Malware Analysis Report

2024-11-16 13:26

Sample ID: 240805-tjz2va1ejk
Target:    ac59e3715f8dae42406952e8ec759320N.exe
SHA256:    9b9fcae8338d9b592efd5542a5f2f94035efc4607e1a862e31950d12acb062f4
Tags:      urelas, discovery, trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:        10/10
SHA256:       9b9fcae8338d9b592efd5542a5f2f94035efc4607e1a862e31950d12acb062f4
Threat Level: Known bad

The file ac59e3715f8dae42406952e8ec759320N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: urelas, discovery, trojan

Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-05 16:05

Signatures

Unsigned PE

Description: N/A
Indicator:   N/A
Process:     N/A
Target:      N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-08-05 16:05
Reported:         2024-08-05 16:08
Platform:         win7-20240708-en
Max time kernel:  89s
Max time network: 89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe"

Signatures

Urelas

Tags: trojan, urelas

Deletes itself

Description: N/A
Indicator:   N/A
Process:     C:\Windows\SysWOW64\cmd.exe
Target:      N/A

Executes dropped EXE

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\huter.exe
Target:      N/A

Loads dropped DLL

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe
Target:      N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:     C:\Windows\SysWOW64\cmd.exe
Target:      N/A

Description: Key opened
Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:     C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe
Target:      N/A

Description: Key opened
Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:     C:\Users\Admin\AppData\Local\Temp\huter.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe

"C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination           Domain  Proto
KR       112.175.88.209:11120          tcp
KR       112.175.88.208:11150          tcp
KR       112.175.88.209:11170          tcp
KR       112.175.88.207:11150          tcp

Files

memory/2416-0-0x0000000000E80000-0x0000000000EB7000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 843af422c855a493e775c10e7ffab33d
SHA1 37c587744c83d926a629b6c6dac2083fd4306014
SHA256 9d749de75c28d3629c7e8e73415bb31d5fbff6f7105c6b8941f8e5a45a87b833
SHA512 bb6e6ae77ee381c0c9669ff93a85859c5f71a274cbb2febcafb87ac698769c3d9a98634ff98d9da718c23e1c8f3dde58a4da66ea605fd6001074a681f7f9545b

memory/2840-10-0x0000000000020000-0x0000000000057000-memory.dmp

memory/2416-9-0x0000000000990000-0x00000000009C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 3419bd20baf35d56aa81eee396613864
SHA1 09f84ec125b495804b571ce4a7cc9e3c4f3dbc87
SHA256 6e01d85a5f7fce2f926d34f81bbeceb551a37e85426a1c1631e0e93b3d50848c
SHA512 9766e337e84ded3bf205f7479b05b7c5aa6a76b758adadac1961bc8910b29795214bef9f18930a4737a8538057cff5c294288adc8a47f90260dd2288f44fee6c

memory/2416-19-0x0000000000E80000-0x0000000000EB7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a39f3ff1599241818ef65c0fd09039ed
SHA1 8d40b394a337a9da3330603fcd523842bccdf504
SHA256 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc
SHA512 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e

memory/2840-22-0x0000000000020000-0x0000000000057000-memory.dmp

memory/2840-24-0x0000000000020000-0x0000000000057000-memory.dmp

memory/2840-31-0x0000000000020000-0x0000000000057000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-08-05 16:05
Reported:         2024-08-05 16:08
Platform:         win10v2004-20240802-en
Max time kernel:  93s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe"

Signatures

Urelas

Tags: trojan, urelas

Checks computer location settings

Description: Key value queried
Indicator:   \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation
Process:     C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe
Target:      N/A

Executes dropped EXE

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\huter.exe
Target:      N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:     C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe
Target:      N/A

Description: Key opened
Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:     C:\Users\Admin\AppData\Local\Temp\huter.exe
Target:      N/A

Description: Key opened
Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:     C:\Windows\SysWOW64\cmd.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe

"C:\Users\Admin\AppData\Local\Temp\ac59e3715f8dae42406952e8ec759320N.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination           Domain                         Proto
US       8.8.8.8:53            146.177.190.20.in-addr.arpa    udp
US       8.8.8.8:53            88.156.103.20.in-addr.arpa     udp
US       8.8.8.8:53            25.140.123.92.in-addr.arpa     udp
KR       112.175.88.209:11120                                 tcp
KR       112.175.88.208:11150                                 tcp
US       8.8.8.8:53            86.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa     udp
KR       112.175.88.209:11170                                 tcp
US       8.8.8.8:53            20.58.20.217.in-addr.arpa      udp
KR       112.175.88.207:11150                                 tcp
US       8.8.8.8:53            21.236.111.52.in-addr.arpa     udp

Files

memory/2452-0-0x0000000000250000-0x0000000000287000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 07fe947e10aac7c6e26e0578c938845e
SHA1 1e8ac3e0da548bb75664287c08651cdeb708540b
SHA256 b0ee06b910ce3f09045b4f15ff0a24a4047b0d36fddef4b1808a3395a6fb2bdb
SHA512 f65cc54fd5cbdc9ff49a17263b42e240ca0b44cf482108fecba85b7d616d65c24718b168d1a4d7a068fff415c5ddbfeceaeaf4e0bb587d578740d28df75b2a12

memory/1792-13-0x0000000000F10000-0x0000000000F47000-memory.dmp

memory/2452-15-0x0000000000250000-0x0000000000287000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 3419bd20baf35d56aa81eee396613864
SHA1 09f84ec125b495804b571ce4a7cc9e3c4f3dbc87
SHA256 6e01d85a5f7fce2f926d34f81bbeceb551a37e85426a1c1631e0e93b3d50848c
SHA512 9766e337e84ded3bf205f7479b05b7c5aa6a76b758adadac1961bc8910b29795214bef9f18930a4737a8538057cff5c294288adc8a47f90260dd2288f44fee6c

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a39f3ff1599241818ef65c0fd09039ed
SHA1 8d40b394a337a9da3330603fcd523842bccdf504
SHA256 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc
SHA512 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e

memory/1792-18-0x0000000000F10000-0x0000000000F47000-memory.dmp

memory/1792-20-0x0000000000F10000-0x0000000000F47000-memory.dmp

memory/1792-26-0x0000000000F10000-0x0000000000F47000-memory.dmp