Malware Analysis Report

2024-11-16 13:24

Sample ID 241008-w6yhmssbpr
Target 0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e
SHA256 0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e
Tags
upx urelas discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e

Threat Level: Known bad

The file 0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e was found to be: Known bad.

Malicious Activity Summary

upx urelas discovery trojan

Urelas family

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-08 18:32

Signatures

Urelas family

urelas

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-08 18:32

Reported

2024-10-08 18:35

Platform

win7-20240708-en

Max time kernel

47s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 964 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe
PID 964 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe
PID 964 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe
PID 964 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe
PID 964 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe
PID 964 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe
PID 964 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe
PID 964 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe

"C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 211.57.201.131:11120 | | tcp
KR | 211.57.201.131:11170 | | tcp

Files

memory/964-0-0x00000000013A0000-0x00000000013D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 919cededa276942794bf519a732f70b1
SHA1 20d67dff907230bd4a1a6c1f358e94f2e87bf59f
SHA256 4c20439e4f7c5c5a455e13af89a767fc10a4101937d12e781a04cfae0fc26379
SHA512 9d7ca9bbc2a72f32eeff943fae5ac88d2d8c12f5ead85734c9245f4c1632eb9403e33836d4ad2a6aa2fc2397c696f771910eb0b2b35eda738c7aa2d553289fa4

memory/964-6-0x0000000000DB0000-0x0000000000DE1000-memory.dmp

memory/2860-10-0x0000000000CF0000-0x0000000000D21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 790d13839f31c639cd8de46da32d5651
SHA1 5ea6127c75929b7f00a5a8d3b51167ad50d2f47e
SHA256 799234648766c4aa0ab5da3f93544ac41639b22674d312140cd48a3b12c759f1
SHA512 f246635909a7ba6ce7b9b945d293e73c72344458422303f5a6bb99630d63d35d349520d316d23e118badb937da9066f5a7c6112d9787cf54ba2322bb776477d8

memory/964-19-0x00000000013A0000-0x00000000013D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55d2fdd1432483e3ba86ebeccfe130b6
SHA1 7280b14d708800fd15303b2caa8628a0fbd7aa08
SHA256 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb
SHA512 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3

memory/2860-22-0x0000000000CF0000-0x0000000000D21000-memory.dmp

memory/2860-24-0x0000000000CF0000-0x0000000000D21000-memory.dmp

memory/2860-26-0x0000000000CF0000-0x0000000000D21000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-08 18:32

Reported

2024-10-08 18:35

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe

"C:\Users\Admin\AppData\Local\Temp\0dda00ec726d2719d4542cf0eb4b29ffef673db4a2202db8f71b18ca18bd554e.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
KR | 211.57.201.131:11120 | | tcp
KR | 211.57.201.131:11170 | | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/2120-0-0x0000000000080000-0x00000000000B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 98e9ee0241b55e781baf7231ceb8afe3
SHA1 3cdd772b72af7f5305534c54a0828e33d7387eab
SHA256 b12524d56424556078b53e018b93c01851d776b0b6a416aa4542cdae5b6fa9cb
SHA512 dd2253acb59c6fd50f513e02fc45a4c0483b15b0ae3aeebbaa81e50194d5d063fad1b425b042e5dfd5278804bc32117c4b5409c5b9af8e952c3d96068bed2ab4

memory/4928-13-0x0000000000FA0000-0x0000000000FD1000-memory.dmp

memory/2120-18-0x0000000000080000-0x00000000000B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 790d13839f31c639cd8de46da32d5651
SHA1 5ea6127c75929b7f00a5a8d3b51167ad50d2f47e
SHA256 799234648766c4aa0ab5da3f93544ac41639b22674d312140cd48a3b12c759f1
SHA512 f246635909a7ba6ce7b9b945d293e73c72344458422303f5a6bb99630d63d35d349520d316d23e118badb937da9066f5a7c6112d9787cf54ba2322bb776477d8

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55d2fdd1432483e3ba86ebeccfe130b6
SHA1 7280b14d708800fd15303b2caa8628a0fbd7aa08
SHA256 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb
SHA512 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3

memory/4928-21-0x0000000000FA0000-0x0000000000FD1000-memory.dmp

memory/4928-23-0x0000000000FA0000-0x0000000000FD1000-memory.dmp

memory/4928-25-0x0000000000FA0000-0x0000000000FD1000-memory.dmp