Malware Analysis Report

2024-11-16 13:28

Sample ID 240813-htdqtavbnl
Target 14a6f83b336fbc8b254543349cea5f30N.exe
SHA256 456c0704aa62d7190badc3716cdbdf8174874deeaa48a29f4cc954ff0c96677f
Tags
urelas aspackv2 discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

456c0704aa62d7190badc3716cdbdf8174874deeaa48a29f4cc954ff0c96677f

Threat Level: Known bad

The file 14a6f83b336fbc8b254543349cea5f30N.exe was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 discovery trojan

Urelas family

Urelas

Executes dropped EXE

ASPack v2.12-2.42

Checks computer location settings

Deletes itself

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 07:01

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 07:01

Reported

2024-08-13 07:03

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sirub.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sirub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\saceo.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sirub.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\saceo.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\saceo.exe N/A (48 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe

"C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe"

C:\Users\Admin\AppData\Local\Temp\sirub.exe

"C:\Users\Admin\AppData\Local\Temp\sirub.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\saceo.exe

"C:\Users\Admin\AppData\Local\Temp\saceo.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

memory/1536-0-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sirub.exe

MD5 54861a6e2cdab9a5b2cc1b7ae688c248
SHA1 813c7a087a721cfa0ce4b6c41cf448a19ce06849
SHA256 9c51d5a91a7acd34fcadb94823f70fa080d99a0535cea66c750b845a434ca3f9
SHA512 a50303d6b4494d9e07cb4a8b1fe49ac25556b5c3d30b47a6402e80ac2869405b9f3eef271091692bd9312f8dd321d4a68ecbb00a4c34eede116845415c9b0de5

memory/1536-13-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 f1b753fe3ad15a1ae399c1777c46084f
SHA1 596539fe428acb2bacbf8e6b0e2847cdda422404
SHA256 e82653e9f647fe2b0fc7519f2dba359df2a25f623dbc1f0c5b1ed891b998875d
SHA512 cd78c315d10e7d23977736cf6006f0d2a141b5febf66478c44be1db7ee1cb66be17c3318342234ce296264119f3e80259ac906e7914b8cfadad986800088dfba

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 885b9d96550e8fd9851081c32fa3da1b
SHA1 8e86cfc8757f5c5188e287d9b8eeceab4662cac2
SHA256 37d1816f5b142fe3c994dec04e020a437ed80489e3a1a8a14de9b3400f4da575
SHA512 fc85a9fec53ee129e6b773753951293e1f91b116749507643efe88df43bac10a5b345c596f82628ae462ec2702bdf146d22764b86822367cfa55bf3967007db2

C:\Users\Admin\AppData\Local\Temp\saceo.exe

MD5 5979bb194cd58f555bbb0495d8853e80
SHA1 69da707be4c812c6eddc461a4b58a7938688f83e
SHA256 cdbddad5914ddbdac67846579bf53137fd61af422807f5cf4f407310c35fbee9
SHA512 22ed6d0314b47d4861527c01486bb842b6f56322f05dd4d8ba6310f4b497c6852cc788ce7980a8eef5b064a852d6449579c86adcdf3c22ea5ad9c559d8813df2

memory/5104-23-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4288-24-0x0000000000C70000-0x0000000000D04000-memory.dmp

memory/4288-28-0x0000000000C70000-0x0000000000D04000-memory.dmp

memory/4288-27-0x0000000000C70000-0x0000000000D04000-memory.dmp

memory/4288-26-0x0000000000C70000-0x0000000000D04000-memory.dmp

memory/4288-30-0x0000000000C70000-0x0000000000D04000-memory.dmp

memory/4288-31-0x0000000000C70000-0x0000000000D04000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 07:01

Reported

2024-08-13 07:03

Platform

win7-20240729-en

Max time kernel

120s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ciost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zeguz.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ciost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zeguz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe C:\Users\Admin\AppData\Local\Temp\ciost.exe (4 identical rows)
PID 2716 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2640 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\ciost.exe C:\Users\Admin\AppData\Local\Temp\zeguz.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe

"C:\Users\Admin\AppData\Local\Temp\14a6f83b336fbc8b254543349cea5f30N.exe"

C:\Users\Admin\AppData\Local\Temp\ciost.exe

"C:\Users\Admin\AppData\Local\Temp\ciost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\zeguz.exe

"C:\Users\Admin\AppData\Local\Temp\zeguz.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2716-0-0x0000000000400000-0x0000000000465000-memory.dmp

\Users\Admin\AppData\Local\Temp\ciost.exe

MD5 6e67a0a269c5879bdbce8799211213bc
SHA1 7b98a8aab23eae3896bcebb3671db25adcc16e73
SHA256 db1ff98205b2c026f80dcecf6a652771ab830578416c4453cbd14488b9f21821
SHA512 17c075b7f67f6334dec4cbecd788dac2522b884cb0ac799b28c19710bdae5fd344fe17263ad7f4986718daa9365a7ca59cae81e29429c454fb933a3a67468423

memory/2716-12-0x00000000024A0000-0x0000000002505000-memory.dmp

memory/2716-11-0x00000000024A0000-0x0000000002505000-memory.dmp

memory/2640-14-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 f1b753fe3ad15a1ae399c1777c46084f
SHA1 596539fe428acb2bacbf8e6b0e2847cdda422404
SHA256 e82653e9f647fe2b0fc7519f2dba359df2a25f623dbc1f0c5b1ed891b998875d
SHA512 cd78c315d10e7d23977736cf6006f0d2a141b5febf66478c44be1db7ee1cb66be17c3318342234ce296264119f3e80259ac906e7914b8cfadad986800088dfba

memory/2716-22-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 11a867df8d83e32947642091c41196fd
SHA1 77fde987152e326c649b1138297e17691b98c415
SHA256 a3fb9376ddd7cd6c8fe5505eb3e27afe0bbe28a35ee1d3e7cf07ee644941661f
SHA512 b1549c41cb15edcd30e477a88401ef1dea66d693a20728e47d2107b09f473d7cdcedf1165918b66cd7e50ef35d9bfa370b3a896e4d8ad7ce26032fed10358044

C:\Users\Admin\AppData\Local\Temp\zeguz.exe

MD5 5ebf44f1f44448fd06ed94a7ca8128ed
SHA1 c5ad46677ef1e28746c373f879fb3b2a78cb1380
SHA256 704900679a2f1b7999c62c703bf1c35d9d8a3237e14d422e4c8b6fcecb341121
SHA512 d4dd6f9941834b4e55ec57b1551cbccb5fcbb22d9106c10db4cb9ba69ce80ba4be36f1632bdd21059d716ff1d784b1304164f1632e8f21f0dfb16e0dc50527bc

memory/2640-32-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2640-30-0x0000000003300000-0x0000000003394000-memory.dmp

memory/1984-33-0x0000000000E20000-0x0000000000EB4000-memory.dmp

memory/1984-34-0x0000000000E20000-0x0000000000EB4000-memory.dmp

memory/1984-36-0x0000000000E20000-0x0000000000EB4000-memory.dmp

memory/1984-35-0x0000000000E20000-0x0000000000EB4000-memory.dmp

memory/1984-39-0x0000000000E20000-0x0000000000EB4000-memory.dmp

memory/1984-40-0x0000000000E20000-0x0000000000EB4000-memory.dmp