Malware Analysis Report

2024-11-16 13:24

Sample ID 241007-laxw5axflk
Target e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N
SHA256 e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47
Tags: urelas discovery trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47

Threat Level: Known bad

The file e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 09:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 09:20

Reported

2024-10-07 09:22

Platform

win7-20240903-en

Max time kernel

119s

Max time network

85s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\duryq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niwaw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\duryq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\niwaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1812 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe C:\Users\Admin\AppData\Local\Temp\duryq.exe (4 identical entries)
PID 1812 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2456 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\duryq.exe C:\Users\Admin\AppData\Local\Temp\niwaw.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe

"C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe"

C:\Users\Admin\AppData\Local\Temp\duryq.exe

"C:\Users\Admin\AppData\Local\Temp\duryq.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\niwaw.exe

"C:\Users\Admin\AppData\Local\Temp\niwaw.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/1812-0-0x00000000003A0000-0x0000000000421000-memory.dmp

memory/1812-1-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\duryq.exe

MD5 e9719618a92bcceb404a0717aa4d124c
SHA1 e95830f407bf12df9236bdcf69b5aa044017609b
SHA256 c94117852b8009fa7758d75583d41973c1ea9b8d96f0dbd74ae326b80cb3a541
SHA512 716c04886164fcab730d29a4f19910588e24c3ba2c3c80dbc7c0f1444914953e651dbc9663eb4e558f385949fcc715c38bcb230868bcbc120703b1bb06e1e819

memory/1812-7-0x00000000020B0000-0x0000000002131000-memory.dmp

memory/2456-11-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 9e119f9c63a8d07e442a59fa120c3551
SHA1 87f294bed0aeb68bc9440ef1c3f5fff2e2686a42
SHA256 e332095b80112a9c7e85370711e04b18ae3891e0c6b17c29b84e1cb6b7a2ae0d
SHA512 f697d0e5c7e28f843a35c623a07cc75f097e649de211ffda489209a99d9ddb040f4555c67a58f2635d6b552e3a5856d601a2da3a16f519925c18ca2cbf45c8c5

memory/1812-20-0x00000000003A0000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 bfbbd94ed0f9d1b80a54d9c7e5413644
SHA1 5b26c90a207885f6afc15482c069c9928e7a021d
SHA256 ba40dafd4de40e0b7817b2ef64de285e5e0aa4cb3b9fcf74e0632a2b9b2e34e4
SHA512 db2e5c95f2c7f55fa0477e807ed6b7414e2ff223a4c52699ed4adfe172d035d3638d4e529c52b426dc6f97a625a3b432e715fcc848afc0b422ec9067c686b8d6

memory/2456-24-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2456-23-0x00000000011B0000-0x0000000001231000-memory.dmp

\Users\Admin\AppData\Local\Temp\niwaw.exe

MD5 5ddeb81f5617a59b0fb5b4b9193032fa
SHA1 ec24f27033b694ab0ff84aae05998b48d47ec551
SHA256 02e9f6a7d9eb9575f35ecb848c36618db06aff7e4a379aceb1142f63864c85df
SHA512 4ce1221687fef6afa00a1c51b7f3a3ecf8cf60f3d28f328205132391f586ba1b2fa48e2d47d54f4142c2caeb5650f43fb9d7344577ab939287c52d344004f403

memory/2456-41-0x00000000011B0000-0x0000000001231000-memory.dmp

memory/1508-42-0x0000000000FC0000-0x0000000001059000-memory.dmp

memory/2456-39-0x00000000036D0000-0x0000000003769000-memory.dmp

memory/1508-43-0x0000000000FC0000-0x0000000001059000-memory.dmp

memory/1508-47-0x0000000000FC0000-0x0000000001059000-memory.dmp

memory/1508-48-0x0000000000FC0000-0x0000000001059000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 09:20

Reported

2024-10-07 09:22

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\duuly.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\duuly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cucen.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\duuly.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cucen.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cucen.exe N/A (48 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe C:\Users\Admin\AppData\Local\Temp\duuly.exe (3 identical entries)
PID 1264 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 1512 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\duuly.exe C:\Users\Admin\AppData\Local\Temp\cucen.exe (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe

"C:\Users\Admin\AppData\Local\Temp\e5eb5cf10574741822d8b56cb9de772b37428254d329bbad3894d7a7fce23a47N.exe"

C:\Users\Admin\AppData\Local\Temp\duuly.exe

"C:\Users\Admin\AppData\Local\Temp\duuly.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\cucen.exe

"C:\Users\Admin\AppData\Local\Temp\cucen.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1264-0-0x0000000000470000-0x00000000004F1000-memory.dmp

memory/1264-1-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\duuly.exe

MD5 399e608a7b38f217b261a230aeeee2da
SHA1 d1a6c8f87b67a72dcc2c5d0430a7a6be0888f993
SHA256 bf28ed413a675c3fba514cfc12ac349555a26bdbeb07dc5ee50d2af15b7c6c32
SHA512 93d4749deeeb0e395ac387008382790df5af9ca5dae1ef20dcafe007ac30c3e4925dfb397a191a4e455528eec05393538666a1f2ab000f72d297366c771088d5

memory/1512-14-0x0000000000790000-0x0000000000791000-memory.dmp

memory/1264-17-0x0000000000470000-0x00000000004F1000-memory.dmp

memory/1512-11-0x00000000000A0000-0x0000000000121000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 9e119f9c63a8d07e442a59fa120c3551
SHA1 87f294bed0aeb68bc9440ef1c3f5fff2e2686a42
SHA256 e332095b80112a9c7e85370711e04b18ae3891e0c6b17c29b84e1cb6b7a2ae0d
SHA512 f697d0e5c7e28f843a35c623a07cc75f097e649de211ffda489209a99d9ddb040f4555c67a58f2635d6b552e3a5856d601a2da3a16f519925c18ca2cbf45c8c5

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 f5fb21ec1b4fa8c28aed5dab4b7e9c0c
SHA1 bc7e3f624c7331d37847726e7a3ce374d5616f9d
SHA256 b1af85f701c6d33bf7a023db7bf9c6aa0bc4fcd873355dd50fd8e20f9f0c23b3
SHA512 eff02516cb10d1ed89850f48d182d21e79c9837dc13791362c8596eaba5eaf3460a1ea27f247afcb7a26004e4235047b4bcf26139bebeba415dfafb748b602cd

memory/1512-20-0x00000000000A0000-0x0000000000121000-memory.dmp

memory/1512-21-0x0000000000790000-0x0000000000791000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cucen.exe

MD5 5fcd3d474b9474ce135fdbee7a74faf8
SHA1 013cc9a52f8131029458d5dad4c15c70dc940fbb
SHA256 4589ee25b405bf2fee3c72113e7b760ac52e9a87fc8db9ce2c961261aea9c014
SHA512 f1a2a33ae9cda4337dbf55beff894e23147412517c7944dbbf17193f2ec17e8b6e5bec9447f9dd5fd747018d209e7261f44f44c87a075c1af1be6386aa303843

memory/2544-38-0x0000000000490000-0x0000000000529000-memory.dmp

memory/2544-42-0x0000000001200000-0x0000000001202000-memory.dmp

memory/1512-44-0x00000000000A0000-0x0000000000121000-memory.dmp

memory/2544-39-0x0000000000490000-0x0000000000529000-memory.dmp

memory/2544-46-0x0000000000490000-0x0000000000529000-memory.dmp

memory/2544-47-0x0000000000490000-0x0000000000529000-memory.dmp