4b
SHA256 1dbdfdcabe27f27713c5e2623fa3b81b408d520183de37376edc9648a0959686
SHA512 bbbddcf16f22c3318305d43889800c57b2628d7935dde565434677a0480a817038bb97120a445c68c2ee37ad9a0a2205e61376ad819f545d53399b3484c69db0

memory/1808-9-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

MD5 d0c8b031ab29878968735e5d385dfdb6
SHA1 2d6559a5dfde462986cc953b91765a842cbf93d9
SHA256 d0a2a03162a1068fbab3733cdbfc06a1e02701a8ad227c6b34fe251b63efad49
SHA512 f12ebc124cfecdd5cf8378500ce589d630d13c6866ad51d75f7955f5c4c5563aa23e30a00752965b86175764aa3f60c98e08e36f472fca48d7a1e65d4e2e4cd6

memory/2308-17-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 6bf21a0294e5ba5ee09b5b5821511ef3
SHA1 4504d3d356345620d227adba33de45230a12c5ec
SHA256 3414167ea81224cbb6509828ba43ffb287e44b66bb055a772a641befcc11c9c8
SHA512 9768571c00025baaf9d0c59e9fb3b4d3ae0a89c1de4bdb5c79e25f2b0e653f65a7ed21998345add5a4c55a7907c0e39879d58852bda374870570420673838c6a

\Users\Admin\AppData\Local\Temp\muwem.exe

MD5 ef9c5f28c79ab6f8def9579686e8f5a3
SHA1 782e0e58e501855f3740d71b16340f78412ed488
SHA256 44e24fbcaab15dba089fc8ddb720982a93a73e4125ad601b574a3cc97a76ce5d
SHA512 1391bebb6ddb00817d2e399c0afb5473c2a887f4cb44879cbbea1c7bad1b5a5cbfb3be53f534a37a8c866ff3081cc442b42aac48a010abed75671bf77224d85f

memory/1808-27-0x0000000000400000-0x000000000047D000-memory.dmp

memory/1808-25-0x0000000003B50000-0x0000000003BEF000-memory.dmp

memory/1724-28-0x0000000000400000-0x000000000049F000-memory.dmp

memory/1724-30-0x0000000000400000-0x000000000049F000-memory.dmp

memory/1724-31-0x0000000000400000-0x000000000049F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 05:02

Reported

2024-08-04 05:04

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e25ae91fc2e54cf9d368032513d78270N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wuziv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e25ae91fc2e54cf9d368032513d78270N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wuziv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uwecl.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e25ae91fc2e54cf9d368032513d78270N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wuziv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uwecl.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uwecl.exe N/A (48 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\e25ae91fc2e54cf9d368032513d78270N.exe

"C:\Users\Admin\AppData\Local\Temp\e25ae91fc2e54cf9d368032513d78270N.exe"

C:\Users\Admin\AppData\Local\Temp\wuziv.exe

"C:\Users\Admin\AppData\Local\Temp\wuziv.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "

C:\Users\Admin\AppData\Local\Temp\uwecl.exe

"C:\Users\Admin\AppData\Local\Temp\uwecl.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
KR 218.54.31.226:11120 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
KR 218.54.30.235:11120 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
JP 133.242.129.155:11120 tcp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/736-0-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wuziv.exe

MD5 ac0550c8b518660b4ee2a62b8e87b64e
SHA1 6dca96d4968880d143d8eaa578dcddbd818efa0b
SHA256 fc0668cbd7f54774965467fd2b8121bbccf87239d3fc20798190e728395f594b
SHA512 3a9716469e48152908b65e64a7a0eab126f0abd07a365be93825b923700d7b602b51fb2b4c665fa651fd1f53b01ede656d661f5c59b1e917f9829deed6adbdcb

memory/2428-12-0x0000000000400000-0x000000000047D000-memory.dmp

memory/736-14-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

MD5 d0c8b031ab29878968735e5d385dfdb6
SHA1 2d6559a5dfde462986cc953b91765a842cbf93d9
SHA256 d0a2a03162a1068fbab3733cdbfc06a1e02701a8ad227c6b34fe251b63efad49
SHA512 f12ebc124cfecdd5cf8378500ce589d630d13c6866ad51d75f7955f5c4c5563aa23e30a00752965b86175764aa3f60c98e08e36f472fca48d7a1e65d4e2e4cd6

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 29616367925b9d56a2bd767b051ad830
SHA1 16996f06a3dc4abacf878ea3d4393f28f2a3ada8
SHA256 696cac0c16dafa77da28219618f8bcce8acdf8b2ca6f570761929278ce1b5ee2
SHA512 98adb61cbe142face9f1145dc502a8fd3504db3cef3707428814fa8b97dc23529289ad935eb9a1ec20b3ac7219bf6ad2bd549cb9f611599c81f03ab785658d81

C:\Users\Admin\AppData\Local\Temp\uwecl.exe

MD5 1161451d1036b77fd19356aa89171794
SHA1 e94f55b91a62e36965a59104cdb7aae98f6de9c6
SHA256 d6663bad43410b241c23547bdebe30acda30b7b173f511a837f8e713623e326f
SHA512 692b8185ae25a0137255b10c18bb1d2179b56405f9a90570944a7ea0219aab1f59890f087a9f76d1d6ba90b9919802951b5c5735064a14ffc64b00c5efb760cf

memory/4364-25-0x0000000000400000-0x000000000049F000-memory.dmp

memory/2428-26-0x0000000000400000-0x000000000047D000-memory.dmp

memory/4364-28-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4364-29-0x0000000000400000-0x000000000049F000-memory.dmp