Malware Analysis Report

2024-11-16 13:25

Sample ID 241013-s2dqwsyclp
Target 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN
SHA256 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288a
Tags
urelas aspackv2 discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288a

Threat Level: Known bad

The file 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 discovery trojan

Urelas

Urelas family

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Deletes itself

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 15:36

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 15:36

Reported

2024-10-13 15:38

Platform

win7-20240729-en

Max time kernel

120s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fulaq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tobeo.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fulaq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tobeo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 588 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe C:\Users\Admin\AppData\Local\Temp\fulaq.exe
PID 588 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe C:\Windows\SysWOW64\cmd.exe
PID 1192 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\fulaq.exe C:\Users\Admin\AppData\Local\Temp\tobeo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe

"C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"

C:\Users\Admin\AppData\Local\Temp\fulaq.exe

"C:\Users\Admin\AppData\Local\Temp\fulaq.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\tobeo.exe

"C:\Users\Admin\AppData\Local\Temp\tobeo.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/588-0-0x0000000000400000-0x0000000000465000-memory.dmp

\Users\Admin\AppData\Local\Temp\fulaq.exe

MD5 08adffe2aabfef6fce9d1f68e2d03f0e
SHA1 37810e61a918c5bda4b2cc8e1304d5d28b9e5258
SHA256 9fdd5c77d66e3640295496ed4e6919662462267a47056a75dfa44c00152ebb77
SHA512 64e8101110be6b5f36134590de16e9d3963320843596fe3fcc8b818f427beed518e9e6946e61c20f864f434fab4923946077db713f35d5e00c34c57d11b1514f

memory/1192-13-0x0000000000400000-0x0000000000465000-memory.dmp

memory/588-11-0x0000000002530000-0x0000000002595000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 7b005e68ba608bed0f82bca950281e7f
SHA1 d8aa71bb2248e59685668514c773d382d9c711bd
SHA256 63c7dc1e1a47cd86a2b29d1b1ffed7c12aeeb85c4c994ac5088456b335188a6c
SHA512 c0b6a6d0d5e11d44545f446588261480d8b76db73177c35b1cd335de60342a02133c990a35ccfd042fae9e4adeba3a969ba7b48f2f674a41461ef5a7d3431cd7

memory/588-21-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 456598d98a5e0e49002099a2ea4d88d2
SHA1 be400359ae3cf48df86d24cc798a6716a8422fb9
SHA256 687a63cc1b85b104faebfa540b34ae5d961efec099c1f4d915d813cd27c20bfe
SHA512 682a186572a8d7188a8a2996fca0132cfd391f89447da19f3a047794fc729169e595f7c1a26ccf309d9e1dbac5bde38fd29b49729eafdb5794d6d8fc8d1caf10

memory/1192-24-0x0000000000400000-0x0000000000465000-memory.dmp

\Users\Admin\AppData\Local\Temp\tobeo.exe

MD5 dce35959000225209be8645511d6add2
SHA1 31324e1b76c71fdcc9880f09aff5a8fb60878a1f
SHA256 04a7d017da8d38c02d748461d175df169955a005d8959ee006fa6965c8892a77
SHA512 bc446377c6395ef38bedeea8ce1728584bee985910ee7e3a62f06595acdd62501a3dfd2169a35fe7c120ffa8cd1fcaf83d9aa2358d2e5c28af0703abe34b7a87

memory/1192-29-0x0000000003DA0000-0x0000000003E34000-memory.dmp

memory/2144-33-0x0000000000890000-0x0000000000924000-memory.dmp

memory/1192-31-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2144-36-0x0000000000890000-0x0000000000924000-memory.dmp

memory/2144-35-0x0000000000890000-0x0000000000924000-memory.dmp

memory/2144-34-0x0000000000890000-0x0000000000924000-memory.dmp

memory/2144-38-0x0000000000890000-0x0000000000924000-memory.dmp

memory/2144-39-0x0000000000890000-0x0000000000924000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 15:36

Reported

2024-10-13 15:38

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\foibm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\foibm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loupi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\loupi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\foibm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\loupi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe C:\Users\Admin\AppData\Local\Temp\foibm.exe
PID 1540 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\foibm.exe C:\Users\Admin\AppData\Local\Temp\loupi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe

"C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"

C:\Users\Admin\AppData\Local\Temp\foibm.exe

"C:\Users\Admin\AppData\Local\Temp\foibm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\loupi.exe

"C:\Users\Admin\AppData\Local\Temp\loupi.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1540-0-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\foibm.exe

MD5 c49b5a7941e0bf83ae27639f59ca9e23
SHA1 6794615e0c92e9e64aa13597eba6d23bf45c8075
SHA256 7a02f6d44d607fb5e33f8e69070cad4435ca98e421bf99ef6dd7c6ce303afa30
SHA512 a65c03386a3cef9b15dd445153f5ab2068ff1f2a95235e97643aaac12db224851ff058ef65dd67bb2692df6a405fff3b2b90c2d056c1c58e3ae86f558547b88f

memory/1540-13-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 7b005e68ba608bed0f82bca950281e7f
SHA1 d8aa71bb2248e59685668514c773d382d9c711bd
SHA256 63c7dc1e1a47cd86a2b29d1b1ffed7c12aeeb85c4c994ac5088456b335188a6c
SHA512 c0b6a6d0d5e11d44545f446588261480d8b76db73177c35b1cd335de60342a02133c990a35ccfd042fae9e4adeba3a969ba7b48f2f674a41461ef5a7d3431cd7

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 f91b982d6f50ea89b4e170ab5c39854b
SHA1 1b28a7ca5d52be9883b4cb067a9ebb69988406ea
SHA256 361e7527c45278fc944c3bd41ef8a8ef8847a7b03ad3b8ccb3a25788e05979df
SHA512 07368b730618a8e36730dd66743be3496d2e58f1d9057b2fabe5ad4e60da4a4ebe25be831e746731c241de07e83678029fc924a5088767e63dbd8706ec95960b

memory/1960-16-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\loupi.exe

MD5 76f224a80b09e3ca6c00422b31cffc8a
SHA1 7bf2e32a2aec28ade0edd245526b326f1ffa4191
SHA256 9ff0e43f349b8e780fb1bccdbc3cd511c8fe353d5405c7f3fdabcbb591bdb437
SHA512 3e20c65b10e2f0a2ca4dcf52d9eb96215e5db94cbee6b829e4cbce877e4f1cdd93c8a16901a4ab64fb015e42104b0dd762d624639f0551187913c61c899e4709

memory/4036-25-0x0000000000470000-0x0000000000504000-memory.dmp

memory/1960-26-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4036-27-0x0000000000470000-0x0000000000504000-memory.dmp

memory/4036-29-0x0000000000470000-0x0000000000504000-memory.dmp

memory/4036-28-0x0000000000470000-0x0000000000504000-memory.dmp

memory/4036-31-0x0000000000470000-0x0000000000504000-memory.dmp

memory/4036-32-0x0000000000470000-0x0000000000504000-memory.dmp