Malware Analysis Report

2024-11-16 13:27

Sample ID 240805-br1z1awgng
Target a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4
SHA256 a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4
Tags
upx urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4

Threat Level: Known bad

The file a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4 was found to be: Known bad.

Malicious Activity Summary

upx urelas discovery trojan

Urelas

Urelas family

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-05 01:23

Signatures

Urelas family

urelas

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 01:23

Reported

2024-08-05 01:26

Platform

win7-20240704-en

Max time kernel

90s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4.exe

"C:\Users\Admin\AppData\Local\Temp\a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
KR | 112.175.88.209:11170 | | tcp
KR | 112.175.88.207:11150 | | tcp

Files

memory/2884-0-0x0000000000400000-0x0000000000431000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 3bfdf45a86804d1d7e58eb108083d6c3
SHA1 8d30b5a5b0c6a0a86592ac7f696f193a982b63cd
SHA256 eafd05672c0a5b33f101a398da512c9281fe16c59bd6fdb3f621395a6af25e1f
SHA512 d1cf5759b1e3327e32509c1836977b0b6bb914c3465ef7baef94e42861bba12165b1afa0ad6ff4e2d56b294dcf94e3056551f20f6b1f7922f37e812a22c21837

memory/2208-9-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 cd8c943c96854a6e95d74d3377a8209f
SHA1 bd9abf9e47c2fa39bff909fdf85f44a0256857df
SHA256 0b89e0f842587cef8eda9c5373e9ed2f88ae27675f3c05c6ff37f1e0cb0d2285
SHA512 abf1a67d3f0a118cc76fb04daec3f7bed2b3fadae807a6c70dc6cca1e2ce5df52d0067e8d8549d0118e018807e9476df37b8049c15def5b7b5591b510544831d

memory/2884-18-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a01dba4c45102fc15292fd5591166536
SHA1 d96191c30e0f09439d8547f4ededbf6726ccd54b
SHA256 cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
SHA512 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

memory/2208-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2208-23-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2208-29-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 01:23

Reported

2024-08-05 01:26

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4.exe

"C:\Users\Admin\AppData\Local\Temp\a8e7fd1a3f7b69061d6cf78e8489f84bb10b6eb10b84bc74344acd3f877eeef4.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
KR | 112.175.88.209:11170 | | tcp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
KR | 112.175.88.207:11150 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/1508-0-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 21151296c20bd7ae3167c48e207eaa73
SHA1 971308845315319dade5ead6e5899ec84ed41b39
SHA256 b1180d5223ff19c54dbb806ab973b96f58f201043f3db84f432a5829ff8afaf4
SHA512 f8d3757926b25140d1badb5ab05e9ce5746e234b2b6c7e1f37f56b737051e6a08d136dd94668179962fbb6e909568b2500d9c0bd2335069b779350b7b3d994ab

memory/1964-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1508-18-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 cd8c943c96854a6e95d74d3377a8209f
SHA1 bd9abf9e47c2fa39bff909fdf85f44a0256857df
SHA256 0b89e0f842587cef8eda9c5373e9ed2f88ae27675f3c05c6ff37f1e0cb0d2285
SHA512 abf1a67d3f0a118cc76fb04daec3f7bed2b3fadae807a6c70dc6cca1e2ce5df52d0067e8d8549d0118e018807e9476df37b8049c15def5b7b5591b510544831d

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a01dba4c45102fc15292fd5591166536
SHA1 d96191c30e0f09439d8547f4ededbf6726ccd54b
SHA256 cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
SHA512 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

memory/1964-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1964-23-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1964-30-0x0000000000400000-0x0000000000431000-memory.dmp