Malware Analysis Report

2024-11-16 13:27

Sample ID 240804-t8jfdszdkr
Target f43e0f2ca51002a44daef5415cec2d20N.exe
SHA256 0f86ec37ce793d7040d48bafc0ae705dbe3c6b2647f3a7cc4755b24356433e71
Tags
urelas aspackv2 discovery trojan
score
10/10


Analysis Overview

score
10/10

SHA256

0f86ec37ce793d7040d48bafc0ae705dbe3c6b2647f3a7cc4755b24356433e71

Threat Level: Known bad

The file f43e0f2ca51002a44daef5415cec2d20N.exe was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 discovery trojan

Urelas

Urelas family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

ASPack v2.12-2.42

Deletes itself

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-04 16:43

Signatures

Urelas family

urelas

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 16:43

Reported

2024-08-04 16:45

Platform

win7-20240705-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Deletes itself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nemuc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fyvot.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nemuc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fyvot.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2872 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe | C:\Users\Admin\AppData\Local\Temp\nemuc.exe |
| PID 2872 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2624 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\nemuc.exe | C:\Users\Admin\AppData\Local\Temp\fyvot.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe

"C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe"

C:\Users\Admin\AppData\Local\Temp\nemuc.exe

"C:\Users\Admin\AppData\Local\Temp\nemuc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\fyvot.exe

"C:\Users\Admin\AppData\Local\Temp\fyvot.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |

Files

memory/2872-0-0x0000000000400000-0x0000000000465000-memory.dmp

\Users\Admin\AppData\Local\Temp\nemuc.exe

MD5 f82ccca9b36069ca0ef85d8b96fb6be9
SHA1 44997371a4b59a585f4f6983a65a4978ca211a61
SHA256 ccf91418d870f791b53e35b0a225d2e9dd513eaa94692c2367646889a9d28756
SHA512 8639a1ac5c2afaf039dd5375ced46d269e28985f40a0034a7163e0100272c42d5f1768c137cc23b63f6c7de6bd5c6199c6726ede51cd77765a5feb103f381e78

memory/2624-21-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2872-20-0x0000000002450000-0x00000000024B5000-memory.dmp

memory/2872-19-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 7b219b2c8d77e7e92245de9125f53c92
SHA1 5199a73c6ec88ae7c27c6823b18f508c7faf5ec0
SHA256 e39d9d4e81abc046868debf89f81446a7243cfe6c00a4f87fc867d94cb85c451
SHA512 ed23ed80b4ab513340d727465ba1e9493b20b232430aa6b7095682eaaae187d27dd246b575f8defe8e2843b8471f5220d80addafb6d0ffa9216fcad06af05d08

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 7fff969b6933374f793e3cd191a35bb7
SHA1 ea36c9d6dd4e48fd3c0b96398f83bb5b1a9a8efa
SHA256 cb439bf92842080e78235482bfdc42f4581ebace30a5031bdf01e2ce58ecfe9d
SHA512 fa0a0fe7b1dcf4bcb62a09eebe7cc5b1c16653cda81e9bc85a7d4f953e2420bb85f58dfc02507fc9df582f8b771fdf952241ddc22316c3eb2f9d43b2cdd90d47

\Users\Admin\AppData\Local\Temp\fyvot.exe

MD5 446c77ded493d440b0549ad881793c40
SHA1 f79cd00e2b38cd3b89570c75a563c7a8af531dbf
SHA256 b25d90f4a104817e5b19b8077b201f3776685a6423954127799e05b39979fbb8
SHA512 9b3e3764002d6d382b52a087600c903efae0302b8f7aa8d189c6034fd75538d32a32c0673f3700d363b56c7c0921e226d84e205127ff8d3f0a604f6bcf39319a

memory/1964-34-0x0000000000960000-0x00000000009F4000-memory.dmp

memory/1964-33-0x0000000000960000-0x00000000009F4000-memory.dmp

memory/1964-32-0x0000000000960000-0x00000000009F4000-memory.dmp

memory/1964-31-0x0000000000960000-0x00000000009F4000-memory.dmp

memory/2624-30-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1964-36-0x0000000000960000-0x00000000009F4000-memory.dmp

memory/1964-37-0x0000000000960000-0x00000000009F4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 16:43

Reported

2024-08-04 16:45

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fotef.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fotef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\goepf.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\goepf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fotef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\goepf.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe

"C:\Users\Admin\AppData\Local\Temp\f43e0f2ca51002a44daef5415cec2d20N.exe"

C:\Users\Admin\AppData\Local\Temp\fotef.exe

"C:\Users\Admin\AppData\Local\Temp\fotef.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\goepf.exe

"C:\Users\Admin\AppData\Local\Temp\goepf.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.58.20.217.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |

Files

memory/3648-0-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fotef.exe

MD5 266ce12975d37282e16448aaca43fee0
SHA1 f4e3a0d4ddcd1639ddfc727e43bf1b95a038ebe5
SHA256 ff0d25ff837de684c5f3241e8ca7ad16069998c67170387286b9780494f05d85
SHA512 848a4e9dddef931a889ec32f713c5aa3886530ebaeae5fd810fc50443ebf598711fbffd4b1b27f1847b4350f03ba8d93d878515844733279be6cf074d2cde6dc

memory/3648-13-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 7b219b2c8d77e7e92245de9125f53c92
SHA1 5199a73c6ec88ae7c27c6823b18f508c7faf5ec0
SHA256 e39d9d4e81abc046868debf89f81446a7243cfe6c00a4f87fc867d94cb85c451
SHA512 ed23ed80b4ab513340d727465ba1e9493b20b232430aa6b7095682eaaae187d27dd246b575f8defe8e2843b8471f5220d80addafb6d0ffa9216fcad06af05d08

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 57d7f32defd150eefd361f49f71c87c8
SHA1 4933bb19a2c3690d3c669ee3af82e116a93c231e
SHA256 a746a834e5eb73c8ea04859990378bb9866009bc007856dcbbd3ec7c828a1244
SHA512 ee2f76a0295d7b7cfe5a7841d60d5346c45a142fe0ae35634c9c6d4d957779d140cda3927d4d1101e9f2cdfcf2247a48dbac962025fd514b2c1ab11a9dc887a2

C:\Users\Admin\AppData\Local\Temp\goepf.exe

MD5 abb2be1bf5b0a5c3474f000e9c727f77
SHA1 b17e079433f282fd41a5af4c50919481e1203fcd
SHA256 41a0d07a46f216abfa6fe39db6c8f664f3444e39dbc37980593e0786cc810dec
SHA512 0dcd9b0c5c196cd5ef9344312452d5c70f280b9b6f95688ddcc1976aa8e775d5d4fb0be204792eef85337962801f5bc4092ad1758e0b1559e6e5634c3fd85867

memory/1120-23-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3392-27-0x0000000000F10000-0x0000000000FA4000-memory.dmp

memory/3392-28-0x0000000000F10000-0x0000000000FA4000-memory.dmp

memory/3392-26-0x0000000000F10000-0x0000000000FA4000-memory.dmp

memory/3392-25-0x0000000000F10000-0x0000000000FA4000-memory.dmp

memory/3392-30-0x0000000000F10000-0x0000000000FA4000-memory.dmp

memory/3392-31-0x0000000000F10000-0x0000000000FA4000-memory.dmp