Malware Analysis Report

2024-11-16 13:24

Sample ID 241007-ydbvaawclf
Target 27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1
SHA256 27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1
Tags
upx urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1

Threat Level: Known bad

The file 27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1 was found to be: Known bad.

Malicious Activity Summary

upx urelas discovery trojan

Urelas family

Urelas

Executes dropped EXE

Loads dropped DLL

Deletes itself

Checks computer location settings

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 19:39

Signatures

Urelas family

urelas

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 19:39

Reported

2024-10-07 19:43

Platform

win7-20240903-en

Max time kernel

91s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\huter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe

"C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 112.175.88.209:11120 tcp
KR 112.175.88.208:11150 tcp
KR 112.175.88.209:11170 tcp
KR 112.175.88.207:11150 tcp

Files

memory/2876-0-0x0000000000400000-0x0000000000431000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 836db3035505dd5214fe48ccd600c503
SHA1 3fc5ad46378ea143e0fa0ecf61b8116e70452791
SHA256 76b3b383d6a10aebda4d955c3d024d4d42a87296bcca26abeaf46c4b98311177
SHA512 d51fef73c08195f9df11c099e4b92400ce5b9b4b33437766cd41740f89c67a528328f29fe7516ec43ebd0df5910e9d200e2e9d818b102bc5ee5df9162f18f42c

memory/1864-9-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 839fcd8ad55c2036ccbc1a03c7dcd838
SHA1 542fa9ba2f7b049ac94617d49aeb0bb97ed01052
SHA256 8219e7029137248d238defe857458d4ac53194f9f3aa733e6e88654aa66a29ca
SHA512 b89b84296e8b40226b3622a670108689f69f4ecbba9dbe736558f06817f1c44615fe44d043e6a09ecb63bb7fc45cc2e687c27f6193959be84a09203252bac676

memory/2876-17-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a01dba4c45102fc15292fd5591166536
SHA1 d96191c30e0f09439d8547f4ededbf6726ccd54b
SHA256 cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
SHA512 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

memory/1864-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1864-22-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1864-28-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 19:39

Reported

2024-10-08 11:00

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\huter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe

"C:\Users\Admin\AppData\Local\Temp\27de06fca92729ff9bb8b5a9cc97fd677512910a7e2dd1e5462b9de30a8359b1.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
KR 112.175.88.209:11120 tcp
KR 112.175.88.208:11150 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
KR 112.175.88.209:11170 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
KR 112.175.88.207:11150 tcp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3620-0-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 294a9136a801b41b258feb29c08f7be9
SHA1 e9784752a7efdf457a7b2b2f8437adeb11c38d37
SHA256 0c6c782e73064aeac8001cd75998541b94fc2ec406cbddddd10a23f24da7627d
SHA512 df206361736fe0443f1b4400151159cd2a41c3fbe6189db61cc198ffa8a359bd31c2b24b3924b288c290f2a9b9e3144d46ba5e61658de1787ca2d7633583a4fd

memory/3620-17-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 839fcd8ad55c2036ccbc1a03c7dcd838
SHA1 542fa9ba2f7b049ac94617d49aeb0bb97ed01052
SHA256 8219e7029137248d238defe857458d4ac53194f9f3aa733e6e88654aa66a29ca
SHA512 b89b84296e8b40226b3622a670108689f69f4ecbba9dbe736558f06817f1c44615fe44d043e6a09ecb63bb7fc45cc2e687c27f6193959be84a09203252bac676

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a01dba4c45102fc15292fd5591166536
SHA1 d96191c30e0f09439d8547f4ededbf6726ccd54b
SHA256 cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
SHA512 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

memory/4128-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4128-22-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4128-28-0x0000000000400000-0x0000000000431000-memory.dmp