Malware Analysis Report

2024-11-16 13:24

Sample ID 241009-y5wzjaxfjh
Target aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN
SHA256 aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3d
Tags: urelas, discovery, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3d

Threat Level: Known bad

The file aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN was found to be: Known bad.

Malicious Activity Summary

Tags: urelas, discovery, trojan

Urelas

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-10-09 20:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-09 20:22
Reported: 2024-10-09 20:24
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"

Signatures

Urelas

Tags: trojan, urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\niinu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pucop.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pucop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\niinu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2732 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe C:\Users\Admin\AppData\Local\Temp\niinu.exe 4
PID 2732 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe C:\Windows\SysWOW64\cmd.exe 4
PID 3024 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\niinu.exe C:\Users\Admin\AppData\Local\Temp\pucop.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe

"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"

C:\Users\Admin\AppData\Local\Temp\niinu.exe

"C:\Users\Admin\AppData\Local\Temp\niinu.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\pucop.exe

"C:\Users\Admin\AppData\Local\Temp\pucop.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 - tcp
KR 1.234.83.146:11170 - tcp
KR 218.54.31.166:11300 - tcp
JP 133.242.129.155:11300 - tcp

Files

memory/2732-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2732-0-0x0000000000350000-0x00000000003D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\niinu.exe

MD5 19716fc5cf365cdcf515b94ab06e7a62
SHA1 b4fb360c41f6dcad584b11a170f7183c1bf4a479
SHA256 81acc85eab1343f759aa22bbf2f555f475e2f573c7599079f9a42e2507901f30
SHA512 5c13bbe37b55239ebb80cb72f87b67122009c1ef76deba117f292f800870b8c7c601a6bb7ecb126e722a8f8bacd71c2ba0207041e9e592820c04d94baef9c1aa

memory/2732-7-0x0000000000410000-0x0000000000491000-memory.dmp

memory/3024-11-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 341c4ce3e924b56dc4c616265edeb003
SHA1 46645aa2a5a673b4fe27a30fdebc9c7bffedfcb7
SHA256 4b590f8945bf4998a047f53d9c1d8f9b8f31608498739d5892e08c89c4a679bb
SHA512 67d85c39b7507c974e790a35314038f47cdbc9fc664963fb717fe2d42aa4e586c5ef54cbcc56d777df32684793197dd177741c886a0ca12ed12c5cecd5a02ab7

memory/2732-20-0x0000000000350000-0x00000000003D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 7163d2c6414f7dd3fc3b1d50f50c75c1
SHA1 41480eb7c2d60f4f2bb89aa0ae921d538d13a244
SHA256 df0b622729f03145fca9418ba19ac578a699d174386f14b90285ccb5e60b10d5
SHA512 dbeabfd393bfca1dfafbda29bb43e00bbb95da6bc220b36555aeae913ff6053da97b9546197f63349ecec59dbcc4c794b277aeb0624a888aeadf0fc0bc154fe3

memory/3024-23-0x0000000001320000-0x00000000013A1000-memory.dmp

memory/3024-24-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\pucop.exe

MD5 893308ef6cfd4d412a266a1313fe0442
SHA1 6cfe138f1e347ccecbf72081b7ff3ebb178c6322
SHA256 60abbb5ded3067c6dd1a49bcf863f614728da4020c421e8fa6611e77169e7a1e
SHA512 167215e8da0f91580171d4cf91719e4e065760650249833b1565bd787080522755c468bd9087a1522869aeec4840aaaba9577ca63d114e05739b26ce2320f0ec

memory/608-42-0x0000000000860000-0x00000000008F9000-memory.dmp

memory/3024-41-0x0000000001320000-0x00000000013A1000-memory.dmp

memory/3024-39-0x0000000000BE0000-0x0000000000C79000-memory.dmp

memory/608-44-0x0000000000860000-0x00000000008F9000-memory.dmp

memory/608-47-0x0000000000860000-0x00000000008F9000-memory.dmp

memory/608-48-0x0000000000860000-0x00000000008F9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-09 20:22
Reported: 2024-10-09 20:25
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"

Signatures

Urelas

Tags: trojan, urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ecavx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecavx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kemot.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ecavx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kemot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\kemot.exe N/A 48

Processes

C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe

"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"

C:\Users\Admin\AppData\Local\Temp\ecavx.exe

"C:\Users\Admin\AppData\Local\Temp\ecavx.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\kemot.exe

"C:\Users\Admin\AppData\Local\Temp\kemot.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
KR 218.54.31.226:11300 - tcp
KR 1.234.83.146:11170 - tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
KR 218.54.31.166:11300 - tcp
JP 133.242.129.155:11300 - tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/536-0-0x0000000000C60000-0x0000000000CE1000-memory.dmp

memory/536-1-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ecavx.exe

MD5 9e5fcf439bcd56ea8c48d1cadc2ab0d2
SHA1 d6a24caea4ca71fa1cc6315d9e031f21f0057031
SHA256 4a16e50623be7eab49fc697916135c507e77e067ad2a321dfc945af66fcf30be
SHA512 03dd865353a54c291c3c6e2aa2a82376ff584a76b88ab1cc967bf583887ca4713ae88bc0913726b1ba970bf602799d42aaa198829ebea60d11622c8aed2e2829

memory/880-11-0x0000000000580000-0x0000000000601000-memory.dmp

memory/880-14-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/536-17-0x0000000000C60000-0x0000000000CE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 341c4ce3e924b56dc4c616265edeb003
SHA1 46645aa2a5a673b4fe27a30fdebc9c7bffedfcb7
SHA256 4b590f8945bf4998a047f53d9c1d8f9b8f31608498739d5892e08c89c4a679bb
SHA512 67d85c39b7507c974e790a35314038f47cdbc9fc664963fb717fe2d42aa4e586c5ef54cbcc56d777df32684793197dd177741c886a0ca12ed12c5cecd5a02ab7

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ba80f6161b81140b8cf3ddc3ff6dc564
SHA1 5a87c08fe1d3a7067846b47d653701daf0c66813
SHA256 64c6d0a2ef76fb8ab744222a243dd5648407dbb1683e803ed9813a42080a0dbc
SHA512 e6ecbbfe8613bddcf9ffcea669b1b13d7df0a1a506ebc5b5fdb058588a87d5f018c0464714bb311251b23c0979dfdd768cdb02b6240155626ace43919ff6773f

memory/880-20-0x0000000000580000-0x0000000000601000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kemot.exe

MD5 3bc26accdbf33fb50918aeaa01b48b7c
SHA1 db3e58dff9fd74dbef07ac1cd7f22988589a6fef
SHA256 a72fa1cfc1422cd3fa114bc98ac2c0ebd399b7f5d1ea380d440881142268b1ee
SHA512 a094d49dc7026ea7712902fca15e6ec1dddc1427f549cb056c2d5b7472b16768b81d8cb21c157ef7af01d0ae73fc5e6b19115963887f070318f8c5793d670a66

memory/3636-37-0x0000000000280000-0x0000000000319000-memory.dmp

memory/3636-41-0x00000000007A0000-0x00000000007A2000-memory.dmp

memory/880-43-0x0000000000580000-0x0000000000601000-memory.dmp

memory/3636-38-0x0000000000280000-0x0000000000319000-memory.dmp

memory/3636-45-0x0000000000280000-0x0000000000319000-memory.dmp

memory/3636-46-0x0000000000280000-0x0000000000319000-memory.dmp