Malware Analysis Report

2024-11-16 13:27

Sample ID 240807-djkzxszakr
Target cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb
SHA256 cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb
Tags urelas discovery trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb

Threat Level: Known bad

The file cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-07 03:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 03:02

Reported

2024-08-07 03:04

Platform

win7-20240704-en

Max time kernel

90s

Max time network

83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe

"C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination            Domain  Proto
KR       112.175.88.209:11120   -       tcp
KR       112.175.88.208:11150   -       tcp
KR       112.175.88.209:11170   -       tcp
KR       112.175.88.207:11150   -       tcp

Files

memory/2172-0-0x0000000000C50000-0x0000000000C87000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 b42db576208121735b9203953edebd34
SHA1 28a4a2fa39910e2ad53b3daf0c56d500251df6c7
SHA256 5746c14ffb65a69526aef3e74eb395fcb5793bc62d7d159f84a1026b017b47b2
SHA512 adffbe719b4dbcfb7e36e6642e96271c0db324391a0ebc0319e5dd6e055a022474e6148b1db336b6ef40469be9bc9baf7244ee1d317e047f008c4441ee6fc0a5

memory/2172-6-0x0000000000B00000-0x0000000000B37000-memory.dmp

memory/968-10-0x0000000000FE0000-0x0000000001017000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 060a220c7dd7c939af5b9104732001bd
SHA1 67dc7728f78072c8f754b710ce2e1b1c8bc1e19f
SHA256 df86da355a64ba5107a90fafa4c7437ddf6a9ae0d83ffe0a739ee703d784e998
SHA512 6757edfd77352432701c5150415e380add0d511e033645d34da3dcd4aa8bd9dd844364ce02a5bc82ce0258aae1cbb8009cc167f040f7e058540caa23bab3ba33

memory/2172-19-0x0000000000C50000-0x0000000000C87000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a39f3ff1599241818ef65c0fd09039ed
SHA1 8d40b394a337a9da3330603fcd523842bccdf504
SHA256 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc
SHA512 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e

memory/968-22-0x0000000000FE0000-0x0000000001017000-memory.dmp

memory/968-24-0x0000000000FE0000-0x0000000001017000-memory.dmp

memory/968-30-0x0000000000FE0000-0x0000000001017000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 03:02

Reported

2024-08-07 03:04

Platform

win10v2004-20240802-en

Max time kernel

100s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe

"C:\Users\Admin\AppData\Local\Temp\cb8e383868c93d77b50ed278d0005ecfb3096027e9de747a0da13272ea8cf8eb.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination            Domain                          Proto
US       8.8.8.8:53             4.159.190.20.in-addr.arpa       udp
US       8.8.8.8:53             57.169.31.20.in-addr.arpa       udp
US       8.8.8.8:53             77.190.18.2.in-addr.arpa        udp
KR       112.175.88.209:11120   -                               tcp
KR       112.175.88.208:11150   -                               tcp
US       8.8.8.8:53             26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53             71.190.18.2.in-addr.arpa        udp
KR       112.175.88.209:11170   -                               tcp
KR       112.175.88.207:11150   -                               tcp
US       8.8.8.8:53             172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53             43.229.111.52.in-addr.arpa      udp

Files

memory/3940-0-0x0000000000170000-0x00000000001A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 25c1fbc8956f68917485c169e390cd85
SHA1 a99ea4d8c25c735436ae9cb49cc0cc9668692116
SHA256 180d12e845508261f7d3577c10bff8097d88673c133d4c7c8b2ada8cb1ec64fd
SHA512 1f43c67ee37bba139f3bf16f24802888028de141485516c43cab5f39fe4e73dc6b7d1c18c5954a4cf75d1158c4f67ae15b167e99e7c1fb9b556f4e62a3a2bd6b

memory/2636-10-0x00000000001A0000-0x00000000001D7000-memory.dmp

memory/3940-15-0x0000000000170000-0x00000000001A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 060a220c7dd7c939af5b9104732001bd
SHA1 67dc7728f78072c8f754b710ce2e1b1c8bc1e19f
SHA256 df86da355a64ba5107a90fafa4c7437ddf6a9ae0d83ffe0a739ee703d784e998
SHA512 6757edfd77352432701c5150415e380add0d511e033645d34da3dcd4aa8bd9dd844364ce02a5bc82ce0258aae1cbb8009cc167f040f7e058540caa23bab3ba33

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a39f3ff1599241818ef65c0fd09039ed
SHA1 8d40b394a337a9da3330603fcd523842bccdf504
SHA256 1a642c68cd9771cc0f73ba498cf973bb560f34ac6f55ab17d26847a7714e34dc
SHA512 32e59ac200465d2c6c53c76344bfc1382ad12359a4e691c0473a86ba00f264fe7a93925bfac6fb0e4e18ff1a913b2dbba87f6d707e2ce0eafdb861f42028286e

memory/2636-18-0x00000000001A0000-0x00000000001D7000-memory.dmp

memory/2636-20-0x00000000001A0000-0x00000000001D7000-memory.dmp

memory/2636-27-0x00000000001A0000-0x00000000001D7000-memory.dmp