Malware Analysis Report

2024-11-16 13:28

Sample ID: 240811-2nln1sxanf
Target: 76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b
SHA256: 76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b
Tags: urelas discovery trojan upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b

Threat Level: Known bad

The file 76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas family

Urelas

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

UPX packed file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-08-11 22:43

Signatures

Urelas family

urelas

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-11 22:43
Reported: 2024-08-11 22:46
Platform: win10v2004-20240802-en
Max time kernel: 140s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 matches, no details recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe

"C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe"

C:\Users\Admin\AppData\Local\Temp\opert.exe

"C:\Users\Admin\AppData\Local\Temp\opert.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4376,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
KR | 121.88.5.183:11120 | - | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
KR | 121.88.5.184:11170 | - | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
KR | 218.54.28.139:11120 | - | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/3660-0-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\opert.exe

MD5 63ef760053b8a7b73fcd10e8aea8e70a
SHA1 14cc1a09fd0b145f41231ed98b6d78be8baaa459
SHA256 d6a23f30dcad9cb1b900c86c6dda625da55ebda4437d56ff61b12949914200d0
SHA512 a0236b4d92ba7108303a1ea26749285a5149111b4cc495d3d6da2d47daf60873c827298363985338571588bf86fd0c98ed08765121f5f0f550a0758e73717fc0

memory/2660-13-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3660-14-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 35b91ecf81f9aa60b3db2f9237bb43ad
SHA1 1937e052e7d04b17ea5453508cf373c130e3f9c1
SHA256 13a510a383b77b35d9cc35133137f7fc322ecbaf7e76f1f706b8378a950ca770
SHA512 15561e562cf3e2553390c7b933b08caeedbca8df70e15cccd5b0b39dade76f338c1ac97e8e220b444049d7304689ef07cd43cb274ed47d4a10af3570de631c79

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 711e26fa1024e8da58addb2cc5cb0480
SHA1 d74e9904ded2879fc72a86888fc6b2a565dd1c6d
SHA256 6de0fa8644d6bd089519e966f32acc2d0ab83dfc425ac40d7d5114ad83657616
SHA512 2df203e52c624dfe744df23e128d3495cf9a0bbcd5186b554724cc89a316322f5dd2e5e73a6dfec5790ad2f857be220e502024caf5b9c4500194f59e07a2bec4

memory/2660-17-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2660-18-0x0000000000400000-0x000000000045A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-11 22:43
Reported: 2024-08-11 22:46
Platform: win7-20240705-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 matches, no details recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\opert.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe

"C:\Users\Admin\AppData\Local\Temp\76ca24aa5d6f2f5885ef424d91566804ce2ce70f53efd4da44160650a3c95e6b.exe"

C:\Users\Admin\AppData\Local\Temp\opert.exe

"C:\Users\Admin\AppData\Local\Temp\opert.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 121.88.5.183:11120 | - | tcp
KR | 121.88.5.184:11170 | - | tcp
KR | 218.54.28.139:11120 | - | tcp

Files

memory/3016-0-0x0000000000400000-0x000000000045A000-memory.dmp

\Users\Admin\AppData\Local\Temp\opert.exe

MD5 716f1355553f47bb8730743e50e2510e
SHA1 55ebf6dc178fa1204d9c0c8b401713457792b53b
SHA256 5b4438908c2fe7168531afaeeb288b210842c00f62464a04ca1794abe139868d
SHA512 25acde5aceb31292aeb50ce29c31246549c9761891732f82f09b9ca1cc01ce2e2ad7ade50ff80cba5833d2e6095c2ccba6e6fafec99c80618d530650000e8ec6

memory/3016-10-0x0000000002630000-0x000000000268A000-memory.dmp

memory/2408-16-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 35b91ecf81f9aa60b3db2f9237bb43ad
SHA1 1937e052e7d04b17ea5453508cf373c130e3f9c1
SHA256 13a510a383b77b35d9cc35133137f7fc322ecbaf7e76f1f706b8378a950ca770
SHA512 15561e562cf3e2553390c7b933b08caeedbca8df70e15cccd5b0b39dade76f338c1ac97e8e220b444049d7304689ef07cd43cb274ed47d4a10af3570de631c79

memory/3016-18-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 711e26fa1024e8da58addb2cc5cb0480
SHA1 d74e9904ded2879fc72a86888fc6b2a565dd1c6d
SHA256 6de0fa8644d6bd089519e966f32acc2d0ab83dfc425ac40d7d5114ad83657616
SHA512 2df203e52c624dfe744df23e128d3495cf9a0bbcd5186b554724cc89a316322f5dd2e5e73a6dfec5790ad2f857be220e502024caf5b9c4500194f59e07a2bec4

memory/2408-21-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2408-22-0x0000000000400000-0x000000000045A000-memory.dmp