Malware Analysis Report

2024-11-16 13:26

Sample ID 241008-frg94szgkn
Target fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6
SHA256 fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6

Threat Level: Known bad

The file fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-08 05:06

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-08 05:06

Reported

2024-10-08 10:44

Platform

win7-20240903-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe

"C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
KR | 112.175.88.209:11170 | | tcp
KR | 112.175.88.207:11150 | | tcp

Files

memory/2288-0-0x0000000000360000-0x0000000000391000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 b8e234dfbdbd6300ac4ad07ff295ce1f
SHA1 e148bf4aacd7125cd8cc20b0ed0c31096efab277
SHA256 6c3903f67ec3e9514e6490171a6a41e3b839469f45e56881514aee66303abaab
SHA512 b2d99d62853b2d34f4f81f11cb38b8417fb4ff4f4a77a0bd485497b9cf416b59e116e2f4fcfaf7e3337e594312d71dd81e3005de3ce4025c76389a00f8783f85

memory/2108-10-0x0000000000C30000-0x0000000000C61000-memory.dmp

memory/2288-9-0x0000000000570000-0x00000000005A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 540a9ac78448a14043de54466947c995
SHA1 b1fac401682e5ebc32169f549111554cf8a8b7ca
SHA256 6d2c7ce0566cc4da3a8152380e04db7242b75328b12c3f4f8c675b9fa72b963b
SHA512 ea3c011243b6173bf6243057072b0e152335ecc79a97d7086db84e857e111bae3969c23e63c55cadbe66fd987254b44b90e4b2358404718563ead73ab8346723

memory/2288-18-0x0000000000360000-0x0000000000391000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ede6388dfbb03ff576508b085d03e793
SHA1 71d2e779ac6ed074b5698651a8c7fa3b047ccb50
SHA256 779c0d78580692dadb2978ddfcd44d68f8282bb3453c638c9a4c2feecc1b96f8
SHA512 097e3b9b2ad80944e542785db3a9062ecb2c657192d96659dcc5267f362b186c91722f2bc103f19ef895e6d9821cf33d262569fae23605888d75f38d2e30093b

memory/2108-21-0x0000000000C30000-0x0000000000C61000-memory.dmp

memory/2108-22-0x0000000000C30000-0x0000000000C61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-08 05:06

Reported

2024-10-08 10:44

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe

"C:\Users\Admin\AppData\Local\Temp\fe8551f94bbb32fe53d7613d6b06c1f6a4531fa6dbdacc0b7c495c3b755993a6.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
KR | 112.175.88.209:11120 | | tcp
KR | 112.175.88.208:11150 | | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
KR | 112.175.88.209:11170 | | tcp
KR | 112.175.88.207:11150 | | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 204.201.50.20.in-addr.arpa | udp

Files

memory/1388-0-0x0000000000060000-0x0000000000091000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 7bc24c9d58f61739a16c3621da0544b8
SHA1 2bcb07d63cc412037fe43f7f086b0db3bd91b3be
SHA256 3eb4b2a55ee8250a9c0323c7cc1412c5c4e5ba70de1bb7a646b86daf76a869d8
SHA512 0c0348520015c4c25c9b4c547cfae4c119342526337bca8ace3629ab4cb65c4d017194966de3bf8bc024f8010b2048c0261b0f8d1c91f0c683f2f171461fe310

memory/2612-15-0x00000000005B0000-0x00000000005E1000-memory.dmp

memory/1388-17-0x0000000000060000-0x0000000000091000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 540a9ac78448a14043de54466947c995
SHA1 b1fac401682e5ebc32169f549111554cf8a8b7ca
SHA256 6d2c7ce0566cc4da3a8152380e04db7242b75328b12c3f4f8c675b9fa72b963b
SHA512 ea3c011243b6173bf6243057072b0e152335ecc79a97d7086db84e857e111bae3969c23e63c55cadbe66fd987254b44b90e4b2358404718563ead73ab8346723

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ede6388dfbb03ff576508b085d03e793
SHA1 71d2e779ac6ed074b5698651a8c7fa3b047ccb50
SHA256 779c0d78580692dadb2978ddfcd44d68f8282bb3453c638c9a4c2feecc1b96f8
SHA512 097e3b9b2ad80944e542785db3a9062ecb2c657192d96659dcc5267f362b186c91722f2bc103f19ef895e6d9821cf33d262569fae23605888d75f38d2e30093b

memory/2612-20-0x00000000005B0000-0x00000000005E1000-memory.dmp

memory/2612-21-0x00000000005B0000-0x00000000005E1000-memory.dmp