Malware Analysis Report

2024-11-16 13:27

Sample ID 240801-e2dh8swelb
Target 3bfb0560881a2192e0e5822998cf9a90N.exe
SHA256 89ed2ff188c84fc98fa5aec6914dc96d5e480bc6a1160050aa89cbbdd822e890
Tags urelas discovery trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

89ed2ff188c84fc98fa5aec6914dc96d5e480bc6a1160050aa89cbbdd822e890

Threat Level: Known bad

The file 3bfb0560881a2192e0e5822998cf9a90N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Executes dropped EXE

Loads dropped DLL

Deletes itself

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-01 04:25

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-01 04:25

Reported

2024-08-01 04:27

Platform

win7-20240705-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ryhog.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qybec.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ryhog.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qybec.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2540 wrote to memory of 2024 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe | C:\Users\Admin\AppData\Local\Temp\ryhog.exe
PID 2540 wrote to memory of 1872 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1700 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\ryhog.exe | C:\Users\Admin\AppData\Local\Temp\qybec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe

"C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe"

C:\Users\Admin\AppData\Local\Temp\ryhog.exe

"C:\Users\Admin\AppData\Local\Temp\ryhog.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\qybec.exe

"C:\Users\Admin\AppData\Local\Temp\qybec.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11110 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.31.165:11110 | | tcp
JP | 133.242.129.155:11110 | | tcp

Files

\Users\Admin\AppData\Local\Temp\ryhog.exe

MD5 8d6d60f5c43b6c3de20b729aa018826e
SHA1 53db40b03577e89586541d8e99f4c43997af47af
SHA256 b021ab45e478b4bb21fae0d6b9957c942b760b162717bdbdff0b58a783ccab6f
SHA512 261a345811b2e3759a32ee37f3d43db6e190bd24a34004a1fa542cbe56fb48badf71a3fa178ca8aa888d0cda25de6a8662a120d71cbd67d817c7aef433687796

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 63dac65e49c3d5c950d92037a21460a1
SHA1 8a344ccefb34634747379346a17af075add97c3f
SHA256 43951d7fb4735c2decbf40ca8656ff7f9917796c771943a0b4d7557157e4f355
SHA512 bc854428d78d962da9c0e11a0be84c4e607f5f5140c9acae30ec8d209e291ae3eedb3a79626d9ab7710223dc0bd1c256e962b09d14b015267467ecfdaa0f8a85

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 954e14b5370b87b5b94f72b10458537a
SHA1 45c9d3199e80465309475c204bdeab5b906d6ebf
SHA256 e3de093705c0a169cc543524a6a031ab8164033f44382946406b9135e26598ea
SHA512 3d01610c82b2f423004fd884e8c94b8403cbdffd05876bfe74bd292e989a1312de70b299f8861aa9dcf6e9f337e1df6b0a85dec54e5e710e429a018d4960ded8

\Users\Admin\AppData\Local\Temp\qybec.exe

MD5 47d714f76f29cef8f758f76516e5bdf9
SHA1 f62d7d53f57038755990d95be0cb81825573e654
SHA256 a4f5f533fc533173cde4e9dd434d1f444d24abd490d89815a185522a4ff80895
SHA512 4a72317ce1ae4a8ab21ffeb1d71de11b9a6bcb0efa7b648d10ae1c71f346cf36c6c072bf7f1e689ef61660390ae482219e4ddcd3720ff4418f5cedc44260662a

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-01 04:25

Reported

2024-08-01 04:27

Platform

win10v2004-20240730-en

Max time kernel

119s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qoqug.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qoqug.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jeodg.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qoqug.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jeodg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (48 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\jeodg.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe

"C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe"

C:\Users\Admin\AppData\Local\Temp\qoqug.exe

"C:\Users\Admin\AppData\Local\Temp\qoqug.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\jeodg.exe

"C:\Users\Admin\AppData\Local\Temp\jeodg.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
KR | 218.54.31.226:11110 | | tcp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
KR | 218.54.31.165:11110 | | tcp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
JP | 133.242.129.155:11110 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\qoqug.exe

MD5 7467a7b0ade2656b1939fd3941429068
SHA1 7d0c12c5d34f68120e8d60b00c898acd01c51057
SHA256 a2b996c4e7136d40e42fbb11b74909719298b84305d24baace66777040a68eaf
SHA512 7edac92db49eb80bf5a3450fdc664e6b6fd5146b52173ed7024919a306d055342d5d34d107ce045cf0539663646d721cf05a447e38e3fda0cf49bfe2886b6b98

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 63dac65e49c3d5c950d92037a21460a1
SHA1 8a344ccefb34634747379346a17af075add97c3f
SHA256 43951d7fb4735c2decbf40ca8656ff7f9917796c771943a0b4d7557157e4f355
SHA512 bc854428d78d962da9c0e11a0be84c4e607f5f5140c9acae30ec8d209e291ae3eedb3a79626d9ab7710223dc0bd1c256e962b09d14b015267467ecfdaa0f8a85

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 0b08283183776ba7cf50ec259a29b001
SHA1 847af9b8bd24a0b437da3f151395d0df42ac0bcf
SHA256 8b3c3f2fe6ef6cc6ce99bc9099be1a1ef6bc2088e6d6198bb8ac9a4485183a44
SHA512 bab66a84315a60797fc25fb285018c349029093ec6b3dfa2cc40d59da0a80aaf1b9238d7b9a8c300c092e6332d9ece0ecf5949e014e1dc6c9bf526d209f79340

C:\Users\Admin\AppData\Local\Temp\jeodg.exe

MD5 56b903e172f97a394c22b8c3f9156b9f
SHA1 96fae3f831b72ce6f857a277c5895dac59910846
SHA256 ad07c912b907722f30858919ec43633b072ba11df6607d367d0c62afad541bf0
SHA512 c16126465e34c1cc27525fc09c28dae07fa2229ef2495437cc519d1da80ca0e4505a936a132029bb22602539d1d8bbddc84232de7c3c33bfdcb6eba398ee0b48